How do I find the bot on my network?
How do I find the bot on my network?
People often find that they have a XBL listing that corresponds to the network address translation (NAT) IP for a local area network (LAN), and that identifying the infected machine can be extremely difficult.
This FAQ goes over a number of methods for identifying infected machines on a LAN. Many of these methods require specific technical knowledge to implement.
The first thing to do is to secure the firewall to limit access to outbound on port 25, allowing only SMTP server(s) on the local network. Remote sending of email to servers on the Internet should still work if web-based, or configured properly to use port 587 using SMTP-AUTH.
Once that is done, that still leaves the problem of finding the infected device. Unfortunately, we can only see traffic coming from the NAT IP; anything inside the network is visible only to someone with admin access. We hope the following information will help.
Why is my AV/AM scan not finding anything?
These days many bot infections cannot be found by anti-virus or anti-malware “cleaners”. This means you can spend a lot amount of time and effort running your A/V tools on every device on your LAN and find absolutely nothing – or find something that is not related to the XBL listing.
As a result of this, even if it is known which device is infected, usually the A/V tools can not fix them; the software will have to reinstalled.
What am I looking for?
You are attempting to find out which device is making unwanted connections on port 25. When dealing with a large network (such as an office building) you will want to use some kind of network sniffer or firewall logging tool. Many of these tools require significant network administration expertise: if necessary, a consultant or other professional that understand these tools should be hired. The simplest methods in the “Centralized Detection”section use a network sniffer or firewall logging.
- If your LAN uses an ethernet hub (not a network switch or router), or your firewall is a generalized computer (eg: Linux or Windows server acting as a firewall) go directly to the port 25 sniffing section below.
- If you’re not using a hub, sniffing is still possible, but it’s harder, and using one of the per-machine methods may be simpler. If you have a decent firewall that has logging capabilities, go to the section on Firewall logging.
What am I NOT looking for?
XBL catches things that do not go through normal mail servers. These spambots have their own proxy or SMTP client built in, and they connect directly to the internet on port 25, bypassing any legitimate SMTP server.
- SMTP server logs will show nothing.
- Telnetting to the mail server on port 25 will not work to determine the HELO value. Telnet to port 25 on the mail server shows the “banner”, not the HELO.
- HELO settings can be tested by sending an email from the listed IP to “firstname.lastname@example.org”. A bounce that contains the required information will be returned immediately. It will look like an error, it is not. Please examine the contents of this email. (Note: this does not work with IPv6 at this time)
- If the HELO value is expected and correct, there is another problem, usually malware or a spambot.
Methods to try on individual devices
The methods in this section require that each device in the LAN be checked one at a time.
- If there are a number of devices to check, downloading some of the tools we mention and putting them on a USB key can help.
NOTE: We recommend trying the tools mentioned here before spending a lot of time on A/V scanners.
tcpview/tcpvcon (Windows OS) [EASY TO USE]
The tools “tcpview” and “tcpvcon” are free and can be downloaded from Microsoft
- Navigate to where you’ve placed “tcpview”, and run it. It will display all of the programs that have network connections open – naming the program, protocol, local address and port, remote address and port and state.
- You’re looking for lines that show these in the remote address: “:smtp” or “:25”. This indicates a remote email connection.
- A correctly set up device that uses SMTP-AUTH on port 587 or 465 should not show any of these.
- When a connection is freshly established, the corresponding line is green and when the connection ends, it is shown in red briefly before disappearing.
- If you have found the device with a spambot, the display will show numbers of green “:smtp” lines appearing and red “:smtp” lines disappearing. Watch the display for a few minutes to see if any “:smtp” lines show up and disappear. If they do, then that device has a spambot!
CAUTION! If you find a device with the bot showing up on tcpview, do NOT simply delete the corresponding program. It is probable that it is an infection inside a legitimate Windows program! Simply deleting it could cripple the computer.
Get and run as many anti-virus programs as possible, and see if any of them detect or remove the infection.
- If any of the scans say they have found something, follow the instructions to remove it and reboot the machine.
- Run “tcpview” again, and watch it for a while.
- If the problem recurs, you will probably have to reinstall the computer from scratch
Note: There are some bots that have their own TCP stacks. “tcpview” will probably not see activity from these.
Netstat (*NIX and Windows) [EASY-MEDIUM to use]
Netstat is standard on most versions of *NIX. Most versions of Windows also have it. The main difference is that netstat is a command line function that takes a single snapshot of current connections. In many versions of netstat, the most effective command line to use is:netstat -nap
This can show an active infection like this:Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 1 192.168.2.2:58246 18.104.22.168:25 SYN_SENT 12614/b.pl tcp 0 0 192.168.2.2:35843 22.214.171.124:25 ESTABLISHED 7996/ciwhcnsb.pl tcp 0 0 192.168.2.2:53051 126.96.36.199:25 TIME_WAIT - tcp 0 0 192.168.2.2:53623 188.8.131.52:25 TIME_WAIT - tcp 0 0 192.168.2.2:57816 184.108.40.206:25 TIME_WAIT - tcp 0 1 192.168.2.2:50531 220.127.116.11:25 SYN_SENT 12270/nxhbo.pl tcp 0 0 192.168.2.2:52437 18.104.22.168:25 TIME_WAIT - tcp 0 1 192.168.2.2:50140 22.214.171.124:25 SYN_SENT 9273/yzezihd.pl
- The “:25” at the end of “Foreign Address” indicates an outbound SMTP (port 25) connection.
- “NNNN/name” under “PID/Program name” is the process id and process name of the program.
- The large variety of “states” show that it is starting up/shutting down connections very quickly.
On Windows, use this in a DOS command window:netstat 5
This will give you a list of all network connections your machine
has open, that will refresh every 5 seconds until it is stopped. This will look very similar to the “netstat” output above.
- Microsoft and other familiar names will show up – they’re normal (from your browser, social media etc). “Akamai” is normal too.
- There will usually be a lot more lines than the above that do not have “:25”, those are other non-email connections. You might want to repeatedly pipe the output of “netstat -nap” through “grep :25” to only see the SMTP connections.
- “:25” on the local address means an inbound connection.
- “Many outbound port 25 connections” is the usual sign of infection.
NOTE: Depending on the infection, you often won’t be able to find the programs, because they start up, delete themselves from the file system, and continue running in memory.Back