Becoming a spammer: hands-on experience

Reading the stories of Windows workstations becoming members of a spam botnet becomes way less enjoyable when you're faced with the same problem (one of my kids managed to install a Trojan). It took me a day to clean the infected computer (it would have been easier to just format it, but the repeated installation of Windows XP and Office is so boring), but I learned a few interesting networking lessons in the process that I'll document in the coming days.

Let's start with an easy one: once you discover that one of your workstations is opening a lot of SMTP sessions, block it on the firewall router immediately (this access list will also help you verify that you've removed all spam-related infections: as long as the blocked SMTP sessions keep showing up in the log, something is still trying to send mail). I've used the simplest access list possible; it blocks and logs the outbound SMTP sessions from the infected workstation.

ip access-list extended Inside
 deny tcp host 192.168.200.198 any eq smtp log
 permit ip any any
!
interface Vlan1
 ip access-group Inside in

If you want a more sophisticated solution, you can also log the outbound TCP sessions of the affected PC. The following access list blocks all outbound SMTP sessions and logs the SYN packets of all other outbound TCP sessions: the established keyword matches packets with the ACK or RST bit set, so the only packets that reach the logging entry are the initial SYNs. DNS over UDP is allowed, but all other UDP traffic is blocked. Other hosts are not affected (the permit ip any any at the end):

ip access-list extended InsideLog
 deny tcp host 192.168.200.198 any eq smtp log
 permit tcp host 192.168.200.198 any established
 permit tcp host 192.168.200.198 any log
 permit udp host 192.168.200.198 any eq domain
 deny udp host 192.168.200.198 any
 permit ip any any

Recent IOS releases support access list matching on individual bits in the TCP header. Using this functionality, you can match and log only the TCP packets with the SYN bit set (the rest of the TCP session is permitted by the permit ip any any at the end):

ip access-list extended InsideLog
 deny tcp host 192.168.200.198 any eq smtp log
 permit tcp host 192.168.200.198 any syn log
 permit udp host 192.168.200.198 any eq domain
 deny udp host 192.168.200.198 any
 permit ip any any
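The whole point of the log keyword in the access lists above is the trail it leaves in syslog: the denied SMTP sessions tell you whether the machine is still trying to send spam, and the logged SYNs tell you where else it is connecting. The following script is an added example (it is not part of the original post and not a Cisco tool) that parses those messages and produces a per-host summary. It assumes the usual IOS message shape, `%SEC-6-IPACCESSLOGP: list <acl> <permitted|denied> <tcp|udp> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)`; the sample lines, the ACL name InsideLog, the 192.0.2.x, 198.51.100.x and 203.0.113.x destinations, and the `still_spamming` threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Message shape assumed for the IOS access-list log entries (assumption, not from the post):
#   %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1050) -> 192.0.2.10(25), 1 packet
# IOS prints the first packet immediately and then a summary ("7 packets") every few minutes,
# so the packet count at the end of the line is added up rather than counting lines.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample syslog lines, as the InsideLog access list would produce them.
SAMPLE_LOG = """\
*Mar  1 00:12:33.115: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1050) -> 192.0.2.10(25), 1 packet
*Mar  1 00:12:34.201: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1051) -> 192.0.2.11(25), 1 packet
*Mar  1 00:12:35.007: %SEC-6-IPACCESSLOGP: list InsideLog permitted tcp 192.168.200.198(1052) -> 198.51.100.23(6667), 1 packet
*Mar  1 00:12:40.330: %SEC-6-IPACCESSLOGP: list InsideLog permitted tcp 192.168.200.198(1053) -> 203.0.113.5(80), 1 packet
*Mar  1 00:17:33.115: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1060) -> 192.0.2.10(25), 7 packets
*Mar  1 00:17:35.000: %SYS-5-CONFIG_I: Configured from console by console
""".splitlines()


def parse_line(line):
    """Return a dict for an access-list log line, or None for any other syslog message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Aggregate packet counts per source host.

    Returns (smtp_denied, tcp_by_dport):
      smtp_denied[src]          -> packets denied towards TCP port 25
      tcp_by_dport[src][dport]  -> logged (permitted) TCP SYNs per destination port
    """
    smtp_denied = Counter()
    tcp_by_dport = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["action"] == "denied" and rec["dport"] == 25:
            smtp_denied[rec["src"]] += rec["count"]
        elif rec["action"] == "permitted":
            tcp_by_dport[rec["src"]][rec["dport"]] += rec["count"]
    return smtp_denied, tcp_by_dport


def still_spamming(lines, host, threshold=1):
    """True if the host still produced at least `threshold` blocked SMTP packets (threshold is an arbitrary choice)."""
    smtp_denied, _ = summarize(lines)
    return smtp_denied[host] >= threshold


def report(lines):
    """Human-readable summary, one block per source host."""
    smtp_denied, tcp_by_dport = summarize(lines)
    hosts = sorted(set(smtp_denied) | set(tcp_by_dport))
    out = []
    for host in hosts:
        out.append(f"{host}: {smtp_denied[host]} blocked SMTP packets")
        for dport, n in sorted(tcp_by_dport[host].items()):
            out.append(f"  outbound TCP/{dport}: {n} SYN(s) logged")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print("still spamming:", still_spamming(SAMPLE_LOG, "192.168.200.198"))
```

Feed it the router's syslog (for example `logging host` output collected on a syslog server, or a saved `show logging`) instead of SAMPLE_LOG; once the blocked SMTP counter for the workstation stays at zero across a few of the periodic summaries, the mail-sending part of the infection is gone, and the list of other destination ports tells you what else is still worth looking at.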

1 comment:

  1. Nice beginning of a story! It reminds me of the past, when I did honeypot research and hunted the evil user taking pride in the number of hosts he had in his botnet on IRC channels :)