Anatomy of a New SpamBot
Posted by: badanov
We haven't had a nice Unix story in a while, so here goes.
As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected, so we should learn not to place all our trust in that channel for detecting malware. Robert detected this piece of malware through an IDS and correlation of logs. Monitoring your outgoing traffic, even in the absence of an IDS, can do the trick: looking for spikes in outgoing email is a good way to detect unexpected spam bots such as this one. A bot blocking the traditional sites by editing the hosts file is also a good thing to build monitoring for. If the hosts file gets used that way you know something is going on, and a second look will be well-spent effort.
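The two checks recommended above, as an added example that is not part of the original post: a shell function that flags internal hosts whose outbound port-25 connections spike within a single minute, and one that reports hosts-file entries pinning a watched domain. The connection-log format, the addresses and the watched domain names are constructed for this example; adapt the awk field positions to whatever your firewall or flow exporter actually writes.

```shell
#!/bin/sh
# Added example, not code from the original post. Both inputs below are
# constructed: the log format and the watched domains are assumptions.

# Constructed connection log: one line per new outbound connection, in a
# format a firewall or flow exporter might write (assumed, not a real format).
SAMPLE_LOG='2008-03-01T10:00:05 src=192.168.1.10 dst=203.0.113.25 dport=25
2008-03-01T10:00:12 src=192.168.1.20 dst=198.51.100.7 dport=25
2008-03-01T10:00:13 src=192.168.1.20 dst=198.51.100.8 dport=25
2008-03-01T10:00:14 src=192.168.1.20 dst=198.51.100.9 dport=25
2008-03-01T10:00:15 src=192.168.1.20 dst=198.51.100.10 dport=25
2008-03-01T10:00:16 src=192.168.1.20 dst=198.51.100.11 dport=25
2008-03-01T10:00:17 src=192.168.1.20 dst=198.51.100.12 dport=25
2008-03-01T10:00:30 src=192.168.1.30 dst=203.0.113.80 dport=80
2008-03-01T10:01:02 src=192.168.1.10 dst=203.0.113.25 dport=25'

# Print every source host that opened more than $1 port-25 connections
# inside any single minute. Reads the connection log on stdin.
# A mail relay is expected to show up here; a workstation is not.
outbound_smtp_spikes() {
    awk -v max="$1" '
        $4 == "dport=25" {
            minute = substr($1, 1, 16)      # YYYY-MM-DDTHH:MM
            host = substr($2, 5)            # strip the "src=" prefix
            n[host SUBSEP minute]++
        }
        END {
            for (k in n) if (n[k] > max) {
                split(k, p, SUBSEP)
                print p[1]
            }
        }' | sort -u
}

# Placeholder domains a workstation should never pin in its hosts file
# (these are example names, not the sites the post refers to).
WATCHED_DOMAINS='av-updates.example.com signatures.example.net patches.example.org'

# Constructed hosts file with two hijacked entries.
SAMPLE_HOSTS='# constructed hosts file
127.0.0.1       localhost
127.0.0.1       av-updates.example.com
127.0.0.1       signatures.example.net
192.0.2.10      intranet.example.com'

# Print "address domain" for each hosts-file line (stdin) that pins a
# watched domain, whatever address it is pinned to.
hosts_overrides() {
    awk -v domains="$WATCHED_DOMAINS" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) watch[d[i]] = 1 }
        /^[[:space:]]*#/ || NF < 2 { next }              # comments and blank lines
        { for (i = 2; i <= NF; i++)
              if (tolower($i) in watch) print $1, tolower($i) }
    '
}

printf '%s\n' "$SAMPLE_LOG"   | outbound_smtp_spikes 5
printf '%s\n' "$SAMPLE_HOSTS" | hosts_overrides
```

The spike threshold is per host per minute; on a real network start by measuring what your mail relay does on a busy day and set the threshold above that, then alert on any other host that crosses it at all.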
We run Windows less and less as time goes by. When we were working for our family's company we did have a WinXP SP2 box, on which we ran the Windows Firewall, a silly piece of software which blocks inbound connections but not outbound ones.
The lesson here is simple: spam is a terrible plague, and Windows XP having incorporated Unix-style raw internet sockets into its kernel has helped tremendously with the spread of it. If you want to help stop spam and spambots, kill every outbound connection you don't need, and restrict those you do need to the specific sites you use.
On every FreeBSD box we use, we run a default-deny ruleset, which means nothing goes in or out, not even via the loopback interface (lo0), without a specific rule permitting it. While that may not be feasible with Windows-type firewalls, it is still a good rule of thumb.
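A default-deny pf ruleset of the kind described above, together with a small audit that rejects any ruleset whose first filter rule is not a block-all, or that contains a pass rule with no interface constraint. This is an added example, not the post's own configuration; the interface name em0 and the addresses in the sample ruleset are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The ruleset is a constructed
# pf.conf fragment; em0 and the 192.0.2.x / 192.168.1.0/24 addresses are
# placeholders.

PF_RULESET='# default deny: nothing passes, in or out, on any interface (lo0 included)
block all

# loopback is opened explicitly, like everything else
pass on lo0

# outbound: only DNS and NTP to our own servers; inbound: SSH from the LAN
pass out on em0 proto udp to 192.0.2.53 port 53
pass out on em0 proto udp to 192.0.2.123 port 123
pass in on em0 proto tcp from 192.168.1.0/24 to (em0) port 22'

# A ruleset that looks restrictive but is not: it passes everything outbound.
BAD_RULESET='pass out all
block in all'

# Read a pf ruleset on stdin and return non-zero (printing the offending
# rules) unless it is default deny: the first filter rule must be a
# "block ... all", and every pass rule must name an interface and must not
# use the bare "all" target. Options, macros and translation rules are skipped.
audit_default_deny() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(set|scrub|table|nat|rdr|anchor|antispoof)$/ ||
            $0 ~ /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { next }
        !seen_rule++ && !($1 == "block" && $NF == "all") {
            print "first filter rule is not a default deny: " $0; bad = 1
        }
        $1 == "pass" {
            onif = 0
            for (i = 2; i <= NF; i++) if ($i == "on") onif = 1
            if (!onif || $NF == "all") { print "overly broad pass rule: " $0; bad = 1 }
        }
        END { exit bad }
    '
}

printf '%s\n' "$PF_RULESET"  | audit_default_deny && echo "ruleset: default deny ok"
printf '%s\n' "$BAD_RULESET" | audit_default_deny || echo "ruleset: rejected"
```

This is a lint, not a substitute for `pfctl -nf /etc/pf.conf`: it catches the two mistakes that silently turn a default-deny policy into default-allow (a leading pass rule, or a pass rule with no interface), but it does not parse pf grammar and will not notice a pass rule that is merely broader than you intended.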