
From: mailsecurity@gmxnet.de
Subject: C427895983 Re: [bl] Please unblock!
Date: Thu, March 13, 2014 9:00 am
To: acaba@astrac.rdsar.ro

Dear Mr Caba,
Your mail server is listed in Spamhaus XBL/CBL:
http://cbl.abuseat.org/lookup.cgi?ip=86.125.217.41
----
IP Address 86.125.217.41 is listed in the CBL. It appears to be infected with a spam-sending
trojan, proxy or some other form of botnet.
It was last detected at 2014-03-12 10:00 GMT (+/- 30 minutes), approximately 21
hours ago.
This IP address is infected with, or is NATting for a machine infected with the ZeuS
trojan, also known as "Zbot" and "WSNPoem".
ZeuS is malicious software (malware) used by cybercriminals to commit ebanking
fraud and steal sensitive personal data, such as credentials (username, password)
for online services (email, webmail, etc.).
The infection was detected by observing this IP address attempting to make contact
to a ZeuS Command and Control server (C&C), a central server used by the criminals
to control ZeuS-infected computers (bots).
More information about the ZeuS Trojan can be found here:
Microsoft Malware Protection Center: Win32/Zbot
Symantec: Trojan.Zbot
McAfee Labs Threat Advisory: PWS-Zbot
You can try Kaspersky's Zbot killer to get this infection detected/removed. However,
we strongly recommend that you completely re-install your operating system to get
this infection removed permanently.
This was detected by a TCP/IP connection from 86.125.217.41 on port 51743 going to
IP address 82.165.37.26 (the sinkhole) on port 443.
The botnet command and control domain for this connection was
"d65g.dw7g3.fefg934.info".
Behind a NAT, you should be able to find the infected machine by looking for
attempted connections to IP address 82.165.37.26 or host name
d65g.dw7g3.fefg934.info on any port with a network sniffer such as Wireshark.
Equivalently, you can examine your DNS server or proxy server logs for references to
82.165.37.26 or d65g.dw7g3.fefg934.info. See Advanced Techniques for more detail on
how to use Wireshark - ignore the references to port 25/SMTP traffic - the
identifying activity is NOT on port 25.
This detection corresponds to a connection at 2014-03-12 10:08:08 (GMT - this
timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan
downloader, and can download and execute ANY software on the infected computer.
You will need to find and eradicate the infection before delisting the IP address.
Norton Power Eraser is a free tool and doesn't require installation. It just needs
to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X,
Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in
each case. It probably works with many other infections.
We strongly recommend that you DO NOT simply firewall off connections to the
sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by
malware researchers. In other words, it's a "sensor" (only) run by "the good guys".
The bot "thinks" it's a command and control server run by the spambot operators but
it isn't. It DOES NOT actually download anything, and is not a threat. If you
firewall the sinkhole addresses, your IPs will remain infected, and they will STILL
be delivering your users/customers personal information, including banking
information to the criminal bot operators.
If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you
which internal machine is connecting to them so that you can identify the infected
machine yourself and fix it.
We are enhancing the instructions on how to find these infections, and more
information will be given here as it becomes available.
Virtually all detections made by the CBL are of infections that do NOT leave any
"tracks" for you to find in your mail server logs. This is even more important for
the viruses described here - these detections are made on network-level detections
of malicious behaviour and may NOT involve malicious email being sent.
This means: if you have port 25 blocking enabled, do not take this as indication
that your port 25 blocking isn't working.
The links above may help you find this infection. You can also consult Advanced
Techniques for other options and alternatives. NOTE: the Advanced Techniques link
focuses on finding port 25(SMTP) traffic. With "sinkhole malware" detections such as
this listing, we aren't detecting port 25 traffic, we're detecting traffic on other
ports. Therefore, when reading Advanced Techniques, you will need to consider all
ports, not just SMTP.
Pay very close attention: Most of these trojans have extremely poor detection rates
in current Anti-Virus software. For example, Ponmocup is only detected by 3 out of
49 AV tools queried at Virus Total.
Thus: your anti-virus software not finding anything does not prove that you are
not infected.
While we regret having to say this, downloaders will generally download many
different malicious payloads. Even if an Anti-Virus product finds and removes the
direct threat, they will not have detected or removed the other malicious payloads.
For that reason, we recommend recloning the machine - meaning: reformatting the
disks on the infected machine, and re-installing all software from known-good
sources.
WARNING: If you continually delist 86.125.217.41 without fixing the problem, the CBL
will eventually stop allowing the delisting of 86.125.217.41.
----
Kind regards,

Mit freundlichen Grüßen (Kind regards)


Konrad Meier
GMX MailSecurity
http://gmxnet.de/de/impressum
>
> Mail to: mailsecurity@gmxnet.de
> Email address: acaba@astrac.rdsar.ro
> Alternate address: all4jesus@gmail.com
> Subject: Please unblock!
> Your name: Eng. Andrei Caba
> Your company/provider: our own email server (astrac.rdsar.ro)
> Your IP address: * 86.125.217.41 *
> Your message: host mx00.gmx.net[213.165.67.99] refused to talk to me: 554-gmx.net
> (mxgmx003) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address
> is black listed. 554 For explanation visit
> http://postmaster.gmx.com/en/error-messages?ip=86.125.217.41&c=bl
>
>

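The CBL text above tells the recipient how to find the infected host behind NAT: look in DNS, proxy or firewall logs for any reference to the sinkhole IP 82.165.37.26 or the C&C name d65g.dw7g3.fefg934.info, on any port rather than only port 25, and to instrument the firewall so it reports which internal machine is talking to the sinkhole. The script below is an added example of that triage and is not part of the GMX message or the CBL's own tooling. It assumes three common log formats (a BIND query log, a Squid native-format access.log and iptables LOG lines); the sample lines and the internal addresses 192.168.1.x are constructed for the example, while the indicator IP and domain are the ones quoted in the listing.

```python
"""Find the NATted host that contacted a sinkhole/C&C, from DNS, proxy and firewall logs.

Added example: indicators come from the CBL listing quoted in the e-mail; the log
formats (BIND query log, Squid access.log, iptables LOG) and sample lines are assumptions.
"""
import re
from collections import defaultdict

# Indicators as reported by the CBL for this listing.
SINKHOLE_IP = "82.165.37.26"
CNC_DOMAIN = "d65g.dw7g3.fefg934.info"

# BIND query log: "... client 192.168.1.23#49152: query: <name> IN A + (...)"
BIND_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+)")
# Squid native access.log: "<ts> <ms> <client> <code/status> <bytes> <method> <url> ..."
SQUID_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
# iptables LOG target output: "... SRC=<ip> DST=<ip> ... DPT=<port> ..."
IPT_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")


def hostname_of(url):
    """Reduce a URL or host:port string to a bare lower-case hostname."""
    host = re.sub(r"^[a-z]+://", "", url.strip().lower())
    return host.split("/")[0].split(":")[0].rstrip(".")


def is_indicator(host):
    """Exact match on the sinkhole IP, the C&C domain or any label under it.
    Exact comparison avoids substring false positives such as 182.165.37.26."""
    return host == SINKHOLE_IP or host == CNC_DOMAIN or host.endswith("." + CNC_DOMAIN)


def classify(line):
    """Return (internal_src, evidence) when the line references an indicator, else None."""
    m = BIND_RE.search(line)
    if m:
        if is_indicator(hostname_of(m.group("name"))):
            return m.group("src"), "dns:" + m.group("name")
        return None
    m = SQUID_RE.match(line)
    if m:
        if is_indicator(hostname_of(m.group("url"))):
            return m.group("src"), "proxy:" + m.group("url")
        return None
    m = IPT_RE.search(line)
    if m:
        # The identifying traffic is NOT on port 25, so every destination port counts.
        if m.group("dst") == SINKHOLE_IP:
            return m.group("src"), "fw:dport=" + m.group("dpt")
        return None
    return None


def find_infected_hosts(lines):
    """Map each internal address to the evidence tying it to the sinkhole or C&C domain."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            src, evidence = result
            hits[src].append(evidence)
    return dict(hits)


# Constructed sample lines (not from the e-mail): one BIND query per host, one Squid
# CONNECT, and iptables LOG lines as a rule with --log-prefix "SINKHOLE " would emit.
SAMPLE_LOGS = [
    "12-Mar-2014 10:08:07.412 queries: info: client 192.168.1.23#49152: query: d65g.dw7g3.fefg934.info IN A + (192.168.1.1)",
    "12-Mar-2014 10:08:09.001 queries: info: client 192.168.1.50#50123: query: www.example.com IN A + (192.168.1.1)",
    "1394618888.201     45 192.168.1.23 TCP_TUNNEL/200 3210 CONNECT d65g.dw7g3.fefg934.info:443 - HIER_DIRECT/82.165.37.26 -",
    "Mar 12 10:08:08 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=82.165.37.26 PROTO=TCP SPT=51743 DPT=443",
    "Mar 12 10:15:40 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=82.165.37.26 PROTO=TCP SPT=40001 DPT=8080",
    "Mar 12 10:20:02 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=192.168.1.90 DST=182.165.37.26 PROTO=TCP SPT=40002 DPT=25",
]

if __name__ == "__main__":
    for host, evidence in sorted(find_infected_hosts(SAMPLE_LOGS).items()):
        print(host, evidence)
```

On the constructed input this attributes the sinkhole contact to 192.168.1.23 from all three sources and additionally flags 192.168.1.77, while the 182.165.37.26 line is correctly ignored. To produce the firewall evidence on a Linux gateway, a LOG rule such as `iptables -I FORWARD -d 82.165.37.26 -j LOG --log-prefix "SINKHOLE "` records the internal source address of every connection to the sinkhole without blocking it, which is the "instrument your firewall" step the listing asks for before anyone considers dropping that traffic.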