mailsecurity@gmxnet.de
Subject: C427895983 Re: [bl] Please unblock!
Date: Thu, March 13, 2014 9:00 am
To: acaba@astrac.rdsar.ro
Dear Mr Caba,
Your mail server is listed in Spamhaus XBL/CBL:
http://cbl.abuseat.org/lookup.cgi?ip=86.125.217.41
----IP Address 86.125.217.41 is listed in the CBL. It appears to be infected with a spam
sending trojan, proxy or some other form of botnet.
It was last detected at 2014-03-12 10:00 GMT (+/- 30 minutes), approximately 21
hours ago.
This IP address is infected with, or is NATting for a machine infected with the ZeuS
trojan, also known as "Zbot" and "WSNPoem".
ZeuS is a malicious software (malware) used by cybercriminals to commit ebanking
fraud and steal sensitive personal data, such as credentials (username, password)
for online services (email, webmail, etc.).
The infection was detected by observing this IP address attempting to make contact
to a ZeuS Command and Control server (C&C), a central server used by the criminals
to control ZeuS-infected computers (bots).
More information about the ZeuS Trojan can be found here:
Microsoft Malware Protection Center: Win32/Zbot
Symantec: Trojan.Zbot
McAfee Labs Threat Advisory: PWS-Zbot
You can try Kaspersky's Zbot killer to get this infection detected/removed. However,
we strongly recommend that you completely re-install your operating system to get
this infection removed permanently.
This was detected by a TCP/IP connection from 86.125.217.41 on port 51743 going to
IP address 82.165.37.26 (the sinkhole) on port 443.
The botnet command and control domain for this connection was
"d65g.dw7g3.fefg934.info".
Behind a NAT, you should be able to find the infected machine by looking for
attempted connections to IP address 82.165.37.26 or host name
d65g.dw7g3.fefg934.info on any port with a network sniffer such as Wireshark.
Equivalently, you can examine your DNS server or proxy server logs for references to
82.165.37.26 or d65g.dw7g3.fefg934.info. See Advanced Techniques for more detail on
how to use Wireshark - ignore the references to port 25/SMTP traffic - the
identifying activity is NOT on port 25.
This detection corresponds to a connection at 2014-03-12 10:08:08 (GMT - this
timestamp is believed accurate to within one second).
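The log search the notice describes (finding the infected host behind the NAT by looking for the sinkhole IP or the C&C domain in DNS and proxy logs, on any port), as an added example that is not part of the notice itself. The BIND-style DNS query lines, Squid-style proxy lines and the internal 192.168.1.x addresses are constructed for the example; only the indicators come from the notice.

```python
import re
from collections import defaultdict

# Indicators quoted in the CBL notice: the sinkhole IP and the C&C domain.
SINKHOLE_IP = "82.165.37.26"
CNC_DOMAIN = "d65g.dw7g3.fefg934.info"

# Constructed sample logs (internal client addresses and timestamps are made up).
SAMPLE_DNS_LOG = """\
12-Mar-2014 10:07:59.120 client 192.168.1.23#51740: query: d65g.dw7g3.fefg934.info IN A + (192.168.1.1)
12-Mar-2014 10:08:01.004 client 192.168.1.40#53021: query: www.example.com IN A + (192.168.1.1)
12-Mar-2014 10:08:03.771 client 192.168.1.23#51741: query: D65G.DW7G3.FEFG934.INFO IN A + (192.168.1.1)
"""
SAMPLE_PROXY_LOG = """\
1394618888.123    210 192.168.1.23 TCP_TUNNEL/200 4210 CONNECT 82.165.37.26:443 - HIER_DIRECT/82.165.37.26 -
1394618890.500    120 192.168.1.40 TCP_MISS/200 1500 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1394618891.010    300 192.168.1.77 TCP_TUNNEL/200 3900 CONNECT d65g.dw7g3.fefg934.info:8080 - HIER_DIRECT/82.165.37.26 -
"""

# BIND query log: "client <ip>#<port>: query: <name> IN <type> ..."
BIND_QUERY = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN")
# Squid access log: time elapsed client code/status bytes method url ...
SQUID_LINE = re.compile(r"^\S+\s+\d+\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\d+\s+\S+\s+(\S+)")


def _host_of(target: str) -> str:
    """Reduce a DNS name, URL or host:port string to the bare host name or IP.
    The port is dropped on purpose: the notice says the identifying traffic is
    not tied to any particular port."""
    host = re.sub(r"^[a-z]+://", "", target.lower()).split("/")[0]
    host = host.rsplit(":", 1)[0] if ":" in host else host
    return host.rstrip(".")


def find_suspect_hosts(dns_log: str, proxy_log: str) -> dict:
    """Map each internal client IP to the indicator hits seen for it."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        m = BIND_QUERY.search(line)
        if m and _host_of(m.group(2)) == CNC_DOMAIN:
            hits[m.group(1)].append(("dns", m.group(2)))
    for line in proxy_log.splitlines():
        m = SQUID_LINE.match(line)
        if m and _host_of(m.group(2)) in (CNC_DOMAIN, SINKHOLE_IP):
            hits[m.group(1)].append(("proxy", m.group(2)))
    return dict(hits)


if __name__ == "__main__":
    for client, evidence in find_suspect_hosts(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG).items():
        print(client, evidence)
```

Hosts that appear only with the sinkhole IP and never with the domain may have cached the resolution earlier, so a host-level search should cover both indicators, as the notice advises.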