Detecting BBB/IRS/FTC/Proforma Trojan-Infected Users on Your Network

Filed under Research category.

We’ve received some inquiries about how to find users infected by the recent BBB/IRS/FTC/Proforma trojan scams on corporate networks where an IDS/IPS device that can detect the exfiltration traffic may not be in place.

If you keep firewall/proxy or DNS server logs, you may be able to spot infected users by traffic analysis. This activity has been going on since at least February, so it is prudent to search the log files back to at least the beginning of 2007.

Frequent traffic to the following IP addresses may be a sign of an infection and data leakage from executives within the company:


If you have detailed DNS server logs, another indicator you can look for is frequent attempts to resolve one or more of the following hostnames:


This is not a complete list, but it should cover at least one host from each of the recent scams. If you discover these addresses/hostnames in your logs, the next step is to investigate the internal system sending the traffic and determine whether the user previously received one of the phishing emails. If they have, it is likely that they have been infected since that time, and any information they have submitted to any website in that timeframe has been sent to the phishers. Firewall/proxy logs or Internet Explorer history files may be useful in determining which sites the intercepted data was submitted to.

If the user has never received one of the emails, the traffic could indicate visits to another virtual host on the same IP address, but the source of the traffic should still be thoroughly investigated. Some of the listed sites are legitimate sites that have been hacked to host the phisher’s backend code, so the traffic could also be normal access to other areas of that website. The key to detecting the infection is seeing regular traffic to those sites, interspersed with visits to every other website.
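The log review described above, as an added example that is not part of the original post: it matches firewall and DNS log lines against an indicator list and then keeps only the internal sources whose hits recur at a steady interval, the "regular traffic" pattern that distinguishes a trojan beacon from a one-off visit to a shared or hacked host. The indicator values, log format and sample lines are all constructed placeholders, not the advisory's real list.

```python
from collections import defaultdict
from datetime import datetime

# Constructed placeholder indicators, not the advisory's list: substitute the
# real destination IP/port pairs and hostnames from your own indicator feed.
WATCH_IPS = {"192.0.2.10": {80, 3128}, "198.51.100.25": {12345, 12346}}
WATCH_HOSTS = {"beacon.example.net", "shop.example.org"}

# Constructed sample logs: "timestamp src dst dport" and "timestamp src qname".
FIREWALL_LOG = """\
2007-03-01T09:00:01 10.0.0.5 192.0.2.10 80
2007-03-01T09:15:02 10.0.0.5 192.0.2.10 80
2007-03-01T09:30:03 10.0.0.5 192.0.2.10 80
2007-03-01T09:30:10 10.0.0.5 203.0.113.9 443
2007-03-01T09:45:04 10.0.0.5 192.0.2.10 80
2007-03-01T09:45:30 10.0.0.7 192.0.2.10 3128
2007-03-01T11:00:00 10.0.0.9 198.51.100.25 22
"""
DNS_LOG = """\
2007-03-01T09:00:00 10.0.0.5 beacon.example.net
2007-03-01T09:15:00 10.0.0.5 beacon.example.net
2007-03-01T10:00:00 10.0.0.7 www.example.com
"""

def match_indicators(firewall_log, dns_log):
    """Map (internal source, indicator) -> sorted list of hit timestamps."""
    hits = defaultdict(list)
    for line in firewall_log.splitlines():
        ts, src, dst, dport = line.split()
        if dst in WATCH_IPS and int(dport) in WATCH_IPS[dst]:
            hits[(src, dst)].append(datetime.fromisoformat(ts))
    for line in dns_log.splitlines():
        ts, src, qname = line.split()
        if qname.lower().rstrip(".") in WATCH_HOSTS:
            hits[(src, qname.lower())].append(datetime.fromisoformat(ts))
    return {key: sorted(times) for key, times in hits.items()}

def periodic_sources(hits, min_hits=4, max_jitter_s=60):
    """Keep (source, indicator) pairs whose hits recur at a steady interval;
    returns the mean gap in seconds for each flagged pair."""
    flagged = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            flagged[key] = sum(gaps) / len(gaps)
    return flagged
```

Sources that match an indicator only once or twice still deserve a look, since they may be the hacked legitimate sites the text mentions, but the flagged pairs are where to start.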

If a machine is identified as being infected, it should first be cleaned of the infection (the recommended course of action being to reformat the infected workstation and restore from backups made prior to the infection date). Then any authenticated accounts should be checked for suspicious activity and all passwords should be changed.

There are many variants of the trojan installed by these phishing scams, and antivirus engines may not detect every component of the trojan. If you are unsure how to determine where the malware might be located on a machine suspected of being infected, contact your MSSP for assistance in locating and remediating the threat.
