Some weeks ago one of my customers first WAN IP (used for mail-out) was listed in a spam blacklist. SMTP internet-traffic was only allowed for the mailservers and there was no deny-packet for tcp 25 in the network logs. So I thought a bot used an Outlook client for spaming but I was wrong. Spamhaus.org XBL said, that the entry comes from cbl.abuseat.org:
One hour after the blacklisting, clb.abuseat.org said, that this IP is infected with ZBot:
There were going connections to IP 220.127.116.11, a sinkhole for the ZBot. When you do a reverse DNS lookup you will see the name entry “this-domain-is-sinkholed-by.abuse.ch”. So this IP was once ago a real ZBot Command and Control Server (C&C). The provider or Spamhaus changed this to a sinkhole to find infected devices who are connecting to this IP. The server receives the packets like “Hello I’m a infected ZBot client, please tell what I have to do” but the server replies with a “connection refused”. After this, the sinhole tells spam-blacklists that the source IP of the packet is infected with Zeus Bot and your IP will be listed in a blacklist. To make this more visual, I made a Visio drawing:
I searched via shell command for the IP 18.104.22.168 in the packetfilter.log placed in /var/log/:
more /var/log/packetfilter.log | grep 22.214.171.124
with this command, we found the infected notebook. You can remove the ZBot / Zeus Bot with Norton Power Eraser, but the better solution is to reinstall the complete operating system. You can finde more information about the ZBot here at the Symantec website.