My Mom's PC has been turned into a botnet drone

[PNWDweller]

Let's get a little background -

XP Home edition SP3 fully patched and Avast Antivirus running along with Super Anti-spyware. The age of the install was well over 4 years old and the system had been screeching to a halt quite often. We ran some initial virus scans on the system and nuked about 34 infections. In doing this, my Mom had used Malwarebytes and found the viruses which Avast never saw or found. It also reported several registry errors 1,100+ which she took care of. After doing the scan/clean, her computer was still sending out emails which I will explain below:

She has DSL for her ISP and MSN for her primary account email address ([email protected] for example). The bot is pulling the email addresses she sends to and mass emailing them links to Viagra sites with people's names in the subject.

Last Saturday, I went over to her house to do a little housekeeping on the computer. We ended up re-installing the OS for a couple of reasons, even though it was running XP HOME SP3, it had been quite clogged up over the past few years with old programs which were no longer being used, probably about 2,000 photos that my late father took before he passed and other stuff all scattered across the drive. Her computer is a Dell which is about 5 years old probably (Dimension 4500s), and even though, it would run Vista probably OK, I didn't see any reason to do so at this time for her. Windows 7 is out of the question for her as she doesn't want to put any more $$$ into a system she is intending on replacing here in the next year or so. Anyway, I slapped XP PRO SP3 that I had a spare of and we went about our merry way of placing pictures and files where they could be found in an organized fashion. This time around, I installed Spybot S&D (to help her monitor the startup entries as well as registry changes),Avast again, and modified her hosts file to secure the browsers some. (Not much, but a little bit helps) Before anyone says anything about XP PRO vs Home, let me just say I chose this method over her restore CD's which would have installed bloatware and other crap in the system which I would have had to clean anyway later on.

Fast forward to today - This morning, I get the same emails again from her MSN account and this leads me to think that it isn't a virus per se, but some hacker probably port scanned her computer and got in, or her MSN has been compromised somehow. As of this morning, I told her to change her MSN password immediately and also change her IP address by rebooting her DSL and computer. Told her to call her ISP if it doesn't change the IP address.

Am I right in assuming at this point that one of her ports was compromised or the MSN account was compromised?

[ilev]

The best advice I can give you is to format your mom's PC and install the free Linux ubuntu. For Internet, mail, audio, video, office.... it's more than enough, and all these applications come build-in and for free. And, she will be free from viruses, Trojans, botnets.....

[PNWDweller]

Liev -

I don't think Linux would be a good solution for her. As much as some of us prefer the *nix variants, not everyone does. :)

[Colin-uk Veteran]

probably a port.

do you have a router or a software firewall installed? that would probly be the first thing to add if there isnt one.

I would keep an eye on the startup items on the machine too.

also tell her not to open emails from people she doesnt know and not to click and links on the web that dont look legit.

[carmatic]

hmm, i dont understand... how can a port with no programs listening on it be a point of vulnerability??

you said that you were receiving spam messages from her msn account, thats not conclusive to the computer being part of a botnet, i thought all it meant was the password was compromised and needed changing?

[+jamesyfx Subscriber²]

I'm so out of touch. I thought this thread was Transformers related. :no:

Anyway. I would stop using the computer for now, disconnect it from the internet at least. How about upgrading the OS to Vista or 7? UAC would be handy.

[PNWDweller]

probably a port.

do you have a router or a software firewall installed? that would probly be the first thing to add if there isnt one.

I would keep an eye on the startup items on the machine too.

also tell her not to open emails from people she doesnt know and not to click and links on the web that dont look legit.

She is internet smart when it comes to emails from people she doesn't know. No router, but I am going to be putting a firewall on there today probably and forcing an IP change even if I have to call her ISP to do it.

[Colin-uk Veteran]

hmm, i dont understand... how can a port with no programs listening on it be a point of vulnerability??

you said that you were receiving spam messages from her msn account, thats not conclusive to the computer being part of a botnet, i thought all it meant was the password was compromised and needed changing?

maybe he means malware installed by people running a botnet.

[TheBlueRaja]

Just because an e-mail looks like its from your mums account, it doesnt mean that it has actually come from her account.

Spammers can make things look like they have come from a particular account when its not the case.

Look at the e-mail haeder and compare to to a legitimate one, this should tell you if they are coming from the same place or if they scammer has simply spoofed her e-mail address.

[ilev]

Liev -

I don't think Linux would be a good solution for her. As much as some of us prefer the *nix variants, not everyone does. :)

You can't know before you try with a LiveCD.

[Roger H. Veteran]

What about her password for MSN? Are the emails being sent from her Outlook Express/Windows Live Mail and therefore would show up in her "Sent Items" folder or did the person just use a keylogger to get her MSN password and POP3 into her account to send all the emails they want from his or other machines out there in the world?

[PNWDweller]

I did look at the headers, the legit email is showing MSN's email servers.

The other one is coming in from Romania:

http://www.trustedsource.org/query/85.121.24.56

This is based on the following I got from the mail headers:

X-Originating-IP: [85.121.24.56] - SPAM Mail

X-Originating-IP: [65.54.190.102] - LEGIT MAIL

I am aware that they can spoof an email address from, it is certainly easy to do. The other thing though is somewhere along the line, her account has to have been compromised on MSN or her computer in the form malware, otherwise, they would have no clue as to who to send to in her address book. I am going on the assumption at this point that they have retained the email addresses in their system to do this, or they are getting in via an open port on her system to do this with no memory of email addresses.

Based on the theory that they are spoofing the email address, wouldn't it be possible that they could always harvest the email addy's from her computer and then send through a series of tunnels to further mask it?

[Colin-uk Veteran]

if the emails were sent via a series or other servers then it would show in the mail headers.

sounds like something just copied the address book on the PC and the mails were sent from romania, not your mums pc, and if thats the case, theres not much you can do once they have your email address. although this does open up the possibility that they obtained your address from elsewhere if there is no connection to your mums pc and the spam email. (unless a number of other users in her address book also recieved the same email).

[sweetsam]

Make sure there is a good antivirus and firewall installed. I would recommend comodo firewall along with MSE. Once an email address is on a spam list it will continue to receive spam. It could also be used as a fake from address. So a spam mail from your mom's email address is not surprising considering the fact that her computer was compromised.

[PNWDweller]

if the emails were sent via a series or other servers then it would show in the mail headers.

sounds like something just copied the address book on the PC and the mails were sent from romania, not your mums pc, and if thats the case, theres not much you can do once they have your email address. although this does open up the possibility that they obtained your address from elsewhere if there is no connection to your mums pc and the spam email. (unless a number of other users in her address book also recieved the same email).

Yeah, I know I can clearly see everyone else's email address included in mine which are coming from the spammer's email. The fun part is that I have three that she can email to and only two have been hit so at least one is safe...for now...

So now, I will be putting a firewall on there to sort this out for in the future. Thanks for your feedback!

[Colin-uk Veteran]

ah ok, thats good, no probs, hope you can get it sorted :)

[+John Teacake MVC]

I haven't read the whole thread as I am going out but I use HostsMan (Google It). It is essentially a blocklist for your HostsFile. If a PC did ever get infected it would stop it resolving any of the known domains.

[Tha Bloo Monkee]

Change your passwords for starters.

[Panacik]

Let's get a little background -

XP Home edition SP3 fully patched and Avast Antivirus running along with Super Anti-spyware. The age of the install was well over 4 years old and the system had been screeching to a halt quite often. We ran some initial virus scans on the system and nuked about 34 infections. In doing this, my Mom had used Malwarebytes and found the viruses which Avast never saw or found. It also reported several registry errors 1,100+ which she took care of. After doing the scan/clean, her computer was still sending out emails which I will explain below:

She has DSL for her ISP and MSN for her primary account email address ([email protected] for example). The bot is pulling the email addresses she sends to and mass emailing them links to Viagra sites with people's names in the subject.

Last Saturday, I went over to her house to do a little housekeeping on the computer. We ended up re-installing the OS for a couple of reasons, even though it was running XP HOME SP3, it had been quite clogged up over the past few years with old programs which were no longer being used, probably about 2,000 photos that my late father took before he passed and other stuff all scattered across the drive. Her computer is a Dell which is about 5 years old probably (Dimension 4500s), and even though, it would run Vista probably OK, I didn't see any reason to do so at this time for her. Windows 7 is out of the question for her as she doesn't want to put any more $$$ into a system she is intending on replacing here in the next year or so. Anyway, I slapped XP PRO SP3 that I had a spare of and we went about our merry way of placing pictures and files where they could be found in an organized fashion. This time around, I installed Spybot S&D (to help her monitor the startup entries as well as registry changes),Avast again, and modified her hosts file to secure the browsers some. (Not much, but a little bit helps) Before anyone says anything about XP PRO vs Home, let me just say I chose this method over her restore CD's which would have installed bloatware and other crap in the system which I would have had to clean anyway later on.

Fast forward to today - This morning, I get the same emails again from her MSN account and this leads me to think that it isn't a virus per se, but some hacker probably port scanned her computer and got in, or her MSN has been compromised somehow. As of this morning, I told her to change her MSN password immediately and also change her IP address by rebooting her DSL and computer. Told her to call her ISP if it doesn't change the IP address.

Am I right in assuming at this point that one of her ports was compromised or the MSN account was compromised?

Scan YOUR machine and make sure your not infected first, as sometimes you will get these emails if the infection is at your end.

Secondly, change your mums passwords on her email.

Lastly, it is most likely that your mums email address has been harvested, possibly long with your own, either from someone elses email account or from the net somewhere.

The best advice I can give you is to format your mom's PC and install the free Linux ubuntu. For Internet, mail, audio, video, office.... it's more than enough, and all these applications come build-in and for free. And, she will be free from viruses, Trojans, botnets.....

No. If we told all users to do that, then we wouldnt be helping, we would just be a completely fanboy site.

lets stick to helping him sort the problem, rather than completely skitching around it.

[ilev]

Scan YOUR machine and make sure your not infected first, as sometimes you will get these emails if the infection is at your end.

Secondly, change your mums passwords on her email.

Lastly, it is most likely that your mums email address has been harvested, possibly long with your own, either from someone elses email account or from the net somewhere.

No. If we told all users to do that, then we wouldnt be helping, we would just be a completely fanboy site.

lets stick to helping him sort the problem, rather than completely skitching around it.

May I disagree. His mom isn't a tech user. He may fix the problem for now , but using Windows will bring new issues each week on someone that probably can't manage a secure Windows PC. Next thing you know, she will be blocked from the Internet by Microsof's Quarantine program .

For securing this PC he needs to install and maintain a router with firewall well configured which it's firmware is updated at least on monthly basis, a software firewall, 2 anti-virus applications, one with real-time protection and one run-on-demand, 2 maleware removal applications... regularly updating installed applications.....

Replace all this with a linux PC and you have 0 maintanace and not a drop in usability.

[Growled Member]

Replace all this with a linux PC and you have 0 maintanace and not a drop in usability.

Exactly. Mom will probably never know the difference but you sure will.

[carmatic]

Next thing you know, she will be blocked from the Internet by Microsof's Quarantine program .

what is this quarantine program that you speak of?

For securing this PC he needs to install and maintain ?a router with firewall well configured which it's firmware is updated at least on monthly basis, a software firewall, 2 anti-virus applications, one with real-time protection and one run-on-demand, 2 maleware removal applications...

0_o

regularly updating installed applications.....

thats the only part that i can agree with...

[PNWDweller]

First - My Mom is not a techie.

Second - My Mom is comfortable in the whole Windows environment

Third -I am not a fanboy concerning Windows, Linux, or Mac OS X. I use them all. in fact - my main system is Snow Leopard on a true iMac - Not hackintoshed, My laptop runs Mint Linux and when needed, I run Windows in bootcamp. So, I don't play favorites.

Liev - are you seriously thinking that within a week, that Windows is going to be compromised again, just because it is Windows? That sounds more like a Linux evangelism statement more than anything.

My solution is going to be installing a hardware firewall on her internet connection. No need to run dual antivirus systems or dual malware removal systems. One is enough and any more than that is just a foolish idea.

[+BudMan MVC]

Well both sp2 and sp3 both have software firewalls that should of protected here from worms and such, and would assume you had fully patched the machine? When you say you redid it - what did you install exactly? Was sp3 on it from the get go - or did install xp gold and then have to upgrade to sp3? Was it connected to the net at this time? If so before you got the software firewall up and running its quite possible it could of gotten infected from the noise out there on the net.. I would never suggest someone plug directly into the public net without a firewall running on their box.

Just take a look at the survival time graph --> http://isc.sans.org/survivaltime.html

So sure it possible for an unprotected/unpatched machine to become infected within a few minutes.

It also could be true that your mom loves to click on the bouncing monkey to win it big ;) Users are normally the weakest link when it comes to computer security.

I agree with you she should be behind a nat router for sure -- how is she not at this day an age.. You really can not get true dsl modem any more - so that leaves cable. Or a really really old dsl modem or gateway that was put into bridge mode?

Vs having to reinstall her machine every so often and worried about the box being compromised because she clicked on something shiny that popped up, etc. You might want to look into something like steady state that would reset her box to exactly how you had it configured on reboot, etc.. This would prevent her from installing nonsense/malware -- atleast for any amount of time.. ie next reboot. Since your running XP you could also look into sandboxie to keep here web browsing isolated, and again changes reset on restart.

As to an email from her msn account - without seeing the headers is hard to know if it came from her actual msn account, ie compromised or just spoofed. But sure its possible here msn account was hacked.. Or a key logger sent here info, if in fact here msn account was compromised I would suggest you double check it it for autoforwards -- its common for a compromised account to have autoforwards placed in them so that they can get other passwords and be informed of changes, etc. etc.

Keeping your computer challenged friends and family from infecting themselves within minutes of you leaving them alone with their machines can be a full time job ;)

[Nagisan]

Windows 7 is out of the question for her as she doesn't want to put any more $$$ into a system she is intending on replacing here in the next year or so.

I just have to ask, why is 7 out of the question? When she has the money to rebuild her system to replace the current one, tell her to come to you. Then put some parts together that will give her better price:performance than any pre-built would. If she gets Windows 7 now, you will be able to simply disconnect the old machine and install 7 on the old machine without spending any additional money.

So, buy 7 now, get better security, continue to use it in a year or so when she replaces her current system. No money lost as you are not replacing the OS at all. That is, assuming you build your own machines when possible, and would be willing to do so for your mom to help save her some money.