TR Forums

I opened an email from an old friend a few weeks ago. It was plaintext spam about inkjet carts with a link at the bottom. I'm sure he didn't sent it knowingly and I silently chided him for not being more careful. So, of course, the following day I get dozens of bounced messages in my Inbox about undeliverable messages. They're all sent to out-of-date addresses in my contact list. Big sigh.

I'd heard about trojans being embedded in plaintext, and I guess I got one. Can anyone offer some advice on how to deal with this? Best case would be to find the source and get rid of it, but I can live with just an outgoing filter to prevent spamming all my friends.

Running windows 7, Office suite (Outlook), and MSE behind the standard DSL modem and Linksys with dd-WRT firmware.

I've heard of making the first entry in your contact list have a badly formed E-mail address so that it tosses an error or asks for confirmation before continuing as a way to slow down an auto-mailer. I am assuming that is what you are asking for because you already know about virus scanners and anti-malware. Right?

If you know you're infected with something, you *really* don't want to leave it there. It may also contain a backdoor or keylogger, which can lead to additional malware infections and/or theft of sensitive personal info.

Get a current copy of Malwarebytes Anti-Malware, and run a full scan with that.

If you don't have any AV installed, you'll also need to install Microsoft Security Essentials, and run a full scan with that.

If MBAM + MSE doesn't get rid of it, post back and we'll work up a Plan B.

And (perhaps most importantly), if you're absolutely certain this infection was e-mail based, and happened without opening any attachments, I *strongly* suggest you upgrade or switch e-mail clients. If the one you're using now is allowing you to get infected without even opening attachments, it is broken.

Edit: Duh, reading fail on my part -- you already said you were running MSE and Outlook. Well, give MBAM a go and see what happens.

sluggo wrote:

I opened an email from an old friend a few weeks ago. It was plaintext spam about inkjet carts with a link at the bottom. I'm sure he didn't sent it knowingly and I silently chided him for not being more careful. So, of course, the following day I get dozens of bounced messages in my Inbox about undeliverable messages. They're all sent to out-of-date addresses in my contact list. Big sigh.

I'd heard about trojans being embedded in plaintext, and I guess I got one. Can anyone offer some advice on how to deal with this? Best case would be to find the source and get rid of it, but I can live with just an outgoing filter to prevent spamming all my friends.

Running windows 7, Office suite (Outlook), and MSE behind the standard DSL modem and Linksys with dd-WRT firmware.

Who is your email provider?

Thanks for all the quick replies. I'm using Microsoft Security Essentials as my main security tool. When I first saw the problem I d/l'd MalwareBytes and ran full scans on the system with both it and MSE. They each found a couple of tracking items, but MSE also found one "Medium" and two "Severe" items. The Medium and one of the Severe items were in areas that are not executed (basically repositories of client data that has been spared off long ago), but the other "Severe" was found in a file I had downloaded and executed. File Commander (a Norton Commander clone), apparently came pre-loaded with something called TrojanClicker:Win32/Yabector.A. This was apparently a zero-day vector, as this zip file was last opened about six months ago and I've been using MSE for a couple of years now. There were no warnings at the time I opened the file.

I've run full scans several times over the last few weeks and thought the installation had been cleaned, but the bounced message showed up again yesterday, prompting my post.

My ISP is ATT/Yahoo.

Below is a redacted copy of the typical bounce message. Greek to me. My ISP is ATT/Yahoo, but my domain is pacbell.net (from long ago). I modified the attached link with an extra "/" to make it unclickable.

----------------------------------------------------------------


Sorry, we were unable to deliver your message to the following address.

<PERSON ON MY CONTACT LIST WITH NOW INVALID ADDRESS>:
Remote host said: 550 5.7.1 <PERSON ON MY CONTACT LIST WITH NOW INVALID ADDRESS>: Recipient address rejected: User validation returned unknown user [RCPT_TO]

--- Below this line is a copy of the message.

Received: from [98.139.44.107] by nm10.access.bullet.mail.sp2.yahoo.com with NNFMP; 02 Nov 2011 04:51:49 -0000
Received: from [98.139.44.77] by tm12.access.bullet.mail.sp2.yahoo.com with NNFMP; 02 Nov 2011 04:51:49 -0000
Received: from [127.0.0.1] by omp1014.access.mail.sp2.yahoo.com with NNFMP; 02 Nov 2011 04:51:49 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 86730 invoked by uid 60001); 2 Nov 2011 04:51:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pacbell.net; s=s1024; t=1320209509; bh=rQfCzYBMXVPPwDAPgTM1OlqProjflmsfeuMpVdCKkIk=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=VyQUWmhdUZQD/8y5WFdDVHWs35I5cLe5tKvvoxiyvHr24oQPLdjD7piCb7fv2CuqBOrr9FB3C32Rnb5/7nEyMcOHzveKKhecuC++7UGqm/R+mYDqb/VUBzi8GASP4rcnAhz8fMJEROGVIsefyeb/vSzOQWSG73HKmTtjZ8EeqPY=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=pacbell.net;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
b=o+Z40HWXg1aXKrTmHZSF+qICA8IRebEBqNlwFOX8b0HJHeV3cbv/Bxh4hi1Bve9bk5lB1y6WS0OiL76L4eTzYQtyqGfQuTB1/v3hNCUl6yc1FnMaos/hqUCjRw5Xf0mBGX/0mkk3V2IwpaFzSHCuI0BOohfeIYxIcDDzg1eioL0=;
X-YMail-OSG: qDMG920VM1k0BGJkguAHnboSWMNf0Wr07TQPHC0.luMTnt8
V2Km1fTp8ja5K_a9dW6SCSbVp_IpRmx82ETLreaGFMaE5x2w9SZBobqYCJs0
_mpI14fw4caF9ALRMkg3AemXUqne65ZTr5jCkucJ0yfBmId3OjT2A0EZs2lC
t.Qer6c9GUSA_cc_F_GyuEX1ujGPo0KjTT5B6NtREkALEsvoSrcDprNuayhZ
xQyccxac0f32vCkd_dNmOJdtwLCxIXe2QbcxasqsX86oc1kt3iLOxgEqlLo9
hk7dBkKaSptm16vLSZ4VgnhKEbPncNK7WiWRiRsKHtP24MEQ8NGLUdW.TC.v
vtEm54HpxxzUzwRnItwlVKY3kP_Z2jqlPqRaz.XJ9UixhFrKEUmCgzPg8_xo
yW3ienH7ZpWGsaLRA0kOOjttLyv5AdW5an613yD4ocZMUbjVmc66w5BDA2oh
ryeSrSOGJCdytYETG.YdaZRzdevBm.aJ25Pq55v87xF55zWwlEeV9dKnk008
8YjxVbwLw2ltGJKFOUFD6I3pQ3FQUXEQnoCfj46_OhlwrYw13
Received: from [113.193.182.194] by web83403.mail.sp1.yahoo.com via HTTP; Tue, 01 Nov 2011 21:51:49 PDT
X-Mailer: YahooMailWebService/0.8.114.317681
Message-ID: <[email protected]>
Date: Tue, 1 Nov 2011 21:51:49 -0700 (PDT)
From: ME <MY CORRECT EMAIL ADDRESS>
Subject:
To: SEVEN OTHER ADDRESSES FROM MY CONTACT LIST
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

.. http:///ebrahimbay.com/friends.php?atopicid=8xsy

Might want to get something that is better at detecting/removing rootkits. I'm not sure what's good these days, I haven't had to deal with a rootkit in a while.

Another possibility is that you're actually not infected any more, but the trojan grabbed a copy of your address book and uploaded it to someone who is now sending spam with a spoofed source address. A careful comparison of the routing headers of a legit message sent by you versus one of the bounces might help determine whether this is the case.

I suggest ditching Outlook unless you need the MS Exchange integration.

Edit: OK, you just posted one of the bounces. Please e-mail me directly (content of message doesn't matter, can be empty), so I can compare the headers against those of a legit e-mail coming from you.

Okay, found something important. The contact list this mailer is pulling from is the one I have online at Yahoo's servers, NOT the one I keep locally on my Outlook installation. I looked at a few more messages and found many addresses that not kept locally, but are on the Yahoo mail account online.

Do I start screaming at Yahoo? Cancel my account? Log in with another machine and change passwords? All of the above?

just brew it! wrote:

Please e-mail me directly (content of message doesn't matter, can be empty), so I can compare the headers against those of a legit e-mail coming from you.

Done!

sluggo wrote:

Okay, found something important. The contact list this mailer is pulling from is the one I have online at Yahoo's servers, NOT the one I keep locally on my Outlook installation. I looked at a few more messages and found many addresses that not kept locally, but are on the Yahoo mail account online.

Do I start screaming at Yahoo? Cancel my account? Log in with another machine and change passwords? All of the above?

Sounds like your Yahoo account got hacked...

Edit: I wonder if there was some sort of wider breach at Yahoo. Just a couple of hours ago I got a spam from someone I haven't heard from in years. They have a Yahoo e-mail address.

My Yahoo mail account has been hacked twice in the past month or so. I use a very strong password, so I don't understand how this is happening. When I looked at the login history on my yahoo account it showed one login from Thailand and one from Netherlands (probably proxies). The first time it happened, I immediately changed my password, but it happened again a few days later. I changed my password again and this time I did not update Blackberry with the new password. No problems in the past couple weeks.

Did the OP have the Blackberry connection as well?

JJCDAD wrote:

My Yahoo mail account has been hacked twice in the past month or so. I use a very strong password, so I don't understand how this is happening. When I looked at the login history on my yahoo account it showed one login from Thailand and one from Netherlands (probably proxies). The first time it happened, I immediately changed my password, but it happened again a few days later. I changed my password again and this time I did not update Blackberry with the new password. No problems in the past couple weeks.

Did the OP have the Blackberry connection as well?

I just got to the bottom of it. I went looking through my Yahoo account and there was a new email username in the area reserved for "Work" mail accounts, someplace I would never have bothered to look had I not been looking for something. The new email subaccount was [email protected]. I am not Edwina. I deleted the user and immediately changed my password to something stronger (and darn, 12345 was so easy to remember!). =)

And yes, there were some services enabled that I did not enable, including Palm Synergy.

Sounds like it might be time to get some distance between me and Yahoo.

sluggo wrote:

Sounds like it might be time to get some distance between me and Yahoo.

And start using stronger passwords...

just brew it! wrote:

sluggo wrote:

Sounds like it might be time to get some distance between me and Yahoo.

And start using stronger passwords...

Well, the "12345" reference was a joke, really, but I guess the seven random alphanumerics made for a weak password. The new one is twelve characters.

Funny how I immediately assumed that my network was less secure than Yahoo's.

Seven random alphanumerics is pretty good if the password hashes are secure (I'm assuming Yahoo isn't stupid enough to store the plaintext passwords anywhere). But if someone has gotten ahold of the password hashes somehow, then the passwords can theoretically be brute forced. If they're not salting their hashes, a brute force crack isn't even needed (precomputed "rainbow tables" can be used to cut the computation time by many orders of magnitude versus a brute force attack).

A more plausible scenario is that some machine you've used to log in to your Yahoo account is infected with a keylogger that captured your keystrokes when you entered the user name and password. Have you, at any time over the past few months, logged in to the Yahoo account from a PC you don't control/trust?

HTTPS only protects you from interception while the keystrokes are in transit over the 'net (i.e. once they leave the PC). It does nothing to protect against keylogger/rootkit type malware on the PC being used to log in to the web site.