DarkMailer YellSOFT DirectMailer Trojan

Yeah, so there is a new version of a trojan which sends email out. I have seen such an infected server which was sending out 1000s of emails and had 100's of processes open; the file name will be anything like .pl / .php / .cgi.

The details below are from CBL:

via FTP, they install Perl scripts that do the spamming. CPanel and Plesk installations are the most common infectees, but others (including Apache) are also subject to this problem.

ANY web server capable of running Perl scripts (whether Windows, UNIX, Linux, FreeBSD etc) and permits FTP access for customers/users OR EVEN administrators to change their web pages is potentially a victim of this spamware.

You can often identify this (on UNIX/Linux systems) by doing “ps” (process status) and finding many (often 10 or more) long-running processes named “.cgi”, “.php” or “.pl” that are owned by the same user as your web server instance.

There are two main versions of this spamware:

In the first, it works by uploading a series of “.php” and “.pl” scripts via FTP (you’ll see this in your FTP logs), and then invoking them via your web server. Once the programs are invoked, they delete themselves from the file system, but remain running.

In the second, the spamware is a “cgi” Perl script that does not delete itself. It can be called anything – e.g. “dm.cgi”, “test.cgi” etc.

It will most often be in the cgi-bin directory, perhaps that of an individual user, not the system-wide one.

You also may find various files like “from.txt”, “replyto.txt” etc. There is also a “sys” directory that contains a lot of “*.mx” files. This all has to be eradicated. Whether these exist depends on the configuration of the DarkMailer/DirectMailer spamware that is infecting your machine.

Dealing with this can be difficult, because as long as your FTP passwords can be cracked (or stolen from an infected web developer’s PC) it can come back at any time.

First: minimize FTP access. Secure/change all passwords. If you can do your customer uploads some other way, turn off FTP, or prevent FTP from writing directly into the web server’s document directory.

It is entirely possible that this spamware can be installed by other means (e.g. FrontPage extensions), but we have not heard of it actually being done. Yet…

Second: Find the infection. If it’s the second version (“cgi”), you can find it, remove it and kill any running copies.

If it’s the first version, there’s nothing to find because it has deleted itself; instead you have to stop the currently running processes. The simplest way is to reboot the server. Or, if you can identify _all_ of the rogue processes, killing them should be enough. Just make sure they stay dead.

Third: Configure your system to absolutely prohibit any userid except root or your mail server’s userid (often “mailman” or something like that) from getting access to outbound port 25. In this way, even if you do get infected, the spamware can’t get email out to the Internet.

In the above links, take note of the references to “CPanel/WHM’s SMTP Tweak” and “CSF SMTP_BLOCK” – these are both patches/addon hacks to CPanel that can implement port 25 restrictions. There are many other ways to accomplish this for other web servers, for example, IPTables on Linux, PF on FreeBSD etc.
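As an added example (not part of the CBL text), the following POSIX shell script puts the “ps” check from above and the port 25 restriction from the third step into working form: `find_rogue_pids` filters `ps -eo user,pid,etime,comm` output for `.cgi`/`.php`/`.pl` processes owned by the web server user, and `smtp_egress_rules` prints the IPTables commands that let only root and the mail user reach outbound port 25. The sample ps output and the user names `nobody` and `mailman` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user,pid,etime,comm` output (not a real capture).
SAMPLE_PS='USER       PID     ELAPSED COMMAND
root         1  10-02:11:03 init
nobody    4121     02:13:44 httpd
nobody    5821   1-04:22:10 dm.cgi
nobody    5822   1-04:22:09 .pl
nobody    5823   1-04:22:09 test.php
alice     6011     00:0012 vim
mailman   1200  10-01:59:40 python'

# Print the PIDs of processes owned by the web server user ($1) whose command
# name ends in .cgi, .php or .pl. Reads ps output on stdin; the header line is
# skipped. Live usage: ps -eo user,pid,etime,comm | find_rogue_pids nobody
find_rogue_pids() {
    awk -v u="$1" 'NR > 1 && $1 == u && $4 ~ /\.(cgi|php|pl)$/ { print $2 }'
}

# Print (do not run) the IPTables rules that allow outbound SMTP only for root
# and the mail server user ($1). Loopback stays open so web apps can still hand
# mail to the local MTA, which then relays as the mail user. Blocked attempts
# are logged before being rejected, which also makes a new infection visible.
smtp_egress_rules() {
    mailuser="$1"
    cat <<EOF
iptables -A OUTPUT -o lo -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $mailuser -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP-BLOCK "
iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Demonstration on the constructed sample.
echo "Suspect PIDs owned by nobody:"
printf '%s\n' "$SAMPLE_PS" | find_rogue_pids nobody
echo "Egress rules for mail user mailman:"
smtp_egress_rules mailman
```

Review the PID list against elapsed time and the cgi-bin contents before killing anything, and apply the rules only after confirming your legitimate mail path runs as root or the mail user.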

The Microsoft MSRT (Malicious Software Removal Tool) stands a good chance of being able to find/remove the malicious software, if you can find which machine[s] the malware is on.