Very Insightful Person
Message 11 of 14

Re: Outgoing SMTP failing - VM305

I just wanted to include the text of the email @GerardSweeney sent me, to add context to my analysis here:

Hi, Tim.

Thanks very much for offering to do this.
I've attached a ZIP of the 4 PCAPs where anything actually showed up - all from my phone.

The two "After installing Outlook" ones are the hits I'm getting from my phone after I uninstalled GMail and installed Outlook.

Many thanks,
Gerard

The last line is important as it demonstrates that the Gmail app was not the source of the traffic - nor is the Outlook app.  (BTW - be aware that the Outlook app on Android and iOS does involve your mail being sent via third-party servers when travelling to and from your phone, unlike Outlook on PC - but I digress.)

Looking at the capture, we see traffic like this (Wireshark packet list: No., Time, Source, Destination, Protocol, Length, Info):

No.	Time	Source	Destination	Protocol	Length	Info
4	1.328389	104.47.49.33	192.168.137.189	SMTP	183	S: 220 DM3NAM05FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 30 Oct 2019 22:23:39 +0000
6	2.758551	192.168.137.189	104.47.49.33	SMTP	91	C: ehlo ndsdbzrleecdxp.com
8	3.188385	104.47.49.33	192.168.137.189	SMTP	263	S: 250-DM3NAM05FT013.mail.protection.outlook.com Hello [81.105.141.155] | 250-SIZE 49283072 | 250-PIPELINING | 250-DSN | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250-BINARYMIME | 250-CHUNKING | 250 SMTPUTF8

This is the malware talking to the inbound mail server at Microsoft.  What's interesting with this one is what happens just after the EHLO: this particular malware doesn't try sending the mail - instead it just shuts down the connection.

No.	Time	Source	Destination	Protocol	Length	Info
9	3.754286	192.168.137.189	104.47.49.33	TCP	66	51699 → 25 [ACK] Seq=26 Ack=315 Win=65535 Len=0 TSval=13560662 TSecr=516190605
10	9.268342	192.168.137.189	104.47.49.33	TCP	66	51699 → 25 [FIN, ACK] Seq=26 Ack=315 Win=65535 Len=0 TSval=13560981 TSecr=516190605
11	9.385668	104.47.49.33	192.168.137.189	TCP	66	25 → 51699 [ACK] Seq=315 Ack=27 Win=4405 Len=0 TSval=516196802 TSecr=13560981
12	9.401422	104.47.49.33	192.168.137.189	TCP	66	25 → 51699 [FIN, ACK] Seq=315 Ack=27 Win=4405 Len=0 TSval=516196819 TSecr=13560981
13	9.404521	192.168.137.189	104.47.49.33	TCP	66	51699 → 25 [ACK] Seq=27 Ack=316 Win=21750 Len=0 TSval=13560995 TSecr=516196819

Note: it's definitely the device at 192.168.137.189 that closes the connection, with a TCP FIN.

Note as well that the EHLO hostname is a fake FQDN.

If you can't find the malware with tools such as Kaspersky, I'd consider saving any data/photos that you want to keep and then doing a factory reset on the phone.

Tim

Edit - Are there any apps on the phone that you don't recognise, or ones that you do recognise but that required you to use the "Allow install from untrusted sources" setting?

I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media.
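The triage Tim walks through above (a LAN client talking straight to an MX on port 25, an EHLO with a made-up hostname, then a client-side FIN with no MAIL FROM) can be run mechanically over Wireshark's plain-text packet-list export (File > Export Packet Dissections > As Plain Text). The script below is an added example, not code from this thread or from Wireshark; the sample rows are constructed from the ones quoted above plus a benign contrast conversation to 203.0.113.10 (an invented address), and the "five consonants in a row" threshold for a machine-generated hostname is an assumption, not a standard.

```python
"""Triage a Wireshark packet-list export for rogue direct-to-MX SMTP.
Added example; rows are constructed from the thread, not a real capture."""
import re
from collections import defaultdict

VOWELS = set("aeiouy")
TCP_INFO = re.compile(r"^(\d+)\s*[→>-]+\s*(\d+)\s*\[([^\]]+)\]")
SMTP_CMD = re.compile(r"^([CS]): (.*)$")

# Columns: No., Time, Source, Destination, Protocol, Length, Info
SAMPLE_ROWS = [
    ("4", "1.328389", "104.47.49.33", "192.168.137.189", "SMTP", "183",
     "S: 220 DM3NAM05FT013.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready"),
    ("6", "2.758551", "192.168.137.189", "104.47.49.33", "SMTP", "91",
     "C: ehlo ndsdbzrleecdxp.com"),
    ("8", "3.188385", "104.47.49.33", "192.168.137.189", "SMTP", "263",
     "S: 250-DM3NAM05FT013.mail.protection.outlook.com Hello [81.105.141.155] | 250-SIZE 49283072"),
    ("10", "9.268342", "192.168.137.189", "104.47.49.33", "TCP", "66",
     "51699 → 25 [FIN, ACK] Seq=26 Ack=315 Win=65535 Len=0"),
    ("12", "9.401422", "104.47.49.33", "192.168.137.189", "TCP", "66",
     "25 → 51699 [FIN, ACK] Seq=315 Ack=27 Win=4405 Len=0"),
    # Constructed benign contrast: a mail client submitting via port 587.
    ("20", "12.0", "192.168.137.189", "203.0.113.10", "TCP", "74",
     "52000 → 587 [SYN] Seq=0 Win=65535 Len=0"),
    ("21", "12.1", "192.168.137.189", "203.0.113.10", "SMTP", "80",
     "C: ehlo android-phone.lan"),
    ("22", "12.2", "192.168.137.189", "203.0.113.10", "SMTP", "90",
     "C: MAIL FROM:<user@example.com>"),
]
SAMPLE = "\n".join("\t".join(r) for r in SAMPLE_ROWS)


def longest_consonant_run(label):
    """Length of the longest run of consonant letters in one DNS label."""
    run = best = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(hostname, max_run=5):
    """Assumed heuristic: generated names like ndsdbzrleecdxp.com carry
    consonant runs (8 here) that dictionary-based names never do."""
    return any(longest_consonant_run(l) >= max_run for l in hostname.split("."))


def parse_rows(text):
    """Yield (src, dst, proto, info) from tab-separated Wireshark rows."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 7:
            yield parts[2], parts[3], parts[4], "\t".join(parts[6:])


def analyze(text):
    """Per-conversation state keyed by 'client -> server'."""
    conv = defaultdict(lambda: {"port25": False, "ehlo": None,
                                "mail_from": False, "client_fin": False})
    for src, dst, proto, info in parse_rows(text):
        if proto == "SMTP":
            m = SMTP_CMD.match(info)
            if not m:
                continue
            side, payload = m.groups()
            client, server = (src, dst) if side == "C" else (dst, src)
            st = conv[f"{client} -> {server}"]
            if side == "C":
                rest = payload.split(" ", 1)
                verb = rest[0].upper()
                if verb in ("EHLO", "HELO"):
                    st["ehlo"] = rest[1].strip() if len(rest) > 1 else ""
                elif verb == "MAIL":
                    st["mail_from"] = True
        elif proto == "TCP":
            m = TCP_INFO.match(info)
            if not m:
                continue
            sport, dport, flags = int(m.group(1)), int(m.group(2)), m.group(3)
            if dport == 25:
                client, server = src, dst
            elif sport == 25:
                client, server = dst, src
            else:
                continue  # not MX traffic; submission ports are normal for a phone
            st = conv[f"{client} -> {server}"]
            st["port25"] = True
            if dport == 25 and "FIN" in flags:
                st["client_fin"] = True  # the client, not the MX, tore it down
    return dict(conv)


def findings(text):
    """Indicator strings per conversation; an empty list means nothing odd."""
    out = {}
    for key, st in analyze(text).items():
        notes = []
        if st["port25"]:
            notes.append("client talks to port 25 directly (a mail app would use 587/465 via a relay)")
        if st["ehlo"] and looks_random(st["ehlo"]):
            notes.append(f"EHLO hostname looks machine-generated: {st['ehlo']}")
        if st["ehlo"] and not st["mail_from"] and st["client_fin"]:
            notes.append("EHLO then client FIN with no MAIL FROM (a probe, not a delivery)")
        out[key] = notes
    return out


if __name__ == "__main__":
    for key, notes in findings(SAMPLE).items():
        print(key, "->", notes or ["no indicators"])
```

Feed it `tshark -r capture.pcap -T text`-style rows and any conversation that collects all three notes is worth pulling the pcap apart by hand; the port-25 check alone is the cheapest signal, since nothing legitimate on a handset should open outbound port 25 at all.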

Tuning in
Message 12 of 14

Re: Outgoing SMTP failing - VM305

Hi, Tim.

I've gone through my phone, removing any and every app that I don't actually use 🙂

I'll try to fire up the monitoring laptop at home tonight, and see if that's made a dent.
Let's hope so - before going on the app hoovering, I'd been onto about my 7th or 8th malware detection app to no avail.
Which doesn't inspire confidence in those apps, really.

My thanks for your assistance in this.

Tuning in
Message 13 of 14

Re: Outgoing SMTP failing - VM305

The phone has been attached to the Wireshark PC for the last couple of hours, and there's been zero hits.
So hopefully all is well with the world.

Thanks again!

Very Insightful Person
Message 14 of 14

Re: Outgoing SMTP failing - VM305

@GerardSweeney wrote:

Let's hope so - before going on the app hoovering, I'd been onto about my 7th or 8th malware detection app to no avail.
Which doesn't inspire confidence in those apps, really.

It is unfortunate the issue was not reported to one of the malware detection vendors for further investigation as that would have likely identified the app causing the issue and improved detection.