Educause Security Discussion mailing list archives
Re: Phatbot
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Fri, 19 Mar 2004 16:10:29 -0500
Has anyone seen hard information on characteristics of the traffic that would be a good marker distinguishing it from other valid traffic in netflow data, e.g. byte counts, etc.?

Doug Pearson
REN-ISAC
Indiana University

At 11:02 AM 3/19/2004 -0600, Marty Hoag wrote:
> Scott Weeks wrote:
>> Hello Everyone,
>>
>> I see there're six IP addresses that the infected machines contact to do their "speed test". I suppose we could just monitor traffic to these addresses to find infected machines? Doing traceroutes to the URLs in the article gives the following list:
>
> Note that the IP addresses may change. That still might be a viable way to detect the infections, but the list would be a lot longer than the one for just the host names. For example, I checked the Stanford host name just now and got:
>
>     www.stanford.edu.       1H IN CNAME  www.LB-A.stanford.edu.
>     www.LB-A.stanford.edu.  4S IN A      171.67.16.68
>
> and the 4 second time to live for the "A" record may indicate they do some load balancing or something - the next time I tried it was 171.67.16.54. www.xo.net returns four IP addresses at the moment with 15 minute times to live.
>
> Does anyone know if this critter uses the normal "resolver" for domain names on the PC? In other words, if your PCs point at one local DNS server for name resolution, perhaps requests for the host names could be detected (assuming the names are what is in the code).
>
> The document at http://www.lurhq.com/phatbot.html does give some "Snort" signatures which look for the ending messages the worm's FTP server sends out (e.g. "have a good infection") as well as P2P traffic.
>
> Marty
>
>> 131.113.213.132
>> 140.114.72.8
>> 171.67.16.66
>> 207.155.248.63
>> 130.89.1.16
>> 212.227.147.70
>>
>> Whatcha' think?
>>
>> scott
>>
>> : Another good web site.
>> : http://www.lurhq.com/phatbot.html
>> : http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
>> : follows:
>> : Hackers Embrace P2P Concept
>> : Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or
>> : Denial-of-Service Attacks
>
> =====
> ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
--
Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
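An added illustration of Marty's point, not code from anyone in the thread: checking DNS query logs for the speed-test host names catches a client that the traceroute-derived IP list misses once load balancing hands out a different address. The BIND-style log format, the internal client addresses and the flow records are constructed; the watch list holds only the two names and the addresses quoted above.

```python
import re
from collections import defaultdict

# Host names Marty checked; the page names only these two, so the rest of
# the article's list is left to the reader's own copy (assumption).
WATCH_NAMES = {"www.stanford.edu", "www.xo.net"}
# Scott's traceroute-derived addresses, as posted in the thread.
WATCH_IPS = {"131.113.213.132", "140.114.72.8", "171.67.16.66",
             "207.155.248.63", "130.89.1.16", "212.227.147.70"}

# Assumed BIND-style query log line:
#   "client 10.0.0.7#3210: query: www.xo.net IN A"
DNS_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN A")


def dns_suspects(log_lines):
    """Map internal client -> set of watch-list names it tried to resolve."""
    hits = defaultdict(set)
    for line in log_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if name in WATCH_NAMES:
            hits[m.group("src")].add(name)
    return dict(hits)


def flow_suspects(flows):
    """flows: iterable of (src_ip, dst_ip); match on destination address only."""
    return {src for src, dst in flows if dst in WATCH_IPS}


# Constructed sample data, not captured from any real network.
SAMPLE_DNS = [
    "client 10.0.0.7#3210: query: www.xo.net IN A",
    "client 10.0.0.9#4455: query: www.stanford.edu IN A",
    "client 10.0.0.12#5120: query: www.example.org IN A",
]
SAMPLE_FLOWS = [
    ("10.0.0.7", "207.155.248.63"),  # on Scott's list: caught by the IP check
    ("10.0.0.9", "171.67.16.54"),    # the other Stanford address: IP check misses it
    ("10.0.0.12", "203.0.113.5"),    # unrelated traffic
]

if __name__ == "__main__":
    print("by name:", dns_suspects(SAMPLE_DNS))
    print("by IP:  ", flow_suspects(SAMPLE_FLOWS))
```

Host 10.0.0.9 shows up only in the name-based result, which is exactly the gap a short-TTL, load-balanced record opens in an address-only watch list.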
Current thread:
- Phatbot Kathie Brinkman (Mar 18)
- <Possible follow-ups>
- Re: Phatbot James Moore (Mar 18)
- Re: Phatbot Jeff Birch (Mar 19)
- Re: Phatbot Scott Weeks (Mar 19)
- Re: Phatbot Marty Hoag (Mar 19)
- Re: Phatbot Daniel Medina (Mar 19)
- Re: Phatbot Doug Pearson (Mar 19)
- Re: Phatbot Gary Flynn (Mar 19)
- Re: Phatbot Dr. Tina Bird (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Brian Eckman (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Jeff Kell (Mar 19)