Educause Security Discussion mailing list archives

Re: Phatbot


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Fri, 19 Mar 2004 16:10:29 -0500

Has anyone seen hard information on characteristics of the traffic that would be a good marker distinguishing it from
other valid traffic in netflow data, e.g. byte counts?

Doug Pearson
REN-ISAC
Indiana University


At 11:02 AM 3/19/2004 -0600, Marty Hoag wrote:
Scott Weeks wrote:

Hello Everyone,

I see there are six IP addresses that the infected machines contact to do
their "speed test".  I suppose we could just monitor traffic to these
addresses to find infected machines?  Doing traceroutes to the URLs in the
article gives the following list:

  Note that the IP addresses may change. That still might
be a viable way to detect the infections but the list would
be a lot longer than the one for just the host names. For example,
I checked the Stanford host name just now and got:

www.stanford.edu.       1H IN CNAME     www.LB-A.stanford.edu.
www.LB-A.stanford.edu.  4S IN A         171.67.16.68

and the 4 second time to live for the "A" record may indicate
they do some load balancing or something - the next time
I tried it was 171.67.16.54.

  www.xo.net returns four IP addresses at the moment with
15 minute times to live.

  Does anyone know if this critter uses the normal
"resolver" for domain names on the PC? In other words,
if your PCs point at one local DNS server for name
resolution perhaps requests for the host names could
be detected (assuming the names are what is in the code).

  The document at http://www.lurhq.com/phatbot.html does
give some "Snort" signatures which look for the ending
messages the worm's FTP server sends out (e.g. "have a good
infection") as well as P2P traffic.

  Marty

      131.113.213.132
      140.114.72.8
      171.67.16.66
      207.155.248.63
      130.89.1.16
      212.227.147.70

Whatcha' think?

scott


:  Another good web site.
:  http://www.lurhq.com/phatbot.html


:  http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
:  follows:
:          Hackers Embrace P2P Concept
:          Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or
:  Denial-of-Service Attacks


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

--

Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
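The detection ideas discussed in this thread (matching netflow records against the speed-test IP list, matching resolver queries against the host names, and summarizing per-host byte counts as Doug asks about), worked through as an added example that is not code from any of the messages above. The six IP addresses and the two host names are taken from the thread; the flow and DNS log layouts, every log line, and the "at least two distinct speed-test destinations" threshold are constructed assumptions for illustration.

```python
"""Flag hosts whose flows or DNS queries match the Phatbot "speed test" watchlist.

Added example, not code from the mailing-list thread. The IP list and the two
host names come from the thread; the flow/DNS record layouts and all log lines
below are constructed sample input.
"""
from collections import defaultdict

# IPs the thread says infected hosts contact for their "speed test".
# As Marty notes, these can change (short-TTL load balancing), so the
# host names are the more durable indicator.
SPEEDTEST_IPS = {
    "131.113.213.132", "140.114.72.8", "171.67.16.66",
    "207.155.248.63", "130.89.1.16", "212.227.147.70",
}
# Only the two names mentioned in the thread; the real list is longer.
SPEEDTEST_NAMES = {"www.stanford.edu", "www.xo.net"}

# Constructed flow records (assumed layout):
# start src_ip src_port dst_ip dst_port proto bytes packets
FLOWS = """\
2004-03-19T10:00:01 10.1.2.3 3412 171.67.16.66 80 6 58234 61
2004-03-19T10:00:02 10.1.2.3 3413 207.155.248.63 80 6 57120 60
2004-03-19T10:00:05 10.1.2.9 1025 192.0.2.10 80 6 1200 9
2004-03-19T10:00:07 10.1.2.3 3414 212.227.147.70 80 6 59010 62
2004-03-19T10:00:09 10.1.2.20 2044 130.89.1.16 80 6 8100 12
"""

# Constructed resolver query log (assumed layout): time client qname qtype
DNS_LOG = """\
2004-03-19T09:59:59 10.1.2.3 www.stanford.edu A
2004-03-19T10:00:00 10.1.2.3 www.xo.net A
2004-03-19T10:00:03 10.1.2.9 www.example.org A
"""


def flows_to_watchlist(flow_text, watchlist=SPEEDTEST_IPS):
    """Per source IP: number of flows to watchlisted IPs, total bytes sent,
    and the set of distinct watchlisted destinations contacted."""
    hits = defaultdict(lambda: {"hits": 0, "bytes": 0, "dsts": set()})
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue  # skip malformed records rather than crash
        _, src, _, dst, _, _, nbytes, _ = fields
        if dst in watchlist:
            entry = hits[src]
            entry["hits"] += 1
            entry["bytes"] += int(nbytes)
            entry["dsts"].add(dst)
    return dict(hits)


def dns_queries_to_watchlist(dns_text, watchlist=SPEEDTEST_NAMES):
    """Per client IP: the set of watchlisted names it asked the resolver for."""
    hits = defaultdict(set)
    for line in dns_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _, client, qname, _ = fields
        qname = qname.rstrip(".").lower()  # normalize trailing dot and case
        if qname in watchlist:
            hits[client].add(qname)
    return dict(hits)


def suspect_hosts(flow_text, dns_text, min_distinct=2):
    """Hosts that resolved a watchlisted name, or contacted at least
    `min_distinct` distinct watchlisted IPs. The threshold is an assumption:
    one visit to a single popular web server is normal; hitting several of
    the speed-test targets in a short window is not."""
    flow_hits = flows_to_watchlist(flow_text)
    dns_hits = dns_queries_to_watchlist(dns_text)
    suspects = {}
    for host in sorted(set(flow_hits) | set(dns_hits)):
        reasons = []
        fh = flow_hits.get(host)
        if fh and len(fh["dsts"]) >= min_distinct:
            reasons.append(f"{len(fh['dsts'])} speed-test IPs, {fh['bytes']} bytes")
        dh = dns_hits.get(host)
        if dh:
            reasons.append("resolved " + ", ".join(sorted(dh)))
        if reasons:
            suspects[host] = reasons
    return suspects


if __name__ == "__main__":
    for host, reasons in suspect_hosts(FLOWS, DNS_LOG).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed input, 10.1.2.3 is flagged on both counts, 10.1.2.9 never touches the watchlist, and 10.1.2.20 contacts one speed-test IP once and is reported by the flow matcher but not promoted to a suspect. Given the 4 second TTL Marty observed on the Stanford A record, the DNS matcher is the more stable of the two; the Snort content match on the FTP banner mentioned in the thread is a separate payload-level check not shown here.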
