Educause Security Discussion mailing list archives

Re: Phatbot


From: Mike Iglesias <iglesias () DRACO ACS UCI EDU>
Date: Fri, 19 Mar 2004 14:09:20 -0800

I haven't had one on my network (crossing fingers), but looking at those
knocking on the door has helped a bunch. Phatbot (now called Polybot by
most AV companies) tries to spread itself via an RPC-related
vulnerability via port 1025/tcp on remote hosts (among other methods).
It either favors or exclusively tries to spread within the /8 network
the infected host is on. Therefore, a rule looking for outbound SYN (no
other flags set) packets to destination port 1025/tcp on addresses in
the same /8 is a good start. An infected host will send quite a few of
these packets in a minute. If you see a host sending one or two of them
over a several minute span, it's not Polybot.

The infected systems on our network probed the /8 about 50-60% of the time.
The rest of the probes appear to be destined for AOL's 172.128.0.0/10
network.


Mike Iglesias                          Email:       iglesias () draco acs uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069
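The detection rule Mike describes (outbound SYN-only packets to destination port 1025/tcp, sent to addresses in the same /8 as the source, at a rate of many per minute rather than one or two over several minutes) can be run as a simple sliding-window count over flow records. The code below is an added example and is not part of the original post; the flow-record format, the IP addresses and the threshold of 10 candidate SYNs per 60-second window are constructed assumptions for illustration, not values from the post. It also reports, per flagged host, how many of its port-1025 probes stayed inside its own /8 versus going elsewhere, which is the split Mike observed on his network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PORT = 1025          # port the worm probes, per the post
SYN_ONLY_FLAGS = "S"        # SYN with no other flags set
BURST_THRESHOLD = 10        # assumption: candidate SYNs per window that count as a burst
WINDOW = timedelta(minutes=1)


def parse_flow(line):
    """Parse one constructed flow record: '<iso-timestamp> <src> <dst> <dport> <tcp-flags>'."""
    ts, src, dst, dport, flags = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "flags": flags,
    }


def same_slash8(a, b):
    """True when two IPv4 addresses share the same first octet (same /8)."""
    return a.packed[0] == b.packed[0]


def is_candidate(flow):
    """SYN-only packet to 1025/tcp whose destination lies in the source's own /8."""
    return (flow["dport"] == TARGET_PORT
            and flow["flags"] == SYN_ONLY_FLAGS
            and same_slash8(flow["src"], flow["dst"]))


def find_scanners(flows, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {src: peak_count} for sources whose candidate SYNs exceed the
    threshold inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for f in flows:
        if is_candidate(f):
            by_src[f["src"]].append(f["ts"])
    scanners = {}
    for src, times in by_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            scanners[str(src)] = peak
    return scanners


def probe_split(flows, src):
    """(in_slash8, elsewhere) counts of SYN-only port-1025 probes from one source."""
    src = ipaddress.ip_address(src)
    inside = outside = 0
    for f in flows:
        if f["src"] == src and f["dport"] == TARGET_PORT and f["flags"] == SYN_ONLY_FLAGS:
            if same_slash8(f["src"], f["dst"]):
                inside += 1
            else:
                outside += 1
    return inside, outside


def build_sample_flows():
    """Constructed flow records: one bursting host, one quiet host, and noise."""
    base = datetime(2004, 3, 19, 14, 0, 0)
    lines = []
    # bursting host: 20 SYN-only probes to its own /8 within 20 seconds ...
    for i in range(20):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 128.200.10.5 128.200.{30 + i}.7 1025 S")
    # ... then 10 probes into a different /8 (not counted by the same-/8 rule)
    for i in range(10):
        ts = base + timedelta(seconds=20 + i)
        lines.append(f"{ts.isoformat()} 128.200.10.5 172.{128 + i}.4.4 1025 S")
    # quiet host: two probes several minutes apart, which the post says is not the worm
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 128.200.12.8 128.200.50.1 1025 S")
    lines.append(f"{(base + timedelta(minutes=7)).isoformat()} 128.200.12.8 128.200.50.2 1025 S")
    # noise ignored by the rule: wrong port, and a non-SYN-only packet to 1025
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} 128.200.12.8 128.200.60.1 80 S")
    lines.append(f"{(base + timedelta(seconds=4)).isoformat()} 128.200.12.8 128.200.60.2 1025 PA")
    return lines


def detect(lines):
    """Parse records and return the hosts flagged as bursting scanners."""
    return find_scanners([parse_flow(l) for l in lines])


if __name__ == "__main__":
    sample = build_sample_flows()
    flows = [parse_flow(l) for l in sample]
    for host, peak in find_scanners(flows).items():
        inside, outside = probe_split(flows, host)
        print(f"{host}: {peak} same-/8 SYNs in one minute; "
              f"{inside} probes stayed in /8, {outside} went elsewhere")
```

Only the bursting host is reported; the quiet host with two probes five minutes apart stays below the threshold, matching the post's rule of thumb. In practice the threshold should be tuned against a baseline of normal port-1025 traffic on the network before alerting on it.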

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
