Educause Security Discussion mailing list archives

Re: "Stealth" Agobot/Gaobot?


From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 29 Apr 2004 12:06:38 -0500

Jeff Kell wrote:
Twice today I have seen indications of Agobot infections.  As has been
my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then
shut down the port.  But nmap indicates nothing other than 135/139/1025
and the scanning stops.

Is this a new "stealth bot" that shuts down or sleeps for a while if it
detects a scan?

This is getting creepy.

Jeff,

The new variant "W32/Gaobot.worm.ali"
(http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006)
has a function in it called do_stealth that is followed up with the
description "Bot - Enable Stealth".

I believe that answers your question and confirms your suspicions.

<humor mode="on">

I'll point out that I can't further verify how the do_stealth function
works because the malware contains the following statement:

"***ATTENTION*** This software is protected under international
copyright laws. Any attempt to dissassemble or alter this file is a
violation of international copyright law. The software is NOT intended
to be a virus or trojan."

I wonder what its intention is then? :-)

I also wonder what the ramifications are for redistributing this
copyrighted software. Perhaps the author will file "John Doe" lawsuits
against IP addresses infected with this worm? Remember, copyrighted
material does not need to explicitly state that you can't redistribute
without permission. These MP3s and movies that people get sued for
trading don't have those clauses in them...

</humor>

Anyway, I've only run strings on it so far and did not "dissassemble"
it, so hopefully the FBI and/or Interpol doesn't come take me away now...

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
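The triage step Brian describes (running strings over a quarantined sample and looking for telltale function names such as do_stealth and the "Bot - Enable Stealth" text) can be scripted so a responder gets a consistent answer for every sample handed in. The following is an added example and is not from the post or the list; it reimplements the printable-run extraction that strings performs, also pulls UTF-16LE strings that plain ASCII extraction would miss in Windows binaries, and matches the result against a small indicator list. The sample buffer is constructed for illustration and is not the Gaobot binary; the indicator names and the match_indicators helper are assumptions made for this example.

```python
"""Strings-style triage of a quarantined Windows sample (added example).

Not code from the original post. It mimics what `strings` does (extract runs
of printable bytes of a minimum length) and then matches the result against
capability indicators a responder would want to confirm before reimaging.
"""
import re
from typing import Dict, List

# Minimum run length; GNU strings uses 4 by default (-n 4).
MIN_LEN = 4

# Indicator categories (names are assumptions for this example). The
# do_stealth / "Bot - Enable Stealth" strings and the copyright banner are the
# ones quoted in the post.
INDICATORS = {
    "stealth_command": ["do_stealth", "Bot - Enable Stealth"],
    "fake_copyright_notice": ["***ATTENTION*** This software is protected"],
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len chars.

    ASCII: bytes 0x20-0x7e, like `strings` in its default mode.
    UTF-16LE: a printable ASCII byte followed by NUL, repeated; this is how
    many Windows binaries store text (GNU strings needs `-el` to see these).
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def match_indicators(strings: List[str],
                     indicators: Dict[str, List[str]] = INDICATORS) -> Dict[str, List[str]]:
    """Map each indicator category to the extracted strings containing one of its markers."""
    hits: Dict[str, List[str]] = {}
    for category, markers in indicators.items():
        matched = [s for s in strings if any(mk in s for mk in markers)]
        if matched:
            hits[category] = matched
    return hits


def triage(data: bytes) -> Dict[str, List[str]]:
    """Full pipeline: extract strings from the sample, then report indicator hits."""
    return match_indicators(extract_strings(data))


# Constructed sample: non-printable filler with the post's strings embedded.
# "Bot - Enable Stealth" is stored as UTF-16LE so that an ASCII-only pass
# would miss it; "ab" is deliberately too short to count as a string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                 # PE-like header bytes
    + b"\x12\x07\xfe" + b"do_stealth\x00"         # function name, ASCII
    + b"\x01\x02"
    + "Bot - Enable Stealth".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef"
    + b"***ATTENTION*** This software is protected under international copyright laws.\x00"
    + b"ab\x00"
)


if __name__ == "__main__":
    for category, matched in triage(SAMPLE).items():
        print(f"[{category}]")
        for s in matched:
            print(f"    {s}")
```

Run against a real sample with `triage(open(path, "rb").read())`; a hit in stealth_command is the signal to expect the host to stop scanning once it is probed, so block the port first and confirm the infection from host and flow logs rather than from a live nmap.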

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.