Educause Security Discussion mailing list archives
Re: "Stealth" Agobot/Gaobot?
From: Brian Eckman <eckman () UMN EDU>
Date: Thu, 29 Apr 2004 12:06:38 -0500
Jeff Kell wrote:
Twice today I have seen indications of Agobot infections. As has been my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then shut down the port. But nmap indicates nothing other than 135/139/1025 and the scanning stops. Is this a new "stealth bot" that shuts down or sleeps for awhile if it detects a scan? This is getting creepy.
Jeff,

The new variant "W32/Gaobot.worm.ali" (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125006) has a function in it called do_stealth that is followed up with the description "Bot - Enable Stealth". I believe that answers your question and confirms your suspicions.

<humor mode="on">

I'll point out that I can't further verify how the do_stealth function works because the malware contains the following statement:

"***ATTENTION*** This software is protected under international copyright laws. Any attempt to dissassemble or alter this file is a violation of international copyright law. The software is NOT intended to be a virus or trojan."

I wonder what its intention is then? :-)

I also wonder what the ramifications are for redistributing this copyrighted software. Perhaps the author will file "John Doe" lawsuits against IP addresses infected with this worm? Remember, copyrighted material does not need to explicitly state that you can't redistribute without permission. These MP3s and movies that people get sued for trading don't have those clauses in them...

</humor>

Anyway, I've only run strings on it so far and did not "dissassemble" it, so hopefully the FBI and/or Interpol doesn't come take me away now...

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota