URGENT: bot net with keylogger

[REN-ISAC <dodpears () INDIANA EDU>]

Dear all,

Security engineers at Indiana University have been involved in local discovery and investigation with others regarding 
a rapidly growing and particularly threatening bot network. Of URGENT CONCERN is that the client contains a keystroke 
logger. All keystrokes on the compromised machines are transmitted to a controlling IRCD. We've been able to observe 
traffic to one of at least 15 controlling IRCDs. That one IRCD was in control of over 12,000 clients. On the face, it 
appears that the network grew to that size in much less than one day, and 12,000 may represent just 1/15th of the 
network. We're in process of collaborating with other groups in analysis. There's no information to share regarding 
infection vector just yet. In the meantime, a useful and highly recommended response is for institutions to immediately 
locally block the DNS name that clients use to contact the IRCDs: et.bestexploiters.com. If you're able to log DNS 
requests you should be able to identify local compromised hosts. The REN-ISAC will be directly contacting the 
institutions home to observed compromised machines, and will provide host-specific information.

Regards,

Doug Pearson
Director, REN-ISAC
http://www.ren-isac.net
+1-812-855-3846
+1-812-325-3846 cell

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.