Educause Security Discussion mailing list archives

Re: URGENT: bot net with keylogger


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Mon, 5 Apr 2004 19:24:41 -0500

We can confirm the TCP port 8040. We have unconfirmed information from a third party:

- The file that carries the virus is C:\windows\system32\mssmgrd.exe which is a hidden file 70KB in size

- First it attempts to resolve et.bestexploiters.com

- Next it contacts each of the hosts that resolve to this on TCP port 8040 from TCP port 1219

- Each host that replies does so on TCP 8040 back to TCP 1219

- It then tries to contact all hosts on the local workgroup/domain and enumerate shares (it may do an ARP discover 
prior; difficult to derive from one capture)

- Next it attempts to connect to the hosts that replied to LANMAN requests via IPC shares (and probably others)

- Throughout, UDP port 69 remains open on the infected host for TFTP

Other advice is to aggressively track down compromised hosts and assume that any account/password, credit card, or 
other information that has been keyed into a compromised host is now in the hands of miscreants.


Doug Pearson
Director, REN-ISAC
http://www.ren-isac.net
+1-812-855-3846
+1-812-325-3846 cell




At 08:04 PM 4/5/2004 -0400, Kathy Bergsma wrote:
I used flow data to see what addresses on our network might be connecting to
addresses used by et.bestexploiters.com.  I found a few and they always
connected on TCP port 8040.

The addresses used for the domain appear to be dynamic.  As an alternative to
DNS poisoning, we're blocking outbound TCP port 8040 until we can get a better
handle on it.

Any other advice?

=============
Kathy Bergsma
UF Information Security Manager
352-392-2061

On Mon, 5 Apr 2004, REN-ISAC wrote:

Dear all,

Security engineers at Indiana University have been involved in local discovery
and investigation with others regarding a rapidly growing and particularly
threatening bot network. Of URGENT CONCERN is that the client contains a
keystroke logger. All keystrokes on the compromised machines are transmitted
to a controlling IRCD. We've been able to observe traffic to one of at least
15 controlling IRCDs. That one IRCD was in control of over 12,000 clients. On
the face, it appears that the network grew to that size in much less than one
day, and 12,000 may represent just 1/15th of the network. We're in process of
collaborating with other groups in analysis. There's no information to share
regarding infection vector just yet. In the meantime, a useful and highly
recommended response is for institutions to immediately locally block the DNS
name that clients use to contact the IRCDs: et.bestexploiters.com. If you're
able to log DNS requests you should be able to identify local compromised
hosts. The REN-ISAC will be directly contacting the institutions home to
observed compromised machines, and will provide host-specific information.

Regards,

Doug Pearson
Director, REN-ISAC
http://www.ren-isac.net
+1-812-855-3846
+1-812-325-3846 cell



--

Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
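The thread gives two ways to find local victims: Kathy's flow-data search for hosts talking to TCP port 8040, and Doug's suggestion to log DNS requests for et.bestexploiters.com. Below is an added example (written for this archive page, not code from REN-ISAC or either poster) that runs both checks over constructed sample data and combines them with the other host-observable indicators from Doug's reply (source port 1219, UDP/69 served by the infected host). The BIND-style query-log line shape and the CSV flow export format are assumptions; the IP addresses are made up.

```python
import csv
import io
import re
from collections import defaultdict

# Indicators taken from the thread above.
C2_DOMAIN = "et.bestexploiters.com"
C2_PORT = 8040          # TCP port the bot uses to reach the controlling IRCDs
BOT_SRC_PORT = 1219     # source port reported in the third-party analysis
TFTP_PORT = 69          # UDP/69 stays open on the infected host (it serves TFTP)

# Constructed sample data (not from the original post). DNS lines follow the
# BIND 9 query-log shape "client <ip>#<port>: query: <name> IN <type>"; the
# flow records are a simplified CSV export of the kind a flow collector or a
# packet capture summary would yield: src,sport,dst,dport,proto.
SAMPLE_DNS_LOG = """\
05-Apr-2004 18:12:03.101 client 10.8.1.23#1041: query: et.bestexploiters.com IN A
05-Apr-2004 18:12:04.220 client 10.8.1.40#1099: query: www.indiana.edu IN A
05-Apr-2004 18:13:11.004 client 10.8.2.77#1052: query: ET.BestExploiters.COM IN A
"""

SAMPLE_FLOWS = """\
src,sport,dst,dport,proto
10.8.1.23,1219,192.0.2.10,8040,tcp
10.8.1.40,3544,198.51.100.5,80,tcp
10.8.3.9,1219,192.0.2.11,8040,tcp
10.8.4.15,2201,203.0.113.7,8040,tcp
10.8.5.2,1043,10.8.1.23,69,udp
"""

DNS_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def dns_resolvers(log_text, domain=C2_DOMAIN):
    """Return the set of clients that asked the resolver for the C2 name.

    Comparison is case-insensitive and ignores a trailing dot, since the
    controllers' IP addresses are dynamic and the name is the stable indicator.
    """
    hits = set()
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == domain:
            hits.add(m.group("client"))
    return hits


def flow_indicators(flow_text):
    """Map host -> set of reason tags derived from flow records."""
    reasons = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_text)):
        sport, dport = int(row["sport"]), int(row["dport"])
        proto = row["proto"].lower()
        if proto == "tcp" and dport == C2_PORT:
            # Port 8040 alone can be legitimate traffic; the 1219 source port
            # seen in the capture makes the match much more specific.
            tag = "c2-tcp8040"
            if sport == BOT_SRC_PORT:
                tag += "-from-1219"
            reasons[row["src"]].add(tag)
        elif proto == "udp" and dport == TFTP_PORT:
            # The infected host is the TFTP *server*, so flag the destination.
            reasons[row["dst"]].add("tftp-udp69-served")
    return reasons


def triage(dns_text, flow_text):
    """Combine both sources. Returns host -> (confidence, sorted reason tags).

    A DNS query for the C2 name or an 8040 connection from source port 1219
    is treated as high confidence; a bare 8040 connection is queued for review.
    """
    reasons = flow_indicators(flow_text)
    for host in dns_resolvers(dns_text):
        reasons[host].add("dns-query-c2")
    strong_tags = {"dns-query-c2", "c2-tcp8040-from-1219"}
    return {
        host: ("high" if tags & strong_tags else "review", sorted(tags))
        for host, tags in reasons.items()
    }


if __name__ == "__main__":
    for host, (level, tags) in sorted(triage(SAMPLE_DNS_LOG, SAMPLE_FLOWS).items()):
        print(f"{host:<12} {level:<7} {', '.join(tags)}")
```

Because the domain's addresses change, the flow check keys on the port rather than on resolved IPs, which is also why the DNS log is the more reliable of the two sources once the name is blocked or sinkholed locally: every compromised host still asks for it. Hosts that land in "review" (port 8040 only) should be checked for the other host-level indicators in Doug's reply, such as the hidden mssmgrd.exe in system32, before being treated as compromised.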

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
