Educause Security Discussion mailing list archives
Re: URGENT: bot net with keylogger
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Mon, 5 Apr 2004 19:24:41 -0500
We can confirm the TCP port 8040. We have unconfirmed information from a third party: - The file that carries the virus is C:\windows\system32\mssmgrd.exe which is a hidden file 70KB in size - First it attempts to resolve et.bestexploiters.com - Next it contacts each of the hosts that resolve to this on TCP port 8040 from TCP port 1219 - Each host that replies does so on TCP 8040 back to TCP 1219 - It then tries to contact all hosts on the local workgroup/domain and enumerate shares (it may do an ARP discover prior; difficult to derive from one capture) - Next it attempts to connect to the hosts that replied to LANMAN requests via IPC shares (and probably others) - Throughout, UDP port 69 remains open on the infected host for TFTP Other advice is to aggressively track down compromised hosts and assume that any account/password, credit card, or other information that has been keyed into a compromised host is now in the hands of miscreants. Doug Pearson Director, REN-ISAC http://www.ren-isac.net +1-812-855-3846 +1-812-325-3846 cell At 08:04 PM 4/5/2004 -0400, Kathy Bergsma wrote:
I used flow data to see what addresses on our network might be connecting to addresses used by et.bestexploiters.com. I found a few and they always connected on TCP port 8040. The addresses used for the domain appear to be dynamic. As an alternative to DNS poisoning, we're blocking outbound TCP port 8040 until we can get a better handle on it. Any other advice? ============= Kathy Bergsma UF Information Security Manager 352-392-2061 On Mon, 5 Apr 2004, REN-ISAC wrote:Dear all, Security engineers at Indiana University have been involved in local discovery and investigation with others regarding a rapidly growing and particularly threatening bot network. Of URGENT CONCERN is that the client contains a keystroke logger. All keystrokes on the compromised machines are transmitted to a controlling IRCD. We've been able to observe traffic to one of at least 15 controlling IRCDs. That one IRCD was in control of over 12,000 clients. On the face, it appears that the network grew to that size in much less than one day, and 12,000 may represent just 1/15th of the network. We're in process of collaborating with other groups in analysis. There's no information to share regarding infection vector just yet. In the meantime, a useful and highly recommended response is for institutions to immediately locally block the DNS name that clients use to contact the IRCDs: et.bestexploiters.com. If you're able to log DNS requests you should be able to identify local compromised hosts. The REN-ISAC will be directly contacting the institutions home to observed compromised machines, and will provide host-specific information. Regards, Doug Pearson Director, REN-ISAC http://www.ren-isac.net +1-812-855-3846 +1-812-325-3846 cell
-- Doug Pearson; Indiana University; dodpears () indiana edu Phone: 812-855-3846; ViDeNet: 0018128553846 PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- URGENT: bot net with keylogger REN-ISAC (Apr 05)
- <Possible follow-ups>
- Re: URGENT: bot net with keylogger Doug Pearson (Apr 05)
- Re: Fwd: URGENT: bot net with keylogger Doug Pearson (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger T. Charles Yun (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Krulewitch, Sean (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Kathy Bergsma (Apr 09)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
(Thread continues...)