Educause Security Discussion mailing list archives
Re: Fwd: URGENT: bot net with keylogger
From: Doug Pearson <dodpears () INDIANA EDU>
Date: Thu, 8 Apr 2004 12:56:36 -0500
redirecting with permission...
Date: Thu, 8 Apr 2004 10:05:09 -0400 (EDT)
From: Kathy Bergsma <kathya () nersp nerdc ufl edu>
To: Doug Pearson <dodpears () indiana edu>
Cc: security () switch ch, wg-security () internet2 edu
Subject: Re: Fwd: URGENT: bot net with keylogger

Yesterday, our flow data showed attempts from compromised systems to connect to port 8040 on the following addresses. We are still logging attempts to the gatech address today. These systems were all blocked remotely and we block port 8040 locally, but our flow data still logs the attempts. Since et.bestexploiters.com no longer resolves, the intruder must be using a new domain. I'll see if I can learn the new domain from a sniff today.

128.61.164.122 hin-128-61-164-122.hinman.gatech.edu
129.244.129.84 <?>.utulsa.edu
129.244.30.149 <?>.utulsa.edu
203.71.132.210 <?>.ksut.edu.tw

On some, but not all, systems we found a file called keylog.txt in c:\windows\system32. We found a rootkit installed in CAROOT on one system. The system had multiple infections and our forensics aren't complete, so we're not sure if it was related to bestexploiters.

All compromises on our network were restricted to private IP that is protected with the established option, so my best guess for mode of compromise is that the users visited a malicious website with a vulnerable IE browser. Most of the compromised systems were from sorority houses. All but one were female. A Google search of bestexploiters produces some (now dead) pornography links.

Anyone else have any useful forensics?

=============
Kathy Bergsma
UF Information Security Manager
352-392-2061

On Tue, 6 Apr 2004, Doug Pearson wrote:

Working with Internet2 Abilene engineers and management, we chose to apply filters in the Abilene network to block traffic between Abilene and the botnet IRCD servers. Owners of the respective networks have been contacted regarding the action. At the time, all 15 known IRCD servers were at .edu's, both within and outside the U.S., and all reachable via Abilene.

The traffic blocks act as blackholes - the traffic from Abilene-connected hosts to the IRCDs will not reroute over the commercial Internet. The filters were applied ~11:50p CDT. At ~00:15a CDT, et.bestexploiters.com now resolves to a single host at 1.3.3.7. That's an "IANA Reserved" network, not sure if there's a workable IRCD there or not.

- Doug Pearson

Date: Mon, 05 Apr 2004 15:54:37 -0500
To: SECURITY () LISTSERV EDUCAUSE EDU, wg-security () internet2 edu
From: REN-ISAC <dodpears () indiana edu>
Subject: URGENT: bot net with keylogger

Dear all,

Security engineers at Indiana University have been involved in local discovery and investigation with others regarding a rapidly growing and particularly threatening bot network. Of URGENT CONCERN is that the client contains a keystroke logger. All keystrokes on the compromised machines are transmitted to a controlling IRCD.

We've been able to observe traffic to one of at least 15 controlling IRCDs. That one IRCD was in control of over 12,000 clients. On the face, it appears that the network grew to that size in much less than one day, and 12,000 may represent just 1/15th of the network.

We're in the process of collaborating with other groups in analysis. There's no information to share regarding infection vector just yet.

In the meantime, a useful and highly recommended response is for institutions to immediately locally block the DNS name that clients use to contact the IRCDs: et.bestexploiters.com. If you're able to log DNS requests you should be able to identify local compromised hosts.

The REN-ISAC will be directly contacting the institutions home to observed compromised machines, and will provide host-specific information.

Regards,
Doug Pearson
Director, REN-ISAC
http://www.ren-isac.net
+1-812-855-3846
+1-812-325-3846 cell

--
Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
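The two local detection signals the thread recommends, DNS requests for et.bestexploiters.com and flow records to the IRCD port 8040, applied to constructed sample logs. This is an added example, not code from the thread or from REN-ISAC; the BIND-style query-log layout, the comma-separated flow format and the 10.20.30.x local addresses are assumptions.

```python
"""Flag local hosts showing either botnet indicator named in the thread."""
import re
from collections import defaultdict

# Indicators taken from the thread: the C2 hostname and the IRCD port.
C2_DOMAIN = "et.bestexploiters.com"
IRCD_PORT = 8040

# Constructed sample lines in BIND query-log style (not real logs).
DNS_LOG = """\
08-Apr-2004 09:12:01.123 client 10.20.30.40#1034: query: et.bestexploiters.com IN A +
08-Apr-2004 09:12:05.456 client 10.20.30.41#1035: query: www.ufl.edu IN A +
08-Apr-2004 09:13:10.789 client 10.20.30.40#1036: query: ET.BestExploiters.COM. IN A +
"""

# Constructed flow records: src,dst,dport,proto (one per line). The
# destinations are the IRCD addresses Kathy Bergsma listed.
FLOW_LOG = """\
10.20.30.42,128.61.164.122,8040,tcp
10.20.30.41,128.227.1.1,80,tcp
10.20.30.42,129.244.129.84,8040,tcp
10.20.30.43,203.71.132.210,8040,tcp
"""

DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN")

def hosts_resolving(dns_log, domain=C2_DOMAIN):
    """Client IPs that queried the C2 name (case-insensitive, trailing dot ignored)."""
    hits = set()
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(2).rstrip(".").lower() == domain:
            hits.add(m.group(1))
    return hits

def hosts_on_port(flow_log, port=IRCD_PORT):
    """{src_ip: sorted dst IPs} for TCP flows to the IRCD port."""
    hits = defaultdict(set)
    for line in flow_log.splitlines():
        src, dst, dport, proto = line.split(",")
        if int(dport) == port and proto == "tcp":
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}

def suspects(dns_log=DNS_LOG, flow_log=FLOW_LOG):
    """Union of both signals: any local host with either indicator."""
    return sorted(hosts_resolving(dns_log) | set(hosts_on_port(flow_log)))

if __name__ == "__main__":
    print(suspects())
```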