Re: keylogger bots on #!!edu2k4

["Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>]

While the following heuristic is 
trivial to change, the bots in these
networks tend to have the following
nick-naming schemes:

[EDU]-###### 
; (######= 3-5 numbers)

Here's how a few keystrokes are presented:

Enter = (Return)
Tab     = [TAB]
Arrow Down      = [Down]
Change Windows = (Changed window)

This might useful information to toss into
your IDS.

~cam.

Cam Beasley
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of REN-ISAC
> Sent: Thursday, April 08, 2004 09:31
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] keylogger bots on #!!edu2k4
>
>
> Dear security@educause,
>
> IU IT Security Office engineers discovered a keylogger bot 
> herd on a public IRC server, channel #!!edu2k4. The channel 
> has been shutdown two times on different IRC networks. The 
> channel is expected to resurface on another server. If you 
> have the capability, you may wish to monitor local network 
> traffic for #!!edu2k4, and clean identified clients. REN-ISAC 
> was given a list of ~50 botted machines, we'll be directly 
> contacting those sites.
>
> Regards,
>
> Doug Pearson
> Research and Education Networking ISAC
> http://www.ren-isac.net
> +1(812)855-3846
> +1(812)325-3846 cell
>
> **********
> Participation and subscription information for this EDUCAUSE 
> Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.