Educause Security Discussion mailing list archives
Re: Fwd: URGENT: bot net with keylogger
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 12 Apr 2004 14:37:15 -0400
Dave Monnier, IT Security Office, Indiana University wrote:
> Gary, That is the same. I've identified that same location and file as the source of the #!!edu2k4 botnet. There is also an info.exe at that same location the attacker "itr" is using to gather information about the hosts after they have gained access to the machine.
I found that info.exe file on one of the machines here too. I hope I didn't ruin somebody's investigation by posting that site info. I thought it might be important for people to know to block that site. I'm seeing incoming IM messages carrying that link on an ongoing basis now. It's hard to know when to keep quiet about sources and details to aid law enforcement and when to post information that may keep more machines from being compromised.

Do you have any information on the traffic to the IDENT port? I assume it's a remote control trojan of some sort. We can't block incoming IDENT outright because some sites won't let clients connect without it. The IDP is blocking IDENT traffic that is out of spec in some way, but I'd like to get more info on the actual traffic to create a specific attack signature.

Also, any details on keylog files? After looking for date-related files and watching a Filemon output from the aim1.exe didn't turn up anything, I'm resorting to full disk searches for strings I know were sent out because they showed up in our snort logs. But I still haven't found anything. I guess next, I'll have to look at deleted files. Sorry to repeat myself, but it sure would be nice to have a handle on what information was compromised if there is any additional information out there on format or location of keylog files.

These Netscreen IDPs we just put in have just paid for themselves as far as I'm concerned. I told them to look in the "AOL Info Text" field for the string that infected clients are sending and, poof!, no more incoming messages. Five minutes work. Of course, if the string changes, we start all over again, but nothing is perfect. They're doing the same thing to outgoing web requests. And while I was doing that, they stopped a network scan, a follow-up brute force login attempt across several systems, and then told me the same host was attempting to login as root to several other systems. Now all I have to do is keep up with it.

:)

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
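A small helper in the spirit of the full-disk string search described in the post above. This is an added example, not code from the post or from any tool the thread mentions: it scans a file (or raw disk image) in fixed-size chunks for a list of byte strings, such as ones observed leaving a host in IDS logs, and reports their absolute offsets, carrying over the tail of each chunk so a match that straddles a chunk boundary is not missed. The marker strings and the sample file are constructed placeholders, not values from the incident.

```python
import os
import tempfile


def find_strings_in_file(path, needles, chunk_size=1 << 20):
    """Return {needle: [absolute offsets]} for every occurrence of each needle.

    The file is read in chunks so arbitrarily large files (or raw disk images)
    can be scanned; the last len(longest needle) - 1 bytes of each chunk are
    carried over so a match that straddles a chunk boundary is still found.
    """
    needles = [n for n in needles if n]
    if not needles:
        return {}
    overlap = max(len(n) for n in needles) - 1
    hits = {n: [] for n in needles}
    with open(path, "rb") as f:
        carry = b""   # tail of the previous chunk
        base = 0      # absolute file offset of buf[0]
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            buf = carry + block
            for n in needles:
                start = 0
                while (i := buf.find(n, start)) != -1:
                    # A match that ends inside the carried-over tail lay entirely
                    # in the previous buffer and was already reported there.
                    if i + len(n) > len(carry):
                        hits[n].append(base + i)
                    start = i + 1
            carry = buf[-overlap:] if overlap else b""
            base += len(buf) - len(carry)
    return hits


def demo(chunk_size=1024):
    """Constructed sample: the first marker straddles the 1024-byte chunk boundary."""
    data = b"x" * 1021 + b"MARKER_ONE" + b"y" * 500 + b"MARKER_TWO" + b"z" * 10
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.dat")
        with open(path, "wb") as f:
            f.write(data)
        return find_strings_in_file(path, [b"MARKER_ONE", b"MARKER_TWO"], chunk_size)


if __name__ == "__main__":
    for needle, offsets in demo().items():
        print(needle.decode(), offsets)
```

Pointing it at a raw device or image file rather than a mounted filesystem also covers slack space and deleted-but-unoverwritten content, which a file-by-file search would miss.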