Educause Security Discussion mailing list archives
Re: bestfriends.scr AIM virus
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Sun, 23 Jan 2005 14:26:57 -0600
other common IRC networks of late are:

  o Hacked.net
  o Cronation.net

~cam.

-----Original Message-----
From: Cam Beasley, ISO
Sent: 2005, January 23, Sunday 14:24
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: RE: [SECURITY] bestfriends.scr AIM virus

there are several greenpeace.org IRC servers.. might want to be a little less specific:

  alert tcp $HOME_NET !21:80 <> $EXTERNAL_NET !80 (content:"greenpeace.org"; nocase; tag:session,20,packets; msg:"Possible RogueIRC [GREENPEACE]"; classtype:trojan-activity;)

several other IRC sigs apply as well..

~cam.

Cam Beasley
Sr. InfoSec Analyst
Information Security Office
University of Texas at Austin
cam () austin utexas edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of RLVaughn
Sent: 2005, January 22, Saturday 16:49
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Apologies for top posting:
---------
I've asked Gadi Evron to look into this. He strongly suspects Albany.NYC.Greenpeace.org and its currently associated IP of 81.91.66.220 to be a Command and Control for a bot drone army. A rDNS search on the above IP yields ns1.mondomix-planet.com as the PTR record.

Gadi supplies the following snort signatures and report of his detective work:

Snort:

  alert tcp any any -> any any (msg:"suspectedbotnet/educause by Gadi Evron"; content:"Albany.NYC.Greenpeace.org";)
  alert tcp $HOME_NET any -> 81.91.66.220 6667 (msg:"suspectedbotnet/educause by Gadi Evron";)

IRC C&C session:

  [19:04:28] *** Connecting to 81.91.66.220 (6667)
  - Welcome to the NYCNet IRC Network |eS|00267!
  <snip by rlv>
  Your host is Albany.NYC.Greenpeace.org, running version Unreal3.2.2
  This server was created Mon Jan 10 2005 at 22:26:53 CET
  Albany.NYC.Greenpeace.org Unreal3.2.2 iowghraAsORTVSxNCWqBzvdHtGplvhopsmntikrRcaqOALQbSeKVfMGCuzNT
  SAFELISTHCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS WATCH=128 are supported by this server
  SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=NYCNet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
  - There are 1 users and 580 invisible on 1 servers
  - Local host: <snip>
  - 1 operator(s) online
  67 unknown connection(s)
  3 channels formed
  I have 581 clients and 0 servers
  - Current Local Users: 581  Max: 1014
  Current Global Users: 581  Max: 1014
  - MOTD File is missing
  - [19:04:30] *** |eS|00267 sets mode: +iB
  - *** No one in your notify list is on IRC

Regards,
Randal Vaughn
Professor
Baylor University

Saturday, January 22, 2005, 12:44:42 AM, Brandie wrote:
---------
We have Tipping Point and at about 10:00 last night multiple machines began doing user enumeration. By today they were hitting ports 135 and 139 with login attempts, rpc scans, etc.

We looked at 3 of the infected machines and found:

  1) all Windows 2000
  2) all had an entry under HKLM/software/microsoft/windows/currentversion/run and /runservices and the User tab of these two paths - titled WindowsSP2.exe
  3) the %sysdir%/system32/ had a file named msgfix.exe

Once we had this information we found Sophos had it named sdbot.QT and seems to be the only AV vendor with a signature for it.

On further Tipping Point inspection we found all the infected machines and more to have received an IRC registration response from one IP address which we have since blocked at the border.

Thought I would send this info along in case it is relevant and helps anyone.

Brandie Anderson, CISSP, MCSE, CNA
Information Security Officer
Texas Tech University

________________________________
From: The EDUCAUSE Security Discussion Group Listserv on behalf of Jason Richardson
Sent: Fri 1/21/2005 5:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Just blocked about 20 machines doing the same thing on our Res Net - all port 139.

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich () niu edu

brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
Correction: it was port 139. Started at 11:00 AM Eastern today.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
Sent: Friday, January 21, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] bestfriends.scr AIM virus

Do you know if this one has any other characteristics to watch for? We caught a dramatic increase in port 135 scans originating from the RESNET this morning. Before today, all was quiet, so I'm wondering if there might be a connection.

Thanks,
Jason Brooks

Jason Brooks
Information Security Technician
Longwood University
201 High Street
Farmville, VA 23909
(434) 395-2034
mailto:brooksje () longwood edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Friday, January 21, 2005 11:22 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr AIM virus

Be on the lookout for this one as we are seeing a lot of this. There is a snort rule for it. If you notice traffic going to 81.91.66.220, you probably have infected hosts. There are several strains going around as we have had to update McAfee 3 times.

More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
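The thread's posters judged the server from the registration replies it sent (the 001-005 numerics, the user counts and the missing MOTD) and from its name. The following is an added example, not code from the thread or from any of its posters: it parses those numerics from raw IRC wire format and scores a server against the same indicators. The sample banner is constructed, modelled on the session quoted above but rewritten as raw server lines with a placeholder nick and host; the watchlist, the thresholds and the benign comparison banner are assumptions chosen for illustration.

```python
"""Heuristic triage of an IRC server registration banner (added example).

Parses the numeric replies a server sends right after a client registers
(001 welcome ... 255 luserme, and 422 "no MOTD") and flags the traits the
EDUCAUSE thread used as rogue-IRC indicators: a watch-listed server name,
almost all users invisible, many half-open "unknown" connections, no MOTD.
"""
import re

# Constructed sample modelled on the session quoted in the thread, in raw
# IRC format (":<server> <numeric> <nick> <params>"). "nick" and the
# user@host are placeholders, not values from the capture.
SAMPLE_BANNER = """\
:Albany.NYC.Greenpeace.org 001 nick :Welcome to the NYCNet IRC Network nick!user@example.invalid
:Albany.NYC.Greenpeace.org 002 nick :Your host is Albany.NYC.Greenpeace.org, running version Unreal3.2.2
:Albany.NYC.Greenpeace.org 004 nick Albany.NYC.Greenpeace.org Unreal3.2.2 iowghraAsORTVSxNCWqBzvdHtGplvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:Albany.NYC.Greenpeace.org 005 nick NETWORK=NYCNet CASEMAPPING=ascii :are supported by this server
:Albany.NYC.Greenpeace.org 251 nick :There are 1 users and 580 invisible on 1 servers
:Albany.NYC.Greenpeace.org 252 nick 1 :operator(s) online
:Albany.NYC.Greenpeace.org 253 nick 67 :unknown connection(s)
:Albany.NYC.Greenpeace.org 254 nick 3 :channels formed
:Albany.NYC.Greenpeace.org 255 nick :I have 581 clients and 0 servers
:Albany.NYC.Greenpeace.org 422 nick :MOTD File is missing
"""

# Constructed benign comparison: an ordinary server with a real MOTD.
BENIGN_BANNER = """\
:irc.example.invalid 004 nick irc.example.invalid Unreal3.2.2 iowghraAs
:irc.example.invalid 005 nick NETWORK=ExampleNet :are supported by this server
:irc.example.invalid 251 nick :There are 1200 users and 300 invisible on 4 servers
:irc.example.invalid 253 nick 2 :unknown connection(s)
:irc.example.invalid 254 nick 150 :channels formed
:irc.example.invalid 375 nick :- irc.example.invalid Message of the Day -
"""

# Domains the thread names as hosting rogue IRC servers; Cam's point is to
# match the domain rather than one hostname. Assumed list, extend locally.
WATCHLIST = ("greenpeace.org", "hacked.net", "cronation.net")

LINE_RE = re.compile(r"^:(?P<prefix>\S+) (?P<num>\d{3}) (?P<rest>.*)$")


def parse_banner(text):
    """Extract server name, version, network, user counts and MOTD state."""
    facts = {"server": None, "version": None, "network": None,
             "visible": None, "invisible": None, "unknown": None,
             "channels": None, "motd_missing": False}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        num, rest = m.group("num"), m.group("rest")
        if num == "004":                       # 004 <nick> <server> <version> <umodes> ...
            parts = rest.split()
            if len(parts) >= 3:
                facts["server"], facts["version"] = parts[1], parts[2]
        elif num == "005":                     # ISUPPORT tokens, e.g. NETWORK=NYCNet
            for tok in rest.split():
                if tok.startswith("NETWORK="):
                    facts["network"] = tok.split("=", 1)[1]
        elif num == "251":                     # "There are N users and M invisible ..."
            m2 = re.search(r"There are (\d+) users and (\d+) invisible", rest)
            if m2:
                facts["visible"], facts["invisible"] = int(m2.group(1)), int(m2.group(2))
        elif num in ("253", "254"):            # "<nick> <count> :unknown connection(s)" / channels
            m2 = re.match(r"\S+ (\d+)", rest)
            if m2:
                facts["unknown" if num == "253" else "channels"] = int(m2.group(1))
        elif num == "422":                     # ERR_NOMOTD
            facts["motd_missing"] = True
    return facts


def score_banner(facts, watchlist=WATCHLIST):
    """Return (score, reasons); each reason is one matched rogue-IRC trait.

    Thresholds are assumptions for illustration. Many legitimate networks set
    +i by default, so the invisible ratio alone is weak evidence; it is the
    combination that the thread's analysis relied on.
    """
    reasons = []
    server = (facts["server"] or "").lower()
    if any(w in server for w in watchlist):
        reasons.append("server name on watchlist: %s" % facts["server"])
    vis, inv = facts["visible"], facts["invisible"]
    if vis is not None and inv is not None and inv >= 100 and inv > 20 * max(vis, 1):
        reasons.append("%d invisible users vs %d visible" % (inv, vis))
    if facts["unknown"] is not None and facts["unknown"] >= 50:
        reasons.append("%d unknown (unregistered) connections" % facts["unknown"])
    if facts["motd_missing"]:
        reasons.append("no MOTD configured")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, banner in (("sample", SAMPLE_BANNER), ("benign", BENIGN_BANNER)):
        score, reasons = score_banner(parse_banner(banner))
        print(name, score, reasons)
```

Feed it the server side of a captured IRC session (the same bytes a `tag:session` rule would hand you) to turn a raw banner into a short list of reasons for or against escalating the host.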