Security Incidents mailing list archives

Re: Follow-up on the Botnet incident.


From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Wed, 16 Aug 2000 12:32:14 -0500

Pierre,

Thanks for the input, but, perhaps unfortunately, we aren't the infected
host.  As mentioned in both posts, we were experiencing hundreds of
connections to our IRC network -from- infected hosts.  I will guess that the
infected parties haven't run any virus checkers on their systems, or they
would have (possibly) been able to isolate the Trojan.  If we can find a
'safe' and non-intrusive way to alert the folks who've been infected, we
certainly will.

If we can isolate the Trojan on these infected systems, I'll be sure to make
the program available for people if they want to analyze it.  Same for the
encryption.  I have had several offers for assistance in decrypting the
traffic, and I'll be sending the appropriate logs to those people as soon as
I can.

Thanks,
Mike

PS.  If this thread is getting off-topic for the list, let me know and I'll
drop it.

-----Original Message-----
From: Pierre Vandevenne [mailto:pierre () datarescue com]
Sent: Tuesday, August 15, 2000 3:20 PM
To: INCIDENTS () SECURITYFOCUS COM; PARKIN, MICHAEL M (PBI)
Subject: Re: Follow-up on the Botnet incident.


On Mon, 14 Aug 2000 14:11:52 -0500, PARKIN, MICHAEL M (PBI) wrote:

How to defend against them?  Like any other DDoS, I'm sure defense
is difficult, but if these bots are anything like Sub7 (in fact, I realize
they may be a new variant of Sub7) it may be possible to disinfect the
hosts.

Comments?

I imagine you ran a good up-to-date anti-virus and it came up clean?

When you are infected by a possible new trojan, you must absolutely get
a sample. One way to achieve this is to use a program such as ZoneAlarm
or the recently released TDImon from http://www.sysinternals.com. These
programs will allow you to discover the process that is generating the
traffic.

9       62.50008320     Pmmailw 00040003        TDI_SEND_DATAGRAM       UDP:0.0.0.0:1025        195.0.122.232:53        SUCCESS Length:37

(Here, my mail program querying our DNS, for example)

Once you have the name of the process, it is fairly easy to identify
the file(s) involved and monitor their activity through regmon and
filemon (same url).

Disinfection is simply a matter of undoing the changes the trojan made
(to autostart itself, other file modifications, etc.).

Detection involves finding a signature in the files that is specific to
the trojan (i.e. doesn't have false positives) and sensitive (i.e. doesn't
have false negatives).

Discovering what the trojan does is a matter of observation, source
study or reverse engineering if the source is not available.

Anti-virus labs will be most interested in receiving the files, doing
an analysis and providing you with a solution - you could also send the
bot our way and we'll be glad to have a look.




---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
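Added example, not part of either message in this thread: a small Python script that does the triage step Pierre describes, i.e. reading TDImon-style lines like the one quoted above and working out which process is talking to which remote host and port, so the suspect process can then be followed up with filemon/regmon. The field layout (sequence, time, process, handle, operation, local endpoint, remote endpoint, result, optional extra) is inferred from the single quoted line and is an assumption; the sample log, the process name "sysupd" and the addresses are constructed for the example, and the IRC port list is an assumption to be tuned locally.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class TdiEvent(NamedTuple):
    seq: int
    time: float
    process: str
    operation: str
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    result: str


# Constructed sample in the TDImon layout seen in the thread. The first line
# is the DNS query from the message; the rest are made up for illustration
# (the process name "sysupd" and the addresses are placeholders, not IoCs).
SAMPLE_LOG = """\
9\t62.50008320\tPmmailw\t00040003\tTDI_SEND_DATAGRAM\tUDP:0.0.0.0:1025\t195.0.122.232:53\tSUCCESS\tLength:37
10\t62.61002210\tExplorer\t00040011\tTDI_CONNECT\tTCP:0.0.0.0:1031\t192.0.2.10:80\tSUCCESS
11\t63.00001000\tsysupd\t00040020\tTDI_CONNECT\tTCP:0.0.0.0:1032\t198.51.100.7:6667\tSUCCESS
12\t63.12000000\tsysupd\t00040020\tTDI_SEND\tTCP:0.0.0.0:1032\t198.51.100.7:6667\tSUCCESS\tLength:48
13\t64.00000000\tsysupd\t00040021\tTDI_CONNECT\tTCP:0.0.0.0:1033\t198.51.100.8:6667\tSUCCESS
"""

# Endpoint fields look like "UDP:0.0.0.0:1025" (local) or "195.0.122.232:53" (remote).
_ENDPOINT = re.compile(r"^(?:(?P<proto>TCP|UDP):)?(?P<ip>[\d.]+):(?P<port>\d+)$")

# Operations that mean "this process sent something out" (assumed set).
OUTBOUND_OPS = {"TDI_CONNECT", "TDI_SEND", "TDI_SEND_DATAGRAM"}


def _split_endpoint(field: str) -> Optional[Tuple[Optional[str], str, int]]:
    m = _ENDPOINT.match(field)
    if m is None:
        return None
    return m.group("proto"), m.group("ip"), int(m.group("port"))


def parse_line(line: str) -> Optional[TdiEvent]:
    """Parse one TDImon-style line; returns None for lines that don't fit."""
    parts = re.split(r"\s+", line.strip())  # fields contain no spaces
    if len(parts) < 8:
        return None
    seq, ts, process, _handle, op, local, remote, result = parts[:8]
    loc, rem = _split_endpoint(local), _split_endpoint(remote)
    if loc is None or rem is None or not seq.isdigit():
        return None
    proto, lip, lport = loc
    _, rip, rport = rem
    return TdiEvent(int(seq), float(ts), process, op, proto or "?",
                    lip, lport, rip, rport, result)


def parse_log(text: str) -> List[TdiEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def peers_by_process(events: List[TdiEvent]) -> Dict[str, Set[Tuple[str, str, int]]]:
    """Distinct (proto, remote ip, remote port) each process successfully sent to."""
    peers: Dict[str, Set[Tuple[str, str, int]]] = defaultdict(set)
    for ev in events:
        if ev.operation in OUTBOUND_OPS and ev.result == "SUCCESS":
            peers[ev.process].add((ev.proto, ev.remote_ip, ev.remote_port))
    return dict(peers)


def suspicious_processes(events: List[TdiEvent],
                         watch_ports: frozenset = frozenset({6667})) -> Dict[str, List[str]]:
    """Processes that reached a watched port (IRC by default; tune locally)."""
    flagged: Dict[str, List[str]] = {}
    for proc, peers in peers_by_process(events).items():
        hits = sorted(f"{p}:{ip}:{port}" for p, ip, port in peers if port in watch_ports)
        if hits:
            flagged[proc] = hits
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for proc, peers in peers_by_process(evs).items():
        print(f"{proc}: {len(peers)} remote endpoint(s)")
    print("follow up with filemon/regmon:", suspicious_processes(evs))
```

The output only names a process to look at next; whether that process is the trojan still has to be confirmed by watching its file and registry activity, as the message says.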

