Security Incidents mailing list archives
Re: Follow-up on the Botnet incident.
From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Wed, 16 Aug 2000 12:32:14 -0500
Pierre,

Thanks for the input, but, perhaps unfortunately, we aren't the infected host. As mentioned in both posts, we were experiencing hundreds of connections to our IRC network -from- infected hosts. I will guess that the infected parties haven't run any virus checkers on their systems, or they would have (possibly) been able to isolate the Trojan. If we can find a 'safe' and non-intrusive way to alert the folks who've been infected, we certainly will.

If we can isolate the Trojan on these infected systems, I'll be sure to make the program available for people if they want to analyze it. Same for the encryption. I have had several offers for assistance in decrypting the traffic, and I'll be sending the appropriate logs to those people as soon as I can.

Thanks,
Mike

PS. If this thread is getting off-topic for the list, let me know and I'll drop it.

-----Original Message-----
From: Pierre Vandevenne [mailto:pierre () datarescue com]
Sent: Tuesday, August 15, 2000 3:20 PM
To: INCIDENTS () SECURITYFOCUS COM; PARKIN, MICHAEL M (PBI)
Subject: Re: Follow-up on the Botnet incident.

On Mon, 14 Aug 2000 14:11:52 -0500, PARKIN, MICHAEL M (PBI) wrote:
How to defend against them? Like any other DDoS, I'm sure defense is difficult, but if these bots are anything like Sub7 (in fact, I realize they may be a new variant of Sub7) it may be possible to disinfect the hosts. Comments?
I imagine you ran a good up-to-date anti-virus and it came up clean? When you are infected by a possible new trojan, you must absolutely get a sample. One way to achieve this is to use a program such as ZoneAlarm or the recently released TDImon from http://www.sysinternals.com. These programs will allow you to discover the process that is generating the traffic.

9 62.50008320 Pmmailw 00040003 TDI_SEND_DATAGRAM UDP:0.0.0.0:1025 195.0.122.232:53 SUCCESS Length:37

(Here, my mail program querying our DNS, for example.)

Once you have the name of the process, it is fairly easy to identify the file(s) involved and monitor their activity through Regmon and Filemon (same URL). Disinfection is simply a matter of undoing the changes the trojan made (to autostart itself, other file modifications, etc.). Detection involves finding a signature in the files that is specific to the trojan (i.e. doesn't have false positives) and sensitive (i.e. doesn't have false negatives). Discovering what the trojan does is a matter of observation, source study, or reverse engineering if the source is not available. Anti-virus labs will be most interested in receiving the files, doing an analysis and providing you with a solution - you could also send the bot our way and we'll be glad to have a look.

---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler
http://www.datarescue.com/idabase/ida.htm
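The two analysis steps Pierre describes above, finding the process behind the suspect traffic from TDImon-style output and then deriving a signature that is both specific and sensitive, as an added worked example. This code is not from either poster or from Sysinternals/DataRescue. The TDImon column layout is assumed from the single line quoted in the mail (seq, time, process, handle, operation, local, remote, result, optional detail); the log lines, the process name `sysupd`, the addresses, the IRC port list and the byte samples are all constructed for the example.

```python
"""Triage helpers for a suspected IRC-bot infection (added example, not the
original poster's code). Step 1 finds which process talks to IRC ports in a
TDImon-style log; step 2 picks byte strings that occur in every infected
sample (sensitive) and in no clean sample (specific)."""
import re
from collections import defaultdict

# IRC rendezvous ports a bot would typically use (assumption for the example).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample log. Column layout is assumed from the one TDImon line
# quoted in the post; the process "sysupd" and the addresses are invented.
SAMPLE_TDIMON_LOG = """\
9 62.50008320 Pmmailw 00040003 TDI_SEND_DATAGRAM UDP:0.0.0.0:1025 195.0.122.232:53 SUCCESS Length:37
10 62.61002100 Pmmailw 00040003 TDI_RECEIVE_DATAGRAM UDP:0.0.0.0:1025 195.0.122.232:53 SUCCESS Length:120
11 63.00140000 sysupd 00040011 TDI_CONNECT TCP:0.0.0.0:1031 192.0.2.10:6667 SUCCESS
12 63.10200000 sysupd 00040011 TDI_SEND TCP:0.0.0.0:1031 192.0.2.10:6667 SUCCESS Length:48
13 70.22000000 iexplore 00040020 TDI_CONNECT TCP:0.0.0.0:1032 198.51.100.7:80 SUCCESS
14 71.00000000 sysupd 00040011 TDI_SEND TCP:0.0.0.0:1031 192.0.2.10:6667 SUCCESS Length:22
15 71.30000000 sysupd 00040011 TDI_RECEIVE TCP:0.0.0.0:1031 192.0.2.10:6667 SUCCESS Length:61
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<process>\S+)\s+(?P<handle>\S+)\s+"
    r"(?P<op>\S+)\s+(?P<proto>TCP|UDP):(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<result>\S+)(?:\s+(?P<detail>.*))?$"
)


def parse_tdimon(text):
    """Parse TDImon-style lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        host, _, port = ev["remote"].rpartition(":")
        ev["remote_host"], ev["remote_port"] = host, int(port)
        events.append(ev)
    return events


def suspect_processes(events, ports=IRC_PORTS):
    """Map each process that successfully talked to a suspect port to the
    remote endpoints it used. Failed operations are ignored to cut noise."""
    hits = defaultdict(set)
    for ev in events:
        if ev["result"] == "SUCCESS" and ev["remote_port"] in ports:
            hits[ev["process"]].add(ev["remote"])
    return {proc: sorted(eps) for proc, eps in hits.items()}


def candidate_signatures(infected, clean, length=8):
    """Return the byte strings of `length` bytes present in every infected
    sample (no false negatives) and absent from every clean sample (no false
    positives among the clean set), sorted for stable output."""
    def ngrams(blob):
        return {blob[i:i + length] for i in range(len(blob) - length + 1)}
    common = set.intersection(*(ngrams(b) for b in infected))
    for blob in clean:
        common -= ngrams(blob)
    return sorted(common)


# Constructed stand-ins for the bot binary and for legitimate IRC clients.
# The IRC verb "PRIVMSG" appears in bot and clean client alike, so it must be
# rejected as a signature; the invented marker "bot-ctl-v1" must survive.
INFECTED_SAMPLES = [
    b"MZ\x90\x00\x01\x02\x03PRIVMSG #chan :\x11\x22bot-ctl-v1\x00\xaa\xbb",
    b"MZ\x90\x00\x04\x05\x06\x07bot-ctl-v1\x00\x33PRIVMSG #chan :\xcc",
    b"MZ\x90\x00bot-ctl-v1\x00\x44\x55\x66PRIVMSG #chan :",
]
CLEAN_SAMPLES = [
    b"MZ\x90\x00\x77\x88PRIVMSG #chan :NOTICE",
    b"MZ\x90\x00\x99JOIN #QUIT",
]

if __name__ == "__main__":
    for proc, eps in suspect_processes(parse_tdimon(SAMPLE_TDIMON_LOG)).items():
        print(f"{proc}: {', '.join(eps)}")
    for sig in candidate_signatures(INFECTED_SAMPLES, CLEAN_SAMPLES):
        print(sig)
```

The signature step deliberately feeds a clean IRC client alongside the infected samples: with a botnet built on IRC, the protocol strings a naive approach would pick up are exactly the ones shared with legitimate clients, and only the per-sample comparison removes them. In practice the clean set should be as large as possible, since a string absent from two clean files is not yet evidence of specificity.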
Current thread:
- Follow-up on the Botnet incident. PARKIN, MICHAEL M (PBI) (Aug 15)
- <Possible follow-ups>
- Re: Follow-up on the Botnet incident. Pierre Vandevenne (Aug 18)
- Re: Follow-up on the Botnet incident. PARKIN, MICHAEL M (PBI) (Aug 18)