RE: Malware/trojan attacks

[lucretias <lucretias () shaw ca>]

Harlan

> Just out of curiosity, what are you seeing that leads you to
> say this?  I'm not sure that I see anything in Richard's
> original email that suggests a rootkit at this point.

I have seen broken or failed attempts that resemble this.  Not identical or
using the same IP's, but using a trojan to infect, then quickly get the
backdoors in place, but they don't work or may not work.  I don't know if it
is part of a rootkit, or other malware, it simply reminded me of this event
so I thought I'd mention it.

> > You should determine (if possible) what rootkit has infected the
> > machine.
> > It sounds like a new variant or perhaps a new tool altogether.
>
> Again, what leads you to think this, if you don't mind me asking?

What leads me to ask to check for rootkits?  Well there is a variety of
software available that can do this.  Why not?  Maybe something (else)
suspicious will pop up.

I wasn't trying to be conclusive, just making a suggestion.  Sorry if anyone
misunderstood as a result.

> > I would suggest wiping the box and rebuilding it if you cannot
> > determine exactly what is the culprit or any way to clean it.
>
> Hhhmmm...if it is a rootkit, then perhaps wiping/reinstalling
> may be the way to go, but I'd suggest further investigation
> and a root cause analysis first.  Even if Richard were to
> find out what the malware is (looks like an IRCbot at this
> point), without a root cause analysis (and subsequent actions
> as a result), the system will likely be reinfected all over again.

I'd agree.  Further analysis is warranted.

But if it was a simple trojan a detection and clean would solve the problem.
Since there appears to be some unknown variables still suspect, I'd look at
it like a rootkit, if it turns into a simple spam or ddos tool then so be
it.  If it's a bot, then that is like many, many different malwares...what
the bot does is certainly more important.


Cheers,

James Friesen, CIO
Lucretia Enterprises
Our World Is Here
info at lucretia dot ca
http://lucretia.ca




------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. 
World renowned security experts reveal tomorrow's threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------