RE: NANOG wins a bot

["Matt Levine" <matt () deliver3 com>]

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of Rob Thomas
> Sent: Monday, June 17, 2002 9:22 PM
> To: NANOG
> Subject: NANOG wins a bot
>
>
>
> Hi, all.
>
> This evening the NANOG mailing list received e-mail from a 
> "jim bruer,"
> aka jim_teh_man () yahoo com.  This e-mail, with a topic of "ConfigMaker
> Beta" (a Cisco product) included an attachment labelled as
> "cisco_configmaker.exe."  This is actually a war bot known as 
> Slackbot,
> version 1.0.  This bot attempts to connect to the IRC server
> irc.easynews.com, 140.99.102.3.  This IP address is part of the
> 140.99.96.0/19 prefix announced by ASN 2 (ACES Research - The Tucson
> Interconnect).  The channel is #midgets_in_drag with no channel key.

.. Just for the record, we are in no way affiliated with this trojan :)

> The server is not running, so this botnet (perhaps an old one) is not
> available for woe.  The bot runs on Windows as wuordona.exe, and
> installs in c:\winnt\.

It will be available for woe once again tomorrow morning (down for
maint.), so be afraid..

> This is likely an attempt by some miscreants to build a botnet through
> the e-mail spam method.  Since Slackbot does not include a spam
> mechanism, some other bit of malware must be involved.
>
> Thanks,
> Rob.
> -- 
> Rob Thomas
> http://www.cymru.com
> ASSERT(coffee != empty);

Regards,
Matt
--
Matt Levine
@Home: matt () deliver3 com
@Work: matt () eldosales com
ICQ  : 17080004
AIM  : exile
GPG  : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF
"The Trouble with doing anything right the first time is that nobody
appreciates how difficult it was."  -BIX  

Regards,
Matt
--
Matt Levine
@Home: matt () deliver3 com
@Work: matt () eldosales com
ICQ  : 17080004
AIM  : exile
GPG  : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF
"The Trouble with doing anything right the first time is that nobody
appreciates how difficult it was."  -BIX  

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of Rob Thomas
> Sent: Monday, June 17, 2002 9:22 PM
> To: NANOG
> Subject: NANOG wins a bot
>
>
>
> Hi, all.
>
> This evening the NANOG mailing list received e-mail from a 
> "jim bruer,"
> aka jim_teh_man () yahoo com.  This e-mail, with a topic of "ConfigMaker
> Beta" (a Cisco product) included an attachment labelled as
> "cisco_configmaker.exe."  This is actually a war bot known as 
> Slackbot,
> version 1.0.  This bot attempts to connect to the IRC server
> irc.easynews.com, 140.99.102.3.  This IP address is part of the
> 140.99.96.0/19 prefix announced by ASN 2 (ACES Research - The Tucson
> Interconnect).  The channel is #midgets_in_drag with no channel key.
> The server is not running, so this botnet (perhaps an old one) is not
> available for woe.  The bot runs on Windows as wuordona.exe, and
> installs in c:\winnt\.
>
> This is likely an attempt by some miscreants to build a botnet through
> the e-mail spam method.  Since Slackbot does not include a spam
> mechanism, some other bit of malware must be involved.
>
> Thanks,
> Rob.
> -- 
> Rob Thomas
> http://www.cymru.com
> ASSERT(coffee != empty);