Educause Security Discussion mailing list archives

Re: Phatbot


From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Fri, 19 Mar 2004 11:02:41 -0600

Scott Weeks wrote:

Hello Everyone,

I see there're six IP addresses that the infected machines contact to do
their "speed test".  I suppose we could just monitor traffic to these
addresses to find infected machines?  Doing traceroutes to the URLs in the
article gives the following list:


   Note that the IP addresses may change. That still might
be a viable way to detect the infections but the list would
be a lot longer than the one for just the host names. For example,
I checked the Stanford host name just now and got:

www.stanford.edu.       1H IN CNAME     www.LB-A.stanford.edu.
www.LB-A.stanford.edu.  4S IN A         171.67.16.68

and the 4 second time to live for the "A" record may indicate
they do some load balancing or something - the next time
I tried it was 171.67.16.54.

   www.xo.net returns four IP addresses at the moment with
15 minute times to live.

   Does anyone know if this critter uses the normal
"resolver" for domain names on the PC? In other words,
if your PCs point at one local DNS server for name
resolution perhaps requests for the host names could
be detected (assuming the names are what is in the code).

   The document at http://www.lurhq.com/phatbot.html does
give some "Snort" signatures which look for the ending
messages the worm's FTP server sends out (e.g. "have a good
infection") as well as P2P traffic.

   Marty

       131.113.213.132
       140.114.72.8
       171.67.16.66
       207.155.248.63
       130.89.1.16
       212.227.147.70

Whatcha' think?

scott


:  Another good web site.
:  http://www.lurhq.com/phatbot.html


:  http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html
:  follows:
:          Hackers Embrace P2P Concept
:          Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or
:  Denial-of-Service Attacks
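The resolver-log idea raised above (watching a local DNS server for lookups of the "speed test" host names rather than for the ever-changing A records) can be tried with a few lines of Python. The script below is an added example for this archive page, not code from the thread or from the LURHQ write-up. It assumes BIND 9 style query-log lines (the sample lines are constructed for illustration), that infected PCs use the campus resolver (the thread leaves open whether the bot does), and it watches only the two host names actually named in the message; the remaining names would have to be filled in from the article.

```python
import re
from collections import defaultdict

# Host names the thread says infected machines look up for their "speed test".
# Only these two are named on the page; add the others from the LURHQ write-up.
WATCHED_NAMES = {"www.stanford.edu", "www.xo.net"}

# Matches a BIND 9 query-log line such as
#   19-Mar-2004 11:00:01.001 client 10.20.30.40#1031: query: www.xo.net IN A +
# The client address, the queried name and the query type are captured.
QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (client_ip, qname, qtype) for every query line; skip anything else.

    The name is normalised (trailing dot removed, lower-cased) so that
    'WWW.XO.NET.' and 'www.xo.net' count as the same name."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def find_suspect_clients(lines, watched=WATCHED_NAMES, min_distinct=2):
    """Return {client_ip: [watched names it resolved]} for clients that looked up
    at least min_distinct different watched names.

    Requiring more than one distinct name is a simple false-positive filter:
    a user browsing to one of these sites only trips one name, while a bot
    running through its speed-test list trips several in quick succession."""
    seen = defaultdict(set)
    for client, qname, _qtype in parse_query_log(lines):
        if qname in watched:
            seen[client].add(qname)
    return {client: sorted(names) for client, names in seen.items() if len(names) >= min_distinct}


# Constructed sample log: .40 looks up both names (suspect), .41 only one
# (probably just browsing), .42 looks up an unrelated name; one junk line.
SAMPLE_LOG = """\
19-Mar-2004 11:00:01.001 client 10.20.30.40#1031: query: www.stanford.edu IN A +
19-Mar-2004 11:00:01.210 client 10.20.30.40#1032: query: WWW.XO.NET. IN A +
19-Mar-2004 11:00:02.515 client 10.20.30.41#1033: query: www.stanford.edu IN A +
19-Mar-2004 11:00:03.007 client 10.20.30.42#1034: query: www.educause.edu IN A +
19-Mar-2004 11:00:03.300 client 10.20.30.40#1035: query: www.xo.net IN AAAA +
named[123]: zone example.test/IN: loaded serial 2004031901
""".splitlines()


if __name__ == "__main__":
    for client, names in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Run it against the real query log (`rndc querylog` turns logging on in BIND 9) and adjust `min_distinct` to taste; the name-based match survives the short TTLs and rotating A records noted above, which a list of IP addresses would not.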


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
