Educause Security Discussion mailing list archives

Re: Phatbot


From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 19 Mar 2004 15:58:23 -0600

Doug Pearson wrote:
> Has anyone seen hard information on characteristics of the traffic
> that would be a good marker distinguishing it from other valid
> traffic in netflow data, e.g. byte counts, etc.?

I haven't had one on my network (crossing fingers), but looking at those
knocking on the door has helped a bunch. Phatbot (now called Polybot by
most AV companies) tries to spread itself via an RPC-related
vulnerability via port 1025/tcp on remote hosts (among other methods).
It either favors or exclusively tries to spread within the /8 network
the infected host is on. Therefore, a rule looking for outbound SYN (no
other flags set) packets to destination port 1025/tcp on addresses in
the same /8 is a good start. An infected host will send quite a few of
these packets in a minute. If you see a host sending one or two of them
over a several minute span, it's not Polybot.

It also tries to spread via other ports, but I don't know of anything
else that looks like it is scanning for computers listening on 1025/tcp,
so at least for now, that is an easy indication.

Some commands that might come in handy:

tcpdump -i eth0 -n -S 'tcp dst port 1025 and tcp[13] = 2'
ngrep -iq -d eth0 'meow' tcp dst port 1025

In netflows, look for 3-packet, 144-byte flows to 1025/tcp, when both
hosts are on the same /8 network. This will show you those where the
destination host did not respond to the SYN packets. The duration of
these flows should be just over nine seconds (SYN, wait 3 sec, SYN, wait
6 sec, SYN).

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
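An added example of the netflow check Brian describes (it is not from the original post or from any real collector): it parses a constructed, simplified one-line-per-flow record layout, matches each flow against the marker (SYN-only to 1025/tcp, 3 packets / 144 bytes, about nine seconds, same /8), and only reports sources that send several such probes within a minute, so a lone probe or two is ignored as the post advises. The record layout, field names and the 60-second / 3-probe threshold are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not real collector output), one per line:
# start_sec,duration_sec,src,dst,proto,sport,dport,flags,packets,bytes
SAMPLE_FLOWS = """\
0,9.1,10.1.2.3,10.7.8.9,tcp,3456,1025,S,3,144
1,9.0,10.1.2.3,10.7.8.10,tcp,3457,1025,S,3,144
2,9.2,10.1.2.3,10.7.8.11,tcp,3458,1025,S,3,144
3,0.1,10.1.2.3,10.7.8.12,tcp,3459,1025,SA,6,512
4,9.1,10.1.2.3,172.16.0.5,tcp,3460,1025,S,3,144
5,9.0,10.5.5.5,10.5.5.6,tcp,4000,1025,S,3,144
"""
FIELDS = ["start", "duration", "src", "dst", "proto", "sport", "dport", "flags", "packets", "bytes"]

def parse_flows(text):
    """Parse the constructed CSV layout into dicts with numeric fields converted."""
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split(",")))
            for k in ("sport", "dport", "packets", "bytes"):
                rec[k] = int(rec[k])
            rec["start"], rec["duration"] = float(rec["start"]), float(rec["duration"])
            yield rec

def is_polybot_probe(rec):
    """One unanswered 1025/tcp probe: SYN-only, 3 packets / 144 bytes,
    ~9 s (SYN, +3 s, +6 s retransmits), source and destination in the same /8."""
    if rec["proto"] != "tcp" or rec["dport"] != 1025 or rec["flags"] != "S":
        return False
    if rec["packets"] != 3 or rec["bytes"] != 144 or not 8.5 <= rec["duration"] <= 10.0:
        return False
    dst_slash8 = ipaddress.ip_network(f"{rec['dst']}/8", strict=False)
    return ipaddress.ip_address(rec["src"]) in dst_slash8

def suspect_scanners(text, min_probes_per_minute=3):
    """Return {src: total_probes} for sources with enough matching flows in some 60 s window."""
    per_src = defaultdict(list)
    for rec in parse_flows(text):
        if is_polybot_probe(rec):
            per_src[rec["src"]].append(rec["start"])
    flagged = {}
    for src, starts in per_src.items():
        starts.sort()
        for i, t in enumerate(starts):
            if sum(1 for s in starts[i:] if s - t < 60) >= min_probes_per_minute:
                flagged[src] = len(starts)
                break
    return flagged
```

On the sample above only 10.1.2.3 is reported: its SYN/ACK flow and its probe to a different /8 are skipped, and 10.5.5.5 sends a single probe, which is below the threshold.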
