Educause Security Discussion mailing list archives
Re: Phatbot
From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 19 Mar 2004 15:58:23 -0600
Doug Pearson wrote:
> Has anyone seen hard information on characteristics of the traffic
> that would be a good marker distinguishing it from other valid
> traffic in netflow data, e.g. byte counts, etc.

I haven't had one on my network (crossing fingers), but looking at those knocking on the door has helped a bunch.

Phatbot (now called Polybot by most AV companies) tries to spread itself via an RPC-related vulnerability via port 1025/tcp on remote hosts (among other methods). It either favors or exclusively tries to spread within the /8 network the infected host is on. Therefore, a rule looking for outbound SYN (no other flags set) packets to destination port 1025/tcp on addresses in the same /8 is a good start. An infected host will send quite a few of these packets in a minute. If you see a host sending one or two of them over a several-minute span, it's not Polybot.

It also tries to spread via other ports, but I don't know of anything else that looks like it is scanning for computers listening on 1025/tcp, so at least for now, that is an easy indication.

Some commands that might come in handy:

tcpdump -i eth0 -n -S 'tcp dst port 1025 and tcp[13] = 2'
ngrep -iq -d eth0 'meow' tcp dst port 1025

In netflows, look for 3-packet, 144-byte flows to 1025/tcp, when both hosts are on the same /8 network. This will show you those where the destination host did not respond to the SYN packets. The duration of these flows should be just over nine seconds (SYN, wait 3 sec, SYN, wait 6 sec, SYN).

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who understand binary and those who don't."

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
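The netflow heuristic from Brian's post (SYN-only flows to 1025/tcp inside the same /8, the exact 3-packet/144-byte/~9-second retransmit signature, and "quite a few per minute" versus "one or two over several minutes") written out as a small detector, as an added example that is not part of the original message or of any EDUCAUSE tool. The CSV flow layout, the nfdump-style flag letters, the 10-probes-per-60-seconds threshold and the sample records are all assumptions constructed for the example; the post itself gives no exact threshold.

```python
"""Netflow heuristic for the Phatbot/Polybot 1025/tcp scanning described above.

Added example, not from the original post. Flow records below are constructed,
not captured data, in a simple CSV layout (an assumption about the collector):
start_epoch,duration_s,src,dst,proto,sport,dport,packets,bytes,flags
Flags use nfdump-style letters (S = SYN, A = ACK, P = PSH, F = FIN).
"""
from collections import defaultdict
import ipaddress

# Constructed sample: 10.1.2.3 sweeps its own /8 on 1025/tcp (12 unanswered
# 3-SYN flows in 11 seconds); 10.9.9.9 sends one such flow; 10.7.7.7 probes a
# host outside its /8; 10.5.5.5 completes a normal connection to 1025/tcp.
SAMPLE_FLOWS = """\
1079730000,9.01,10.1.2.3,10.44.1.10,tcp,1033,1025,3,144,S
1079730001,9.02,10.1.2.3,10.44.1.11,tcp,1034,1025,3,144,S
1079730002,9.00,10.1.2.3,10.44.1.12,tcp,1035,1025,3,144,S
1079730003,9.01,10.1.2.3,10.44.1.13,tcp,1036,1025,3,144,S
1079730004,9.03,10.1.2.3,10.44.1.14,tcp,1037,1025,3,144,S
1079730005,9.00,10.1.2.3,10.44.1.15,tcp,1038,1025,3,144,S
1079730006,9.02,10.1.2.3,10.44.1.16,tcp,1039,1025,3,144,S
1079730007,9.01,10.1.2.3,10.44.1.17,tcp,1040,1025,3,144,S
1079730008,9.00,10.1.2.3,10.44.1.18,tcp,1041,1025,3,144,S
1079730009,9.02,10.1.2.3,10.44.1.19,tcp,1042,1025,3,144,S
1079730010,9.01,10.1.2.3,10.44.1.20,tcp,1043,1025,3,144,S
1079730011,9.00,10.1.2.3,10.44.1.21,tcp,1044,1025,3,144,S
1079730300,9.01,10.9.9.9,10.9.9.10,tcp,2049,1025,3,144,S
1079730400,9.02,10.7.7.7,192.168.1.1,tcp,3001,1025,3,144,S
1079730500,0.40,10.5.5.5,10.6.6.6,tcp,4001,1025,10,1204,SAPF
"""


def parse_flows(text):
    """Parse the CSV layout above into a list of dicts; blank/# lines skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(",")
        flows.append({
            "start": float(f[0]), "duration": float(f[1]),
            "src": f[2], "dst": f[3], "proto": f[4],
            "sport": int(f[5]), "dport": int(f[6]),
            "packets": int(f[7]), "bytes": int(f[8]), "flags": f[9],
        })
    return flows


def same_slash8(a, b):
    """True when both addresses share the first octet (same /8)."""
    return ipaddress.ip_address(a).packed[0] == ipaddress.ip_address(b).packed[0]


def is_1025_syn_probe(flow):
    """Looser rule from the post: a SYN-only tcp flow to port 1025 on a host
    in the sender's own /8, regardless of how many SYNs it contains."""
    return (flow["proto"] == "tcp" and flow["dport"] == 1025
            and flow["flags"] == "S" and same_slash8(flow["src"], flow["dst"]))


def is_unanswered_1025_syn(flow):
    """Exact signature from the post: 3 SYN-only packets, 144 bytes, a little
    over nine seconds (SYN, +3 s SYN, +6 s SYN) to 1025/tcp in the same /8.
    The 8.5..10.0 s window is an assumption chosen to tolerate timer jitter."""
    return (is_1025_syn_probe(flow)
            and flow["packets"] == 3 and flow["bytes"] == 144
            and 8.5 <= flow["duration"] <= 10.0)


def suspected_scanners(flows, window=60.0, threshold=10):
    """Return {src: most probes seen in any `window`-second span} for sources
    reaching `threshold`. The post only says an infected host sends 'quite a
    few' per minute while one or two over several minutes is benign, so the
    default threshold of 10 in 60 s is an assumption to tune per site."""
    starts = defaultdict(list)
    for f in flows:
        if is_1025_syn_probe(f):
            starts[f["src"]].append(f["start"])
    hits = {}
    for src, times in starts.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):          # sliding window over start times
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    exact = [f for f in flows if is_unanswered_1025_syn(f)]
    print(f"{len(exact)} flows match the 3-packet/144-byte/~9 s signature")
    for src, n in suspected_scanners(flows).items():
        print(f"suspected Polybot scanner: {src} ({n} probes within 60 s)")
```

The completed connection from 10.5.5.5 is deliberately not counted: 1025/tcp is a legitimate Windows RPC endpoint, so a SYN-only flow (no ACK from the sender's side) is the signal, not the port alone. The cross-/8 probe from 10.7.7.7 is also dropped, per the post's observation that spreading stays inside the infected host's /8.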
Current thread:
- Phatbot Kathie Brinkman (Mar 18)
- <Possible follow-ups>
- Re: Phatbot James Moore (Mar 18)
- Re: Phatbot Jeff Birch (Mar 19)
- Re: Phatbot Scott Weeks (Mar 19)
- Re: Phatbot Marty Hoag (Mar 19)
- Re: Phatbot Daniel Medina (Mar 19)
- Re: Phatbot Doug Pearson (Mar 19)
- Re: Phatbot Gary Flynn (Mar 19)
- Re: Phatbot Dr. Tina Bird (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Brian Eckman (Mar 19)
- Re: Phatbot Mike Iglesias (Mar 19)
- Re: Phatbot Jeff Kell (Mar 19)