Educause Security Discussion mailing list archives

Re: Phatbot


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Fri, 19 Mar 2004 23:22:21 -0500

Gary Flynn wrote:
> Doug Pearson wrote:
> > Has anyone seen hard information on characteristics of the traffic
> > that would be a good marker distinguishing it from other valid traffic
> > in netflow data, e.g. byte counts, etc.
> >
> > I thought I saw something about port 1025 requests but
> > I can't find it now.
>
> 1025 has been implicated but you have to be stateful and careful about
> it.  It is such a low-numbered ephemeral port (for Windows anyway) that
> is somewhat of a problem for incoming SYNs (could be an FTP data port
> for example).  You certainly can't make any assumptions about outgoing
> SYNs on 1025 identifying an infected machine.
>
> At a higher layer, the site below has some snort signatures that
> I've had active a couple days with no hits.

Likewise.

> That port 4387 traffic and/or a unique gnutella client
> header may also be markers.

I've blocked 4387 both ways (some exceptions for it being an ephemeral
port to a well-known service) but I don't know the details of the 4387
traffic and the Gnutella connection.  Do you look for 4387->6346?  Or is
contact with Gnutella cache servers unrelated to 4387?  Is there
something unique about the connection that might translate to a Snort
(or other IDS) signature?

Jeff Kell, System/Network Security
University of Tennessee at Chattanooga
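The port caveats raised in this exchange (4387->6346 versus 4387 as a plain ephemeral port, and inbound SYNs to 1025 that may just be FTP data) written out as a flow-record triage heuristic. This is an added example, not code from the list posting; the flow records are constructed, and the 10.0.0.0/8 campus range and the labels are assumptions.

```python
"""Flow-record triage for the port markers discussed in the thread
(4387 -> 6346 and the unreliable port 1025). Added example with
constructed records; the local prefix and rules are assumptions."""
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src sport dst dport flags")

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed campus range
WELL_KNOWN_MAX = 1023                           # treated as service ports
GNUTELLA_PORT = 6346
FTP_DATA_PORT = 20

# Constructed sample SYN flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.1.2.3", 4387, "198.51.100.7", GNUTELLA_PORT, "S"),  # marker candidate
    Flow("10.1.2.4", 4387, "198.51.100.9", 80, "S"),     # 4387 is just an ephemeral port
    Flow("203.0.113.5", FTP_DATA_PORT, "10.1.2.6", 1025, "S"),  # FTP data, not a marker
    Flow("10.1.2.7", 1025, "198.51.100.10", 443, "S"),   # outgoing SYN from 1025: no signal
    Flow("10.1.2.3", 4387, "198.51.100.8", GNUTELLA_PORT, "S"),
    Flow("203.0.113.9", 3333, "10.1.2.8", 1025, "S"),    # inbound SYN to 1025, no FTP context
]

def is_local(addr):
    return ipaddress.ip_address(addr) in LOCAL_NET

def classify(flow):
    """Label one SYN flow, or return None when it is not interesting.
    Encodes the caveats from the thread, not a vendor signature."""
    if "S" not in flow.flags:
        return None
    if flow.sport == 4387 and is_local(flow.src):
        if flow.dport == GNUTELLA_PORT:
            return "4387->6346 candidate"
        if flow.dport <= WELL_KNOWN_MAX:
            return None  # the exception carved out when blocking 4387
        return "4387 to non-standard port (review)"
    if flow.dport == 1025 and is_local(flow.dst):
        # Inbound SYN to 1025 needs state: FTP data connections land here too.
        return None if flow.sport == FTP_DATA_PORT else "inbound SYN to 1025 (check state)"
    return None  # outgoing SYNs from 1025 are deliberately not scored

def candidates_by_host(flows):
    """Count 4387->6346 candidate flows per local source host."""
    return dict(Counter(f.src for f in flows if classify(f) == "4387->6346 candidate"))

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, f.sport, "->", f.dst, f.dport, ":", classify(f))
    print(candidates_by_host(SAMPLE_FLOWS))
```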

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
