Educause Security Discussion mailing list archives

Re: "Stealth" Agobot/Gaobot?


From: Brian Eckman <eckman () UMN EDU>
Date: Tue, 27 Apr 2004 16:06:40 -0500

Jeff Kell wrote:
> Twice today I have seen indications of Agobot infections.  As has been
> my usual procedure, I nmap the beast, try nbtscan for NetBIOS info, then
> shut down the port.  But nmap indicates nothing other than 135/139/1025
> and the scanning stops.
>
> Is this a new "stealth bot" that shuts down or sleeps for a while if it
> detects a scan?

I had a variant today that showed up in an nmap. I telnetted to it and
it threw its stream of garbage at me. I then went to netcat it and the
port was closed. It's only happened this one time, and I have no good
explanation for it. However, that may not be related to what you are
reporting.

I guess it would help to know what your indications were. Something else
could be acting like it as well. I also seem to remember Agobot variants
only opening up their high-numbered ports after finding their first
victim. If you notice one too quickly after initial infection, it may
not have opened the ports yet.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
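Both posts above describe the same difficulty: a single nmap pass shows a port open (or shows nothing), and a follow-up connection a moment later finds it closed. A one-shot scan cannot distinguish a listener that was never there from one that closed between probes. The script below is an added example, not code from either poster; it repeatedly attempts a plain TCP connect (no banner read, nothing sent) to a small set of ports and records every open/closed transition with a timestamp, so an analyst can see whether a port is flapping rather than simply absent. The host address 198.51.100.7 and the scripted probe results are constructed for the demo; the probe, clock and sleep functions are injectable so the logic can be exercised offline.

```python
import socket
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

# A probe takes (host, port) and returns True if a TCP connect succeeded.
Probe = Callable[[str, int], bool]
Observation = Tuple[float, bool]          # (timestamp, port_was_open)


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Real probe: a bare TCP connect that is closed immediately.

    Nothing is read or written, so the service sees only a SYN/ACK/FIN
    exchange; this avoids the 'stream of garbage' a telnet session triggers.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def watch_ports(host: str, ports: Iterable[int], rounds: int, interval: float,
                probe: Probe = tcp_connect_probe,
                clock: Callable[[], float] = time.time,
                sleep: Callable[[float], None] = time.sleep) -> Dict[int, List[Observation]]:
    """Poll each port `rounds` times, `interval` seconds apart.

    Returns, per port, the ordered list of (timestamp, open) observations.
    """
    history: Dict[int, List[Observation]] = {p: [] for p in ports}
    for r in range(rounds):
        for p in history:
            history[p].append((clock(), probe(host, p)))
        if r < rounds - 1:
            sleep(interval)
    return history


def transitions(history: Dict[int, List[Observation]]) -> List[Tuple[int, float, str]]:
    """Every state change after a port's first observation: (port, when, 'open'|'closed')."""
    out: List[Tuple[int, float, str]] = []
    for port, obs in history.items():
        prev = None
        for ts, is_open in obs:
            if prev is not None and is_open != prev:
                out.append((port, ts, "open" if is_open else "closed"))
            prev = is_open
    return out


def flapping_ports(history: Dict[int, List[Observation]]) -> List[int]:
    """Ports observed in both states during the watch window: the 'stealth' signature."""
    return sorted(p for p, obs in history.items() if len({o for _, o in obs}) > 1)


def make_scripted_probe(script: Dict[int, List[bool]]) -> Probe:
    """Constructed offline probe: replays a per-port list of results (last value repeats)."""
    calls: Dict[int, int] = defaultdict(int)

    def probe(host: str, port: int) -> bool:
        i = calls[port]
        calls[port] += 1
        seq = script[port]
        return seq[min(i, len(seq) - 1)]

    return probe


def demo() -> List[int]:
    """Replay the behaviour from the thread: 135 stays open, 1025 closes after the first probe."""
    script = {135: [True, True, True], 1025: [True, False, False]}
    ticks = iter(range(100))                      # fake clock: 0, 1, 2, ...
    hist = watch_ports("198.51.100.7", [135, 1025], rounds=3, interval=0,
                       probe=make_scripted_probe(script),
                       clock=lambda: float(next(ticks)), sleep=lambda s: None)
    for port, ts, state in transitions(hist):
        print(f"t={ts:>4} port {port} -> {state}")
    return flapping_ports(hist)


if __name__ == "__main__":
    print("flapping:", demo())
```

Against a real host, call `watch_ports(host, [135, 139, 1025], rounds=20, interval=5)` with the default `tcp_connect_probe`; a port that appears in `flapping_ports()` closed or opened during the window, which is the distinction a single nmap run cannot make.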

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
