Re: Fwd: URGENT: bot net with keylogger

["T. Charles Yun" <tcyun () INTERNET2 EDU>]

Doug,

not sure if you saw, but we are encouraging people to sign up for the
educause security list and will be taking down wg-security () internet2 edu
in 30 days.


- tcy



Doug Pearson wrote:
> redirecting with permission...
>
>
> > Date: Thu, 8 Apr 2004 10:05:09 -0400 (EDT)
> > From: Kathy Bergsma <kathya () nersp nerdc ufl edu>
> > To: Doug Pearson <dodpears () indiana edu>
> > Cc: security () switch ch, wg-security () internet2 edu
> > Subject: Re: Fwd: URGENT: bot net with keylogger
> >
> > Yesterday, our flow data showed attempts from compromised system to connect to
> > port 8040 on the following addresses.  We are still logging attempts to the
> > gatech address today.  These systems were all blocked remotely and we block port
> > 8040 locally, but our flow data still logs the attempts.  Since
> > et.bestexploiters.com no longer resolves, the intruder must be using a new
> > domain.  I'll see if I can learn the new domain from a sniff today.
> >
> > 128.61.164.122 hin-128-61-164-122.hinman.gatech.edu
> > 129.244.129.84 <?>.utulsa.edu
> > 129.244.30.149 <?>.utulsa.edu
> > 203.71.132.210 <?>.ksut.edu.tw
> >
> > On some, but not all systems, we found a file called keylog.txt in
> > c:\windows\system32.  We found a rootkit installed in CAROOT on one system.
> > The system had multiple infections and our forensics aren't complete, so we're
> > not sure if it was related to bestexploiters.
> >
> > All compromises on our network were restricted to private IP that is protected
> > with the established option, so my best guess for mode of compromise is that the
> > users visited a malicious website with a vulnerable IE browser.  Most of the
> > compromised systems were from Sorority houses.  All but one were female.  A
> > Google search of bestexploiters produces some (now dead) pornography links.
> >
> > Anyone else have any useful forensics?
> >
> > =============
> > Kathy Bergsma
> > UF Information Security Manager
> > 352-392-2061
> >
> > On Tue, 6 Apr 2004, Doug Pearson wrote:
> >
> >
> > > Working with Internet2 Abilene engineers and management we chose to apply
> > > filters in the Abilene network to block traffic between Abilene and the botnet
> > > IRCD servers. Owners of the respective networks have been contacted regarding
> > > the action. At the time, all 15 known IRCD servers were at .edu's, both within
> > > and outside the U.S., and all reachable via Abilene. The traffic blocks act as
> > > blackholes - the traffic from Abilene connected hosts to the IRCDs will not
> > > reroute over the commercial Internet. The filters were applied ~11:50p CDT. At
> > > ~00:15a CDT, et.bestexploters.com now resolves to a single host at 1.3.3.7.
> > > That's an "IANA Reserved" network, not sure if there's a workable IRCD there
> > > or not.
> > >
> > > - Doug Pearson
> > >
> > >
> > >
> > > > X-Sieve: cmu-sieve 2.0
> > > > Delivered-To: wg-security () internet2 edu
> > > > X-Sender: dodpears () imap1 indiana edu
> > > > X-Mailer: QUALCOMM Windows Eudora Version 6.0.1.1
> > > > Date: Mon, 05 Apr 2004 15:54:37 -0500
> > > > To: SECURITY () LISTSERV EDUCAUSE EDU, wg-security () internet2 edu
> > > > From: REN-ISAC <dodpears () indiana edu>
> > > > Subject: URGENT: bot net with keylogger
> > > > X-Virus-Scanned: by mail.internet2.edu virus scanner
> > > > Sender: owner-wg-security () internet2 edu
> > > > X-Virus-Scanned: by mail.internet2.edu virus scanner
> > > >
> > > > Dear all,
> > > >
> > > > Security engineers at Indiana University have been involved in local
> > > > discovery and investigation with others regarding a rapidly growing and
> > > > particularly threatening bot network. Of URGENT CONCERN is that the client
> > > > contains a keystroke logger. All keystrokes on the compromised machines are
> > > > transmitted to a controlling IRCD. We've been able to observe traffic to one
> > > > of at least 15 controlling IRCDs. That one IRCD was in control of over 12,000
> > > > clients. On the face, it appears that the network grew to that size in much
> > > > less than one day, and 12,000 may represent just 1/15th of the network. We're
> > > > in process of collaborating with other groups in analysis. There's no
> > > > information to share regarding infection vector just yet. In the meantime, a
> > > > useful and highly recommended response is for institutions to immediately
> > > > locally block the DNS name that clients use to contact the IRCDs:
> > > > et.bestexploiters.com. If you're able to log DNS requests you should be able
> > > > to identify local compromised hosts. The REN-ISAC will be directly contacting
> > > > the institutions home to observed compromised machines, and will provide
> > > > host-specific information.
> > > >
> > > > Regards,
> > > >
> > > > Doug Pearson
> > > > Director, REN-ISAC
> > > > http://www.ren-isac.net
> > > > +1-812-855-3846
> > > > +1-812-325-3846 cell
> > >
> > > --
> > >
> > > Doug Pearson; Indiana University; dodpears () indiana edu
> > > Phone: 812-855-3846; ViDeNet: 0018128553846
> > > PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
>
>
> --
>
> Doug Pearson; Indiana University; dodpears () indiana edu
> Phone: 812-855-3846; ViDeNet: 0018128553846
> PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
> http://www.educause.edu/cg/.

--
- Charles
===========================================================
 T. Charles Yun, Program Manager
 Internet2                              cell: 734.730.3300
 3025 Boardwalk                          fax: 734.913.4255
 Suite 100                      email: tcyun () internet2 edu
 Ann Arbor, Michigan          yahoo, msn, aim: tcharlesyun
 48108                         http://internet2.edu/~tcyun

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.