Educause Security Discussion mailing list archives

Re: Fwd: URGENT: bot net with keylogger


From: "Krulewitch, Sean" <krulewit () IU EDU>
Date: Thu, 8 Apr 2004 18:16:02 -0500

On Thursday, April 08, 2004 10:05:09 PM -0400, Kathy Bergsma
<kathya () nersp nerdc ufl edu> wrote:

Yesterday, our flow data showed attempts from compromised systems to
connect to port 8040 on the following addresses.  We are still logging
attempts to the gatech address today.  These systems were all blocked
remotely and we block port 8040 locally, but our flow data still logs the
attempts.  Since et.bestexploiters.com no longer resolves, the intruder
must be using a new domain.  I'll see if I can learn the new domain from
a sniff today.

128.61.164.122 hin-128-61-164-122.hinman.gatech.edu
129.244.129.84 <?>.utulsa.edu
129.244.30.149 <?>.utulsa.edu
203.71.132.210 <?>.ksut.edu.tw

On some, but not all systems, we found a file called keylog.txt in
c:\windows\system32.  We found a rootkit installed in CAROOT on one
system.  The system had multiple infections and our forensics aren't
complete, so we're not sure if it was related to bestexploiters.

All compromises on our network were restricted to private IP that is
protected with the established option, so my best guess for mode of
compromise is that the users visited a malicious website with a
vulnerable IE browser.  Most of the compromised systems were from
Sorority houses.  All but one were female.  A Google search of
bestexploiters produces some (now dead) pornography links. 

Anyone else have any useful forensics?

From what I have seen so far it looks to be a known variant of
ago/gaobot.  There is at least one report[1] in the wild that looks to
be a variant of SDBot (at least in name).

[1] http://groups.google.com/groups?selm=Hafnium.149ubh%40mail.mcse.ms&oe=UTF-8&output=gplain

-Sean
-- 
Sean Krulewitch, Security Engineer
IT Security Office, Office of the VP for Information Technology
Indiana University
For PGP Key or S/MIME cert:  https://www.itso.iu.edu/staff/krulewit/
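The flow-data check described in the quoted message (internal hosts attempting to reach tcp/8040 or the listed controller addresses, with unlisted 8040 destinations surfaced as candidates for the replacement controller) can be expressed as a small triage script. This is an added example, not code from either poster or from the EDUCAUSE list. The CSV flow-record layout, the sample records and the RFC 1918 internal ranges are constructed assumptions; substitute your own exporter's format and campus prefixes.

```python
"""Triage flow records for the bot C2 traffic discussed in the thread.

Added example, not code from the mailing list. The flow record format
(CSV: ts,sip,sport,dip,dport,proto,pkts,bytes,flags) and the sample rows
below are constructed for illustration.
"""
import csv
import ipaddress
from collections import defaultdict
from io import StringIO
from typing import Optional

# Controller addresses listed in the thread; 8040 is the reported C2 port.
C2_ADDRESSES = {
    "128.61.164.122", "129.244.129.84", "129.244.30.149", "203.71.132.210",
}
C2_PORT = 8040

# Assumption: the compromised hosts sit in RFC 1918 space. Replace with the
# actual internal prefixes when running against real exports.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample flows (not real data). proto 6 = TCP, 17 = UDP.
SAMPLE_FLOWS = """\
ts,sip,sport,dip,dport,proto,pkts,bytes,flags
2004-04-07T08:01:12,10.20.5.17,1032,128.61.164.122,8040,6,3,144,S
2004-04-07T08:01:15,10.20.5.17,1033,128.61.164.122,8040,6,3,144,S
2004-04-07T08:02:01,10.20.5.17,1034,129.244.129.84,8040,6,3,144,S
2004-04-07T08:05:44,10.20.9.3,2048,203.71.132.210,8040,6,2,96,S
2004-04-07T08:06:10,10.20.9.3,2049,64.233.160.0,80,6,12,5400,SA
2004-04-07T08:07:00,10.20.11.8,4000,129.244.30.149,80,6,4,200,SA
2004-04-07T08:08:30,172.16.40.2,3000,198.51.100.7,8040,6,3,144,S
2004-04-07T09:00:00,10.20.12.1,53,10.20.0.2,53,17,1,80,
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: dict) -> Optional[str]:
    """Return why a flow is suspicious, or None.

    Only outbound flows from internal sources count: a hit on a listed
    address from an external source is not one of our compromised hosts.
    A listed address is flagged on any port (the hosts were blocked
    remotely, so the port in use may change); tcp/8040 to an unlisted
    address is flagged as a possible replacement controller.
    """
    if not is_internal(flow["sip"]):
        return None
    if flow["dip"] in C2_ADDRESSES:
        return "listed C2 address"
    if flow["proto"] == "6" and int(flow["dport"]) == C2_PORT:
        return "tcp/8040 to unlisted host"
    return None


def analyze(flow_csv: str) -> dict:
    """Aggregate suspicious flows per internal source host, and count
    unlisted tcp/8040 destinations as candidate new controllers."""
    hosts = defaultdict(
        lambda: {"attempts": 0, "destinations": set(), "reasons": set()}
    )
    candidates = defaultdict(int)
    for flow in csv.DictReader(StringIO(flow_csv)):
        reason = classify(flow)
        if reason is None:
            continue
        h = hosts[flow["sip"]]
        h["attempts"] += 1
        h["destinations"].add(flow["dip"])
        h["reasons"].add(reason)
        if reason == "tcp/8040 to unlisted host":
            candidates[flow["dip"]] += 1
    return {"hosts": dict(hosts), "candidate_controllers": dict(candidates)}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    for sip, info in sorted(report["hosts"].items()):
        print(f"{sip}: {info['attempts']} attempt(s) -> "
              f"{sorted(info['destinations'])} ({', '.join(sorted(info['reasons']))})")
    for dip, n in report["candidate_controllers"].items():
        print(f"candidate new controller {dip}: {n} flow(s) on tcp/{C2_PORT}")
```

Because the controllers were blocked, the interesting records are SYN-only flows with a handful of small packets; the script does not filter on TCP flags so that completed connections to a listed address (the port 80 flow above) are not missed, but on a busy exporter adding a flags filter to the 8040 rule will cut down the unlisted-destination noise.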

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
