Educause Security Discussion mailing list archives

Re: Fwd: URGENT: bot net with keylogger


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 12 Apr 2004 14:37:15 -0400

Dave Monnier, IT Security Office, Indiana University wrote:

Gary,

That is the same.  I've identified that same location and file as the
source of the #!!edu2k4 botnet.  There is also an info.exe at that same
location the attacker "itr" is using to gather information about the
hosts after they have gained access to the machine.

I found that info.exe file on one of the machines here too.

I hope I didn't ruin somebody's investigation by posting that
site info. I thought it might be important for people to
know to block that site. I'm seeing incoming IM messages
carrying that link on an ongoing basis now. It's hard to
know when to keep quiet about sources and details to aid
law enforcement and when to post information that may keep
more machines from being compromised.

Do you have any information on the traffic to the IDENT
port? I assume it's a remote control trojan of some sort.
We can't block incoming IDENT outright because some sites
won't let clients connect without it. The IDP is blocking
IDENT traffic that is out of spec in some way but I'd
like to get more info on the actual traffic to create
a specific attack signature.

Also, any details on keylog files? After looking for date-related
files and watching Filemon output from aim1.exe turned up
nothing, I'm resorting to full disk searches for strings I know
were sent out because they showed up in our snort logs. But I
still haven't found anything. I guess next, I'll have to look
at deleted files.
Sorry to repeat myself but it sure would be nice to have
a handle on what information was compromised if there is
any additional information out there on format or location
of keylog files.

These Netscreen IDPs we just put in have just paid for
themselves as far as I'm concerned. I told them to look
in the "AOL Info Text" field for the string that infected
clients are sending and, poof!, no more incoming
messages. Five minutes work. Of course, if the string
changes, we start all over again but nothing is perfect.
They're doing the same thing to outgoing web requests.
And while I was doing that, they stopped a network scan,
a follow up brute force login attempt across several
systems, and then told me the same host was attempting
to log in as root to several other systems. Now all I
have to do is keep up with it. :)

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
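Following Gary's point about full disk searches for strings that showed up in the snort logs, here is an added example (not part of the original thread and not JMU's tooling): a small Python hunt that checks files for both the ASCII and UTF-16LE byte forms of known exfiltrated strings, since an ASCII-only search misses wide-character text that Windows tools often write. The needle strings and sample files are constructed.

```python
# Added example (not Gary Flynn's or JMU's code): hunt files for strings that
# are known to have left the network, checking both the ASCII and the UTF-16LE
# byte forms, since Windows tools often write text as wide characters and an
# ASCII-only search will miss it. Sample strings and files are constructed.
import os
import tempfile

def byte_forms(needle):
    # Two byte encodings of the same string to search for.
    return {"ascii": needle.encode("ascii"), "utf-16le": needle.encode("utf-16-le")}

def scan_file(path, needles, chunk=1 << 20):
    """Return sorted (needle, encoding) pairs present in the file.

    Reads in chunks, keeping an overlap so a match across a boundary counts."""
    patterns = [(n, e, b) for n in needles for e, b in byte_forms(n).items()]
    overlap = max(len(b) for _, _, b in patterns) - 1
    hits, tail = set(), b""
    with open(path, "rb") as f:
        while data := f.read(chunk):
            buf = tail + data
            hits.update((n, e) for n, e, b in patterns if b in buf)
            tail = buf[-overlap:] if overlap else b""
    return sorted(hits)

def scan_tree(root, needles):
    """Walk root; map each file path that contains a needle to its hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path, needles)
            except OSError:
                continue  # locked or unreadable file: skip it, keep hunting
            if hits:
                results[path] = hits
    return results

def demo():
    """Constructed sample tree: one ASCII hit, one UTF-16LE hit, one clean file."""
    needles = ["jsmith@example.edu", "hunter2pass"]
    root = tempfile.mkdtemp()
    samples = {"a.log": b"keys: jsmith@example.edu 09:12\n",
               "b.dat": "pw=hunter2pass".encode("utf-16-le"),
               "c.txt": b"nothing here\n"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    return {os.path.basename(p): h for p, h in scan_tree(root, needles).items()}
```

Point it at a mounted image or user profile with the strings taken from the IDS alerts; files that hit only in the utf-16le form are the ones a plain grep would have passed over.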
