Re: Recent Gaobot event

["H. Morrow Long" <morrow.long () YALE EDU>]

Gordon -- Yes, we saw this, but it was for approx. the
two weeks prior to last week.  A number of PCs
were hit with it and they began attempting to brute
force the passwords for (all of ?) the accounts in our
Active Directory.

We'd just implemented a domain account lockdown
policy --  a short lockdown period -- after a somewhat
high number of unsuccessful login attempts
so we began to see the effects of the new lockdown
policy kick into effect rather quickly (some users 
reported their accounts would lock out for the
lockdown period).

The infected PCs would show up in the security
event log of other computers and the active directory
servers with high numbers of unsuccessful login
attempts on various accounts.

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS


On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:

> Is anyone else seeing any evidence of this on their campus?  Like Boston College, we've been hit with this within the past two weeks, and at one point the traffic generated by machines attempting to phone home seriously affected our network performance.
>
>
>
> Virus Steals Student Passwords: Boston College's campus network was hit by a virus that forced computers to guess at passwords that would provide access to other linked machines.
> The Heights
>
>
> Curiously, we've found little discussion of this elsewhere. 
>
> Gordon
>
> ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

Attachment: smime.p7s
Description: