Re: Recent Gaobot event

["Gordon D. Wishon" <gwishon () ND EDU>]

Thanks, Morrow.  When we recognized what was going on, we crafted a set of
IDS rules to detect it and began applying our 'soft-disconnect' policy to
all infected hosts, effectively quarantining them until they're cleaned
up.  Cleaning the hosts is possible, but reinfection is still quite likely
as long as file and print sharing are enabled and weak (brute-forceable)
passwords are in place.

The interesting thing is that there have been almost no reports of a
widespread outbreak, which suggests the originator might be triggering
limited, but targeted (to specific address blocks), botnet
activities.  Most troubling, though, is that while detection and cleansing
is possible, prevention is difficult in environments where Windows file and
print sharing is essential and where desktop password practices are poor --
which describes far too many of our campus environments.

Gordon

At 10:10 AM 12/16/2004 -0500, H. Morrow Long wrote:
> Gordon -- Yes, we saw this, but it was for approx. the
>         two weeks prior to last week.  A number of PCs
>         were hit with it and they began attempting to brute
>         force the passwords for (all of ?) the accounts in our
>         Active Directory.
>
>         We'd just implemented a domain account lockdown
>         policy --  a short lockdown period -- after a somewhat
>         high number of unsuccessful login attempts
>         so we began to see the effects of the new lockdown
>         policy kick into effect rather quickly (some users
>         reported their accounts would lock out for the
>         lockdown period).
>
>         The infected PCs would show up in the security
>         event log of other computers and the active directory
>         servers with high numbers of unsuccessful login
>         attempts on various accounts.
>
> - H. Morrow Long, CISSP, CISM
>   University Information Security Officer
>   Director -- Information Security Office
>   Yale University, ITS
>
>
> On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:
>
> > Is anyone else seeing any evidence of this on their campus?  Like Boston
> > College, we've been hit with this within the past two weeks, and at one
> > point the traffic generated by machines attempting to phone home
> > seriously affected our network performance.
> >
> >
> >
> > Virus Steals Student Passwords: Boston College's campus network was hit
> > by a virus that forced computers to guess at passwords that would provide
> > access to other linked machines.
> > The Heights
> >
> >
> > Curiously, we've found little discussion of this elsewhere.
> >
> > Gordon
> >
> > ********** Participation and subscription information for this EDUCAUSE
> > Discussion Group discussion list can be found at
> > <http://www.educause.edu/groups/>http://www.educause.edu/groups/.
> <br>
> <br>
> </blockquote></x-html>

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.