Educause Security Discussion mailing list archives
Re: Recent Gaobot event
From: "Gordon D. Wishon" <gwishon () ND EDU>
Date: Thu, 16 Dec 2004 10:28:17 -0500
Thanks, Morrow. When we recognized what was going on, we crafted a set of IDS rules to detect it and began applying our 'soft-disconnect' policy to all infected hosts, effectively quarantining them until they're cleaned up. Cleaning the hosts is possible, but reinfection is still quite likely as long as file and print sharing are enabled and weak (brute-forceable) passwords are in place. The interesting thing is that there have been almost no reports of a widespread outbreak, which suggests the originator might be triggering limited, but targeted (to specific address blocks), botnet activities. Most troubling, though, is that while detection and cleansing is possible, prevention is difficult in environments where Windows file and print sharing is essential and where desktop password practices are poor -- which describes far too many of our campus environments. Gordon At 10:10 AM 12/16/2004 -0500, H. Morrow Long wrote:
Gordon -- Yes, we saw this, but it was for approx. the two weeks prior to last week. A number of PCs were hit with it and they began attempting to brute force the passwords for (all of ?) the accounts in our Active Directory. We'd just implemented a domain account lockdown policy -- a short lockdown period -- after a somewhat high number of unsuccessful login attempts so we began to see the effects of the new lockdown policy kick into effect rather quickly (some users reported their accounts would lock out for the lockdown period). The infected PCs would show up in the security event log of other computers and the active directory servers with high numbers of unsuccessful login attempts on various accounts. - H. Morrow Long, CISSP, CISM University Information Security Officer Director -- Information Security Office Yale University, ITS On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:Is anyone else seeing any evidence of this on their campus? Like Boston College, we've been hit with this within the past two weeks, and at one point the traffic generated by machines attempting to phone home seriously affected our network performance. Virus Steals Student Passwords: Boston College's campus network was hit by a virus that forced computers to guess at passwords that would provide access to other linked machines. The Heights Curiously, we've found little discussion of this elsewhere. Gordon ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at <http://www.educause.edu/groups/>http://www.educause.edu/groups/.<br> <br> </blockquote></x-html>
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Recent Gaobot event Gordon D. Wishon (Dec 16)
- <Possible follow-ups>
- Re: Recent Gaobot event H. Morrow Long (Dec 16)
- Re: Recent Gaobot event Gordon D. Wishon (Dec 16)
- Re: Recent Gaobot event Gary Dobbins (Dec 16)
- Re: Recent Gaobot event Mike Peterson (Dec 16)
- Re: Recent Gaobot event Jim Pollard (Dec 16)
- Re: Recent Gaobot event Dave Monnier, IT Security Office, Indiana University (Dec 16)
- Re: Recent Gaobot event Mark Wilson (Dec 16)
- Re: Recent Gaobot event David Escalante (Dec 16)
- Re: Recent Gaobot event Gibbs, Aaron M. (Dec 20)
- Re: Recent Gaobot event Joseph Vieira (Dec 21)
- Re: Recent Gaobot event Michael Horne (Dec 21)
- Re: Recent Gaobot event Robert Johnson (Dec 21)
(Thread continues...)