Re: Recent Gaobot event

[Joseph Vieira <jvieira () CLARKU EDU>]

Would you mind sending it to me as well?

Joe Vieira                  
Desktop Security Analyst   
Information Technology Services 
Clark University             
(508)-793-7287


-----Original Message-----
From: Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU] 
Sent: Monday, December 20, 2004 4:55 PM
Subject: Re: Recent Gaobot event

I would like it as well.

Aaron M Gibbs
Director 
Networking and Telecommunications
St. Augustine's College
Center for Information Technology
919-516-4237 (Office)
919-516-4382 (Fax)
amgibbs () st-aug edu 
www.st-aug.edu


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Mark Wilson
Sent: Thursday, December 16, 2004 3:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event


Gary,
I would like the snort sig as well.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

> > > dobbins () ND EDU 12/16/2004 11:08:23 AM >>>
If anyone would like the SNORT sig we're using to sense 'bots phoning
home
for control instructions, just drop me a line.  Am not sure posting it
here
would be wise - too many lurkers who might like to subtly alter this
overused variant to counter the sig.

When this triggers an alert on your SNORT, the bot is just waking up
and
still benign (relatively speaking) and can be removed before the
'owner'
wakes them up and uses them to do harm.


H. Morrow Long wrote:
> Gordon -- Yes, we saw this, but it was for approx. the
> two weeks prior to last week. A number of PCs
> were hit with it and they began attempting to brute
> force the passwords for (all of ?) the accounts in our
> Active Directory.
>
> We'd just implemented a domain account lockdown
> policy -- a short lockdown period -- after a somewhat
> high number of unsuccessful login attempts
> so we began to see the effects of the new lockdown
> policy kick into effect rather quickly (some users
> reported their accounts would lock out for the
> lockdown period).
>
> The infected PCs would show up in the security
> event log of other computers and the active directory
> servers with high numbers of unsuccessful login
> attempts on various accounts.
>
> - H. Morrow Long, CISSP, CISM
> University Information Security Officer
> Director -- Information Security Office
> Yale University, ITS
>
>
> On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:
>
>     Is anyone else seeing any evidence of this on their campus?
Like
>     Boston College, we've been hit with this within the past two
weeks,
>     and at one point the traffic generated by machines attempting to
>     phone home seriously affected our network performance.
>
>
>
>     Virus Steals Student Passwords: Boston College's campus network
was
>     hit by a virus that forced computers to guess at passwords that
>     would provide access to other linked machines.
>     /The Heights/
>
>
>     Curiously, we've found little discussion of this elsewhere.
>
>     Gordon
>
>     ********** Participation and subscription information for this
>     EDUCAUSE Discussion Group discussion list can be found at
>     http://www.educause.edu/groups/.

--

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.