Educause Security Discussion mailing list archives

Re: Recent Gaobot event


From: "Penn, Blake" <pennb () UWW EDU>
Date: Wed, 22 Dec 2004 12:17:04 -0600

The DHCP guys here forced new leases on all our PCs when this broke out.
That seemed to cause a steep decline in the infection rate here.  This
tactic might be useful to "buy time" for cleanup.  Has this worked for
others as well?   
__
Blake Penn, CISSP
Information Security Officer
University of Wisconsin - Whitewater
262-472-5513  phone
262-472-1285  fax
pennb () uww edu e-mail  
________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gordon D. Wishon
Sent: Thursday, December 16, 2004 9:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event


Thanks, Morrow.  When we recognized what was going on, we crafted a set
of IDS rules to detect it and began applying our 'soft-disconnect'
policy to all infected hosts, effectively quarantining them until
they're cleaned up.  Cleaning the hosts is possible, but reinfection is
still quite likely as long as file and print sharing are enabled and
weak (brute-forceable) passwords are in place.  

The interesting thing is that there have been almost no reports of a
widespread outbreak, which suggests the originator might be triggering
limited, but targeted (to specific address blocks), botnet activities.
Most troubling, though, is that while detection and cleansing is
possible, prevention is difficult in environments where Windows file and
print sharing is essential and where desktop password practices are poor
-- which describes far too many of our campus environments.

Gordon

At 10:10 AM 12/16/2004 -0500, H. Morrow Long wrote:


        Gordon -- Yes, we saw this, but it was for approx. the
        two weeks prior to last week.  A number of PCs
        were hit with it and they began attempting to brute
        force the passwords for (all of ?) the accounts in our
        Active Directory.

        We'd just implemented a domain account lockdown
        policy -- a short lockdown period -- after a somewhat
        high number of unsuccessful login attempts
        so we began to see the effects of the new lockdown
        policy kick into effect rather quickly (some users
        reported their accounts would lock out for the
        lockdown period).

        The infected PCs would show up in the security
        event log of other computers and the active directory
        servers with high numbers of unsuccessful login
        attempts on various accounts.

        - H. Morrow Long, CISSP, CISM
          University Information Security Officer
          Director -- Information Security Office
          Yale University, ITS

        On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:

                Is anyone else seeing any evidence of this on their
                campus?  Like Boston College, we've been hit with this within the past
                two weeks, and at one point the traffic generated by machines attempting
                to phone home seriously affected our network performance.

                Virus Steals Student Passwords: Boston College's campus
                network was hit by a virus that forced computers to guess at passwords
                that would provide access to other linked machines.
                The Heights

                Curiously, we've found little discussion of this
                elsewhere.

                Gordon

                ********** Participation and subscription information
                for this EDUCAUSE Discussion Group discussion list can be found at
                http://www.educause.edu/groups/.


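As an added example, not code from this thread or from any of the campuses named in it, the script below does what Morrow describes: it reads failed-logon records from a Windows Security log, flags source hosts that spray many accounts in a short window (the candidates for a soft-disconnect), and reports which accounts would have tripped an account lockout policy of the kind Yale had just enabled. The log line layout, host names and account names are constructed for the demo; only the pre-Vista event IDs 529 (logon failure: bad user name or password) and 528 (successful logon) are real. The thresholds are assumptions to be tuned locally.

```python
"""Flag password-guessing hosts from Windows Security log failed logons.

Added example, not code from the thread. The log lines, host names and
account names are constructed; the field layout is a simplified stand-in
for the real Security log record. Event 529 (logon failure: bad user name
or password) and 528 (successful logon) are the real pre-Vista IDs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: LAB-PC-07 hammers one account, then walks through
# several more; MWHITE-PC is just a user mistyping their own password.
SAMPLE_LOG = """\
2004-12-15 09:12:01 DC1 529 user=jdoe src=LAB-PC-07
2004-12-15 09:12:02 DC1 529 user=jdoe src=LAB-PC-07
2004-12-15 09:12:03 DC1 529 user=jdoe src=LAB-PC-07
2004-12-15 09:12:04 DC1 529 user=jdoe src=LAB-PC-07
2004-12-15 09:12:05 DC1 529 user=jdoe src=LAB-PC-07
2004-12-15 09:12:06 DC1 529 user=asmith src=LAB-PC-07
2004-12-15 09:12:07 DC1 529 user=bjones src=LAB-PC-07
2004-12-15 09:12:08 DC1 529 user=clee src=LAB-PC-07
2004-12-15 09:12:09 DC1 529 user=dkim src=LAB-PC-07
2004-12-15 09:12:10 DC1 529 user=egarcia src=LAB-PC-07
2004-12-15 09:12:11 DC1 529 user=fnguyen src=LAB-PC-07
2004-12-15 09:12:12 DC1 529 user=gpatel src=LAB-PC-07
2004-12-15 09:12:13 DC1 529 user=hwang src=LAB-PC-07
2004-12-15 09:30:44 DC1 529 user=mwhite src=MWHITE-PC
2004-12-15 09:30:58 DC1 528 user=mwhite src=MWHITE-PC
2004-12-15 09:31:02 DC1 529 user=mwhite src=MWHITE-PC
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\d+) user=(\S+) src=(\S+)$")


def parse_failed_logons(text):
    """Return (timestamp, dc, account, source_host) for each 529 record;
    other event IDs (e.g. 528 successful logon) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "529":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(4).lower(), m.group(5).upper()))
    return events


def flag_guessing_sources(events, min_failures=10, min_accounts=5,
                          window=timedelta(minutes=5)):
    """Sources with >= min_failures failed logons spread over >= min_accounts
    distinct accounts inside any `window`-long interval. Returns
    {source_host: (total_failures, total_distinct_accounts)}."""
    by_src = defaultdict(list)
    for ts, _dc, account, src in events:
        by_src[src].append((ts, account))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the segment spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            seg = evs[start:end + 1]
            if len(seg) >= min_failures and len({a for _, a in seg}) >= min_accounts:
                flagged[src] = (len(evs), len({a for _, a in evs}))
                break
    return flagged


def locked_out_accounts(events, threshold=5, observation=timedelta(minutes=30)):
    """Accounts that would trip a lockout policy of `threshold` bad attempts
    within `observation` (a simplified model of the AD bad-password counter).
    Returns {account: time_of_lockout}."""
    by_account = defaultdict(list)
    for ts, _dc, account, _src in events:
        by_account[account].append(ts)
    locked = {}
    for account, stamps in by_account.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > observation:
                start += 1
            if end - start + 1 >= threshold:
                locked[account] = stamps[end]
                break
    return locked


if __name__ == "__main__":
    evs = parse_failed_logons(SAMPLE_LOG)
    for src, (n, k) in flag_guessing_sources(evs).items():
        print(f"quarantine candidate {src}: {n} failed logons on {k} accounts")
    for account, when in locked_out_accounts(evs).items():
        print(f"lockout: {account} at {when:%H:%M:%S}")
```

Run as-is the script names LAB-PC-07 as the only quarantine candidate and jdoe as the only account that would lock out; the lone mistyped password from MWHITE-PC trips neither rule. The two thresholds pull in opposite directions, which is the tension Morrow's message describes: a lockout threshold low enough to stop guessing also lets an infected neighbour lock legitimate users out, so the per-source rule is what identifies the machine to disconnect.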
