Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: "Yantis, Jonathan Lindsey" <YantisJ () COFC EDU>
Date: Mon, 7 Feb 2005 16:30:01 -0500

This is agobot or one of the many, many botnet variants.  They use
practically every exploit out there to spread and there are tons of
different versions.  Watching IRC is the easiest way to catch them.  We
discovered them on our network due to them launching DDoS attacks from
our network commanded by an IRC channel.  The two tools I use for
finding these bots are these commands on Linux sniffing internet
traffic:


tcpdump -n -i eth1 tcp port 6667 or tcp port 6668 or tcp port 6669 or port 7000

ngrep -q -d eth1 "JOIN \#" not tcp port 80 and not tcp port 25 and not udp


The first one will get clients trying to connect on standard ports and
the second one will watch for IRC joins on non-standard ports.  When you
find the commanding IRC host put a block on outgoing to it and see what
it catches.  We found about 3 different variants on our network
connecting to three different IRC servers.  If you want to know more,
search botnets and agobot on Google.


Hope this helps


PS: because of the sheer amount of different versions, AV will not
always catch nor be able to clean the boxes.


 -- Jonathan Yantis - yantisj () cofc edu - (843-953-7770)
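The two heuristics in the message above (connections to the usual IRC ports, and an IRC JOIN of a "#" channel on any other port), as an added example that is not part of the original post. It runs the same checks in Python over stored packet records instead of a live sniff on eth1, then groups hits by destination host so the IRC server commanding the most internal machines stands out as the block candidate. The Packet record and the sample traffic at the bottom are constructed for the example.

```python
"""Spot IRC command-and-control traffic in packet records.

Added example, not code from the original post. Heuristic 1 is any TCP
traffic to a standard IRC port (same ports as the tcpdump filter);
heuristic 2 is an IRC JOIN seen on a non-standard port, skipping TCP 80/25
and UDP (same exclusions as the ngrep filter). The sample packets below
are constructed, not a real capture.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

IRC_PORTS = {6667, 6668, 6669, 7000}   # ports from the tcpdump filter above
EXCLUDED_TCP_PORTS = {80, 25}          # exclusions from the ngrep filter above

# Client-to-server "JOIN #chan" (RFC 1459); '&' channels are local to one server.
JOIN_RE = re.compile(rb"\bJOIN\s+[#&][^\s,]+", re.IGNORECASE)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # internal client
    dst: str        # remote host
    dport: int
    payload: bytes = b""


def on_irc_port(pkt: Packet) -> bool:
    """Heuristic 1: any TCP traffic to a standard IRC port."""
    return pkt.proto == "tcp" and pkt.dport in IRC_PORTS


def irc_join_off_port(pkt: Packet) -> bool:
    """Heuristic 2: an IRC JOIN on a non-standard port (not HTTP/SMTP, not UDP)."""
    return (pkt.proto == "tcp"
            and pkt.dport not in EXCLUDED_TCP_PORTS
            and JOIN_RE.search(pkt.payload) is not None)


def find_c2(packets):
    """Map each suspect destination host to the set of internal sources talking to it."""
    hits = defaultdict(set)
    for p in packets:
        if on_irc_port(p) or irc_join_off_port(p):
            hits[p.dst].add(p.src)
    return dict(hits)


def rank_c2(packets):
    """Suspect hosts ordered by how many distinct internal clients reach them."""
    return sorted(find_c2(packets).items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    Packet("tcp", "10.1.2.3", "198.51.100.7", 6667, b"NICK bot123\r\n"),
    Packet("tcp", "10.1.2.4", "198.51.100.7", 6667),                       # SYN only, no payload
    Packet("tcp", "10.1.2.5", "203.0.113.9", 3443, b"JOIN #warez\r\n"),
    Packet("tcp", "10.1.2.3", "203.0.113.9", 3443, b"JOIN #warez secretkey\r\n"),
    Packet("tcp", "10.1.2.9", "203.0.113.9", 3443, b"JOIN #warez\r\n"),
    Packet("tcp", "10.1.2.6", "192.0.2.10", 80, b"POST /chat HTTP/1.0\r\n\r\nJOIN #foo"),  # port 80: ignored
    Packet("udp", "10.1.2.7", "192.0.2.20", 53, b"JOIN #x"),               # UDP: ignored
    Packet("tcp", "10.1.2.8", "192.0.2.30", 443, b"\x16\x03\x01\x00\x50"),  # TLS, no match
]

if __name__ == "__main__":
    for host, clients in rank_c2(SAMPLE_PACKETS):
        print(f"{host}: {len(clients)} clients -> {sorted(clients)}")
```

Like the ngrep filter it mirrors, heuristic 2 keys on a string, so anything carrying "JOIN #" over an unusual TCP port (a web chat on 8080, say) will also show up; the ranking by distinct internal clients is what separates a commanding server from a one-off.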

________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joseph Vieira
Sent: Monday, February 07, 2005 11:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Worm activity/port 445


We have also been seeing a lot of this activity.

            Open port 113 (IRC auth port) -- random userid

            Propagation via unprotected Windows file sharing and LSASS
etc. vulnerabilities

            I have also noticed UDP port 69 open and running tftp on a
lot of these machines

            Various other symptoms

                        Rootkits installed in %windir%/system32/drivers/etc

                        IRC server running on one machine

I port scan for TCP 113 and UDP 69 to identify potential infections, and
also watch for high volumes of traffic on port 6667


Joe Vieira                  

Desktop Security Analyst   

Information Technology Services 

Clark University             

508.793.7287
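The port scan described in this message, as an added example that is not the poster's own tooling. TCP 113 is a plain connect test; UDP 69 needs more than that, because a closed UDP port normally answers nothing, so the probe sends a real TFTP read request (RFC 1350 RRQ, opcode 1) for a filename that should not exist and treats any TFTP reply, DATA (opcode 3) or ERROR (opcode 5), as proof of a listening server. The probe filename, timeouts and the selftest() loopback listeners are assumptions made for the example.

```python
"""Probe hosts for two of the symptoms above: an open TCP 113 (ident) and a
TFTP server answering on UDP 69.

Added example, not the original poster's scanner. selftest() exercises the
probes against throwaway listeners on 127.0.0.1, so the code can be checked
without scanning any real host.
"""
import socket
import struct
import threading

TFTP_RRQ, TFTP_DATA, TFTP_ERROR = 1, 3, 5


def tftp_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: | opcode 1 | filename | 0 | mode | 0 |."""
    return struct.pack("!H", TFTP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def tftp_listening(host: str, port: int = 69, timeout: float = 1.0) -> bool:
    """True if something answers a TFTP RRQ with a TFTP packet (DATA or ERROR)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            # Assumed probe name: we only care whether anything answers at all.
            s.sendto(tftp_rrq("probe-does-not-exist.bin"), (host, port))
            data, _ = s.recvfrom(1024)
        except OSError:   # timeout (no service) or ICMP port-unreachable surfaced as an error
            return False
    if len(data) < 2:
        return False
    return struct.unpack("!H", data[:2])[0] in (TFTP_DATA, TFTP_ERROR)


def scan(hosts, tcp_port: int = 113, udp_port: int = 69, timeout: float = 1.0) -> dict:
    """Return {host: {"tcp113": bool, "tftp": bool}} for hosts showing either symptom."""
    findings = {}
    for h in hosts:
        ident = tcp_open(h, tcp_port, timeout)
        tftp = tftp_listening(h, udp_port, timeout)
        if ident or tftp:
            findings[h] = {"tcp113": ident, "tftp": tftp}
    return findings


def _fake_tftp_server(sock: socket.socket) -> None:
    """Stand-in for a bot's tftp daemon: answers one RRQ with ERROR 1 (file not found)."""
    data, peer = sock.recvfrom(1024)
    if data[:2] == struct.pack("!H", TFTP_RRQ):
        sock.sendto(struct.pack("!HH", TFTP_ERROR, 1) + b"File not found\0", peer)


def selftest() -> dict:
    """Run the probes against loopback listeners; no real hosts are touched."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    # A port bound and immediately released is closed right afterwards.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    t = threading.Thread(target=_fake_tftp_server, args=(udp,), daemon=True)
    t.start()
    try:
        return {
            "tcp_open": tcp_open("127.0.0.1", tcp.getsockname()[1], 0.5),
            "tftp_listening": tftp_listening("127.0.0.1", udp.getsockname()[1], 0.5),
            "tcp_closed": tcp_open("127.0.0.1", closed_port, 0.5),
        }
    finally:
        t.join(1.0)
        tcp.close()
        udp.close()


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    print(scan(targets) if targets else selftest())
```

An open 113 on its own is weak evidence (some legitimate hosts run identd), which is why the scan reports both flags per host rather than a single verdict; a box with both a random-userid ident responder and a tftp daemon is the one to pull off the network first.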


-----Original Message-----
From: Kevin Pait [mailto:kevin.pait () UNCP EDU] 
Sent: Friday, February 04, 2005 3:22 PM
Subject: Re: Worm activity/port 445


We've been fighting this problem for the past two weeks.  It seems that
the virus we have been afflicted with is an unknown variant of the
W32/Sdbot.worm.  The variant we have drops a virus called Qhost which
causes PCs to redirect away from common anti-virus sites, windows
updates, etc.  McAfee provided an extra.dat to try and combat the worm
but it hasn't worked well.  Their latest definition file has seemed to
rid the virus from some systems while others can't totally shake it.  It
has been very time consuming for our support staff as our only totally
successful recourse has been to format, reinstall, and apply updates
totally offline.  Check traffic on ports 135, 445, and 1025 - this is
how we have identified afflicted PCs.  Affected machines are W2000 and
XP - some having most of their updates and latest virus definitions in
place.  Good luck.

________________________________


        From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
        Sent: Friday, February 04, 2005 2:55 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Worm activity/port 445

        We're seeing a lot of 445 scanning and an increasing rate of
infection - users complaining about a wide array of pop-ups, redirects
and other spyware type symptoms, slowing their systems to a crawl.
        
        Anyone else seeing something similar?
        
        Craig

        -- 

        Craig Blaha
        Associate Director
        Information Policy, Security and Web Development
        The College of New Jersey
        PO Box 7718
        Ewing, NJ 08628
        www.tcnj.edu 

        --------------------------------------------------------------
        Reminder: E-mail sent through the Internet is not secure.
        Do not use e-mail to send confidential information
        such as credit card numbers, changes of address, PIN
        numbers, passwords, or other important information.
        Your e-mail message is not private in
        that it is subject to review by the College, its officers,
        agents and employees.
        -------------------------------------------------------------- 

        ********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/groups/. 
