Educause Security Discussion mailing list archives

Re: bestfriends.scr/*Bot


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 10 Feb 2005 10:18:26 -0500

Wood, Anne M (wood) wrote:
> Does this traffic appear to run on any particular port?  I have two
> student computers sending traffic to this address to port 8080.  Also,
> has Symantec added this to their definitions?  I don't see any reference
> to this.

Symantec hasn't been exactly a stellar performer at identifying the more
recent IRC-based bots (of which this is still one) but they're catching up.

Be on the lookout for this one as we continue to see this.  There is a
bleeding edge snort rule for bestfriends.scr.

And it works.  Use it to find infected machines, and as Mark noted:

More info can be found at http://www.jayloden.com/BestFriends.htm

This is a good cleanup tool for the bestfriends variant (which infests
AIM, in addition to the other bot-nastiness).

The bleeding-snort rules will catch this and several other IRC-based
bots either directly or indirectly.  Several of the signatures contain
packet tagging triggers.  When you find a suspect alert, select the IP
in question, search on source/dest = that IP, clear the signature, sort
by time.  You'll end up with fragments of the IRC dialogue, enough to
tell if you are dealing with a bot or just a false positive.

After evaluating the actual bot signature alerts, the sigs for IRC
activity on non-standard ports are often helpful (extract the tagged
flows as described previously).

If you can block the upstream IPs (command and control), you render the
infected machines almost inert, other than any scans in progress and
startup nonsense they may perform on reboot.  That leaves time for
cleanup of the affected victims, and there will generally be several for
each C&C since they will attempt to spread locally (scanning IPs
starting with the same first two octets as the bot by default).

Jeff
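
A small triage helper in Python, added here as an example and not code from the list, from Jeff, or from the bleeding-snort project: it takes constructed tagged-packet records (the kind a Snort tag trigger logs once a bot signature fires), pulls every packet to or from a suspect IP regardless of signature, sorts them by time, and reports the IRC dialogue fragments and any non-standard IRC service ports. The record layout, the IRC regexes and the "two IRC lines" threshold are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample of tagged packets: (timestamp, src, sport, dst, dport, payload).
# Illustrative data only, not a real capture; 10.1.2.3 talks IRC to a C&C on 8080,
# 10.1.2.9 is ordinary web traffic that happened to trip a signature.
TAGGED_PACKETS = [
    ("02/10-10:01:02.000", "10.1.2.3", 1041, "192.0.2.10", 8080, "NICK [USA|XP]12345\r\n"),
    ("02/10-10:01:01.500", "10.1.2.3", 1041, "192.0.2.10", 8080, "USER abc 0 0 :abc\r\n"),
    ("02/10-10:01:03.000", "192.0.2.10", 8080, "10.1.2.3", 1041, ":irc.example 001 [USA|XP]12345 :Welcome\r\n"),
    ("02/10-10:01:04.000", "10.1.2.3", 1041, "192.0.2.10", 8080, "JOIN #chan key\r\n"),
    ("02/10-10:02:00.000", "10.1.2.9", 1050, "198.51.100.5", 80, "GET /index.html HTTP/1.1\r\n"),
    ("02/10-10:02:01.000", "10.1.2.9", 1050, "198.51.100.5", 80, "GET /nick.jpg HTTP/1.1\r\n"),
]

# Assumed patterns for the two halves of an IRC dialogue (client commands, server replies).
IRC_CLIENT_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG|MODE)\b")
IRC_SERVER_MSG = re.compile(r"^:\S+ (\d{3}|PRIVMSG|PING|JOIN)\b")
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {7000}

def irc_role(payload):
    """'client', 'server' or None depending on which side of an IRC exchange this looks like."""
    if IRC_CLIENT_CMD.match(payload):
        return "client"
    if IRC_SERVER_MSG.match(payload):
        return "server"
    return None

def flows_for_host(packets, host):
    """Every tagged packet with host as source or destination, any signature, sorted by time."""
    def ts(p):
        return datetime.strptime(p[0], "%m/%d-%H:%M:%S.%f")
    return sorted((p for p in packets if host in (p[1], p[3])), key=ts)

def triage_host(packets, host):
    """Reconstruct the IRC fragments for one host and decide bot vs. false positive."""
    dialogue, service_ports = [], set()
    for ts, src, sport, dst, dport, payload in flows_for_host(packets, host):
        role = irc_role(payload)
        if role is None:
            continue
        dialogue.append(payload.strip())
        # The IRC service port is the destination for client commands, the source for server replies.
        service_ports.add(dport if role == "client" else sport)
    verdict = "likely bot" if len(dialogue) >= 2 else "probable false positive"
    nonstd = sorted(p for p in service_ports if p not in STANDARD_IRC_PORTS)
    return {"host": host, "verdict": verdict, "dialogue": dialogue, "nonstandard_irc_ports": nonstd}
```

Feeding `triage_host` each IP from a suspect alert gives the time-ordered IRC fragments Jeff describes, and the non-standard port list is what you would turn into a block on the upstream C&C address.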
