Security Incidents mailing list archives
Follow-up on the Botnet incident.
From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Mon, 14 Aug 2000 14:11:52 -0500
Several people have written me back, and I thank them. The incident with the bots continued over the course of the weekend, and we are still getting a trickle of them even now. Nowhere near the connection rates we were seeing before, and the number of different hosts has dropped dramatically.

We gleaned some more information during the course of the incident. One of our admins was able to ascertain which channel the bots were going to, which let us get a better handle on the traffic they were sending. Notably, these did not appear to be Sub7s (as I mentioned in my first post), and they were all sending encrypted data to the channel. We've got extensive logs of the encrypted traffic and were able to make some headway on identifying the crypto method they used. We were able to determine that the bots would respond to CTCP requests, and would echo an encrypted version of the CTCP traffic to the channel. If anyone is interested in playing some crypto games, I can give you what we've logged.

Several hours after we identified the channel (quite some time after my initial post) someone 'took over' one of the bots and talked to us in channel. He claimed this was an experiment by one of his friends to determine how big a botnet they could make, and he said he'd relay our request to remove the bots from our Net. (Politeness counts!) As the bot traffic has dropped off, we're guessing he honored our request.

My lasting questions are these.

1: What Windows trojan/bot encrypts to channel? Every bot we looked at was a Windows box, and the CTCP Version reply came back mIRC, though this is easy to fake.

2: What is the likely infection vector for these things? (We found open shares in some cases, and evidence of the network.vbs worm in one case, but ONLY one case of the 50 or so we examined.) Some form of email worm? A mIRC script virus? Something else?

3: How to defend against them? Like any other DDoS, I'm sure defense is difficult, but if these bots are anything like Sub7 (in fact, I realize they may be a new variant of Sub7) it may be possible to disinfect the hosts.

Comments? Thanks in advance.

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
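The post describes three observable traits of the bots: many hosts converging on one channel in a short time, ciphertext-like payloads sent to that channel, and a CTCP VERSION reply claiming mIRC (which the author notes is easy to fake). The following is an added detection example, not code from the original post or its author. It assumes a constructed server-side log format of the form `<epoch> <nick>!<user>@<host> <COMMAND> <target> :<payload>`, and the sample lines, hostnames and thresholds are all invented for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (not real traffic from the incident). Format assumed:
# "<epoch> <nick>!<user>@<host> <COMMAND> <target> :<payload>"
# CTCP replies travel as NOTICEs whose payload is wrapped in \x01 bytes.
SAMPLE_LOG = """\
966276000 bot01!x@10.0.0.11 JOIN #drone :
966276001 bot02!x@10.0.0.12 JOIN #drone :
966276002 bot03!x@10.0.0.13 JOIN #drone :
966276003 bot04!x@10.0.0.14 JOIN #drone :
966276003 bot05!x@10.0.0.15 JOIN #drone :
966276010 alice!a@192.0.2.5 JOIN #help :
966276011 alice!a@192.0.2.5 PRIVMSG #help :hi all, anyone around?
966276012 bot01!x@10.0.0.11 PRIVMSG #drone :x7Qz9#L!pR@kV2mW&cT4yB%nH8sJ^fD
966276013 bot02!x@10.0.0.12 PRIVMSG #drone :Gq3$Zr8!Lm1%Xv6&Kp0*Ct5^Wn9(Hb2
966276014 bot01!x@10.0.0.11 NOTICE admin :\x01VERSION mIRC v5.7\x01
966276015 bob!b@192.0.2.6 NOTICE admin :\x01VERSION irssi 0.7.98\x01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+) "
    r"(?P<cmd>[A-Z]+) (?P<target>\S+) :(?P<payload>.*)$"
)


def parse(log_text):
    """Parse the constructed log format into event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = int(ev["ts"])
            events.append(ev)
    return events


def shannon_entropy(text):
    """Bits of entropy per character. Encrypted or encoded payloads score near
    log2(alphabet size); ordinary chat text sits well below that."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def join_bursts(events, window=10, threshold=4):
    """Channels that saw at least `threshold` distinct hosts JOIN within `window` seconds."""
    joins = defaultdict(list)  # channel -> [(ts, host)]
    for ev in events:
        if ev["cmd"] == "JOIN":
            joins[ev["target"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for chan, entries in joins.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            hosts = {h for t, h in entries[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                flagged[chan] = hosts
                break
    return flagged


def analyze(log_text, window=10, join_threshold=4, entropy_threshold=4.5, min_len=16):
    """Return {host: [reasons]} for hosts showing bot-like behaviour."""
    events = parse(log_text)
    findings = defaultdict(list)
    for chan, hosts in join_bursts(events, window, join_threshold).items():
        for h in sorted(hosts):
            findings[h].append(f"join burst on {chan}")
    for ev in events:
        payload = ev["payload"]
        if (ev["cmd"] == "PRIVMSG" and len(payload) >= min_len
                and shannon_entropy(payload) >= entropy_threshold):
            findings[ev["host"]].append(f"high-entropy payload to {ev['target']}")
        # A VERSION reply naming mIRC is recorded only as a weak signal: the
        # banner is client-supplied and trivially forged, as the post notes.
        if ev["cmd"] == "NOTICE" and payload.startswith("\x01VERSION") and "mIRC" in payload:
            findings[ev["host"]].append("CTCP VERSION reply claims mIRC (weak signal)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

The join-burst and entropy checks are the ones worth acting on; the VERSION banner only corroborates. Thresholds are placeholders and should be tuned against the real connection rates the author mentions, since a busy legitimate channel can also see several joins in a few seconds.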
Current thread:
- Follow-up on the Botnet incident. PARKIN, MICHAEL M (PBI) (Aug 15)
- <Possible follow-ups>
- Re: Follow-up on the Botnet incident. Pierre Vandevenne (Aug 18)
- Re: Follow-up on the Botnet incident. PARKIN, MICHAEL M (PBI) (Aug 18)