Educause Security Discussion mailing list archives
Re: keylogger bots on #!!edu2k4
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Thu, 8 Apr 2004 17:54:01 -0500
While the following heuristic is trivial to change, the bots in these networks tend to have the following nick-naming schemes:

[EDU]-###### ; (######= 3-5 numbers)

Here's how a few keystrokes are presented:

Enter = (Return)
Tab = [TAB]
Arrow Down = [Down]
Change Windows = (Changed window)

This might be useful information to toss into your IDS.

~cam.

Cam Beasley
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of REN-ISAC
Sent: Thursday, April 08, 2004 09:31
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] keylogger bots on #!!edu2k4

Dear security@educause,

IU IT Security Office engineers discovered a keylogger bot herd on a public IRC server, channel #!!edu2k4. The channel has been shut down two times on different IRC networks. The channel is expected to resurface on another server.

If you have the capability, you may wish to monitor local network traffic for #!!edu2k4, and clean identified clients.

REN-ISAC was given a list of ~50 botted machines; we'll be directly contacting those sites.

Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
+1(812)855-3846
+1(812)325-3846 cell

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
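Added example, not part of either message above: a small Python filter that applies the three indicators given in the thread (the channel name, the [EDU]-### nick scheme and the keystroke markers) to raw IRC protocol lines. The raw-line input format, the function names and the sample traffic are assumptions constructed for illustration.

```python
import re

# Indicators quoted from the thread above; log format and names are assumptions.
BOT_NICK = re.compile(r"^\[EDU\]-\d{3,5}$")   # "[EDU]-" followed by 3-5 digits
CHANNEL = "#!!edu2k4"
KEY_MARKERS = ("(Return)", "[TAB]", "[Down]", "(Changed window)")

def parse_irc(line):
    """Split one raw IRC line into (prefix nick, command, params, trailing)."""
    line, nick = line.rstrip("\r\n"), None
    if line.startswith(":"):                  # relayed form ":nick!user@host CMD ..."
        prefix, _, line = line[1:].partition(" ")
        nick = prefix.split("!", 1)[0]
    head, _, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return nick, "", [], ""
    return nick, parts[0].upper(), parts[1:], trailing

def indicators(line):
    """Return the sorted indicator names that one IRC line triggers."""
    nick, cmd, params, trailing = parse_irc(line)
    first_arg = (params or [trailing])[0]     # some servers send "JOIN :#chan"
    hits = set()
    # A client's own "NICK x" carries no prefix, so check the argument too.
    candidates = [nick, first_arg] if cmd == "NICK" else [nick]
    if any(n and BOT_NICK.match(n) for n in candidates):
        hits.add("bot-nick")
    # IRC channel names are case-insensitive; JOIN may list several, comma-separated.
    if cmd in ("JOIN", "PRIVMSG") and CHANNEL in first_arg.lower().split(","):
        hits.add("channel")
    if cmd == "PRIVMSG" and any(m in trailing for m in KEY_MARKERS):
        hits.add("keystroke-markers")
    return sorted(hits)

# Constructed sample traffic (not captured from the incident).
SAMPLE = [
    "NICK [EDU]-4821",
    ":[EDU]-4821!u@host.example JOIN :#!!edu2k4",
    ":[EDU]-907!u@host.example PRIVMSG #!!EDU2k4 :(Changed window) user[TAB]example(Return)",
    ":alice!a@host.example PRIVMSG #help :press [TAB] to complete a nick",
    ":[EDU]-123456!u@host.example JOIN #chat",
]

def scan(lines):
    """Return (line number, indicators) for every line with at least one hit."""
    return [(i, hits) for i, l in enumerate(lines, 1) if (hits := indicators(l))]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE):
        print(lineno, ",".join(hits))
```

The fourth sample line shows why a keystroke marker alone is a weak signal: ordinary chat can contain "[TAB]", so an alert is better keyed on two or more indicators firing together.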