Educause Security Discussion mailing list archives
Re: Fwd: URGENT: bot net with keylogger
From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Mon, 12 Apr 2004 13:53:45 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary Flynn wrote:

> I hope I didn't ruin somebody's investigation by posting that site info. I thought it might be important for people to know to block that site. I'm seeing incoming IM messages carrying that link on an ongoing basis now. It's hard to know when to keep quiet about sources and details to aid law enforcement and when to post information that may keep more machines from being compromised.

I hadn't disclosed that information publicly to the list because at the moment it is the only static piece of intelligence on the botnet. We've shut the botnet down 3 times now already and "itr"'s determination at keeping the network alive by changing IRC networks was what prompted that decision. We'll have to hope "itr" doesn't subscribe to EDUCAUSE-sec.

> Do you have any information on the traffic to the IDENT port? I assume it's a remote control trojan of some sort. We can't block incoming IDENT outright because some sites won't let clients connect without it. The IDP is blocking IDENT traffic that is out of spec in some way but I'd like to get more info on the actual traffic to create a specific attack signature.

The IDENT traffic should be normal IDENT data. It's commonly used on IRC networks. On that issue though, everyone needs to be watching for inbound IDENT replies. These replies are a decent litmus to determine if you have a rogue IRCD on your network.

> Also, any details on keylog files? After looking for date related files and watching a Filemon output from the aim1.exe didn't turn up anything, I'm resorting to full disk searches for strings I know were sent out because they showed up in our snort logs. But I still haven't found anything. I guess next, I'll have to look at deleted files. Sorry to repeat myself but it sure would be nice to have a handle on what information was compromised if there is any additional information out there on format or location of keylog files.

There is no output of the keylog to the local disk. It all goes to the channel.

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAeuW5BIf6jlONJjIRAuIVAKCey6OMOSFxIouK3xlwlff/DmfBRgCdG2gW
XDp06tggBTw+VOp+Z9i2ueY=
=XeKU
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
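Two points in the exchange above lend themselves to a concrete check: Dave's "inbound IDENT replies are a litmus for a rogue IRCD" and Gary's wish for a specific signature for out-of-spec IDENT traffic. The script below is an added example written for this archive page; it is not code from the thread or from either author. It assumes a hypothetical campus range of 10.0.0.0/8, flow records as (src_ip, src_port, dst_ip, dst_port) tuples where src is the side that opened the TCP connection (the sample records are constructed), and IDENT replies in the RFC 1413 response grammar. The direction test is the key idea: an outside IRC server querying identd on an inside client is normal, while an inside host opening IDENT lookups toward many outside hosts is behaving like an IRC server.

```python
"""Defender-side checks for the IDENT points raised in the thread.

Added example, not code from the thread or from either author. Assumptions:
  * the campus address space is 10.0.0.0/8 (hypothetical);
  * flow records are (src_ip, src_port, dst_ip, dst_port) tuples in which
    src is the side that opened the TCP connection (constructed below);
  * IDENT replies follow the RFC 1413 response grammar.
"""
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # hypothetical campus range
IDENT_PORT = 113

# RFC 1413 response, whitespace-tolerant:
#   <port-on-server> , <port-on-client> : USERID : <opsys>[,<charset>] : <user-id>
#   <port-on-server> , <port-on-client> : ERROR : <error-type>
IDENT_RESPONSE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(?:"
    r"USERID\s*:\s*([A-Za-z0-9_.-]+(?:\s*,\s*[A-Za-z0-9_.-]+)?)\s*:\s*(.+?)"
    r"|ERROR\s*:\s*(INVALID-PORT|NO-USER|HIDDEN-USER|UNKNOWN-ERROR|X[A-Za-z0-9-]{1,63})"
    r")\s*\r?\n?$"
)


def parse_ident_response(line):
    """Return a dict describing a well-formed IDENT reply, or None if it is out of spec.

    Anything that comes back None is a candidate for an "out of spec" signature:
    a real identd never emits it, so it is either noise or something else riding port 113.
    """
    if len(line) > 1000:  # RFC 1413 caps a response at 1000 characters
        return None
    m = IDENT_RESPONSE.match(line)
    if not m:
        return None
    server_port, client_port = int(m.group(1)), int(m.group(2))
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return None
    if m.group(5):  # ERROR branch matched
        return {"server_port": server_port, "client_port": client_port,
                "kind": "ERROR", "error": m.group(5)}
    return {"server_port": server_port, "client_port": client_port,
            "kind": "USERID", "opsys": m.group(3), "user": m.group(4)}


def classify_ident_flow(flow):
    """Direction is the whole story for IDENT:
    outside -> inside:113 is an outside IRC server checking one of our clients (expected);
    inside  -> outside:113 is one of our hosts acting as the server and doing the checking.
    """
    src_ip, _src_port, dst_ip, dst_port = flow
    if dst_port != IDENT_PORT:
        return "not-ident"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in INTERNAL and dst not in INTERNAL:
        return "server-side"   # our host is querying identd on remote clients
    if dst in INTERNAL and src not in INTERNAL:
        return "client-side"   # remote server is querying identd on our host
    return "other"


def find_rogue_ircd_candidates(flows, min_peers=3):
    """Internal hosts that opened IDENT lookups toward min_peers or more distinct
    outside hosts. A desktop IRC client never does this; an IRCD does it for every
    client that connects, which is the litmus described in the thread."""
    peers = defaultdict(set)
    for flow in flows:
        if classify_ident_flow(flow) == "server-side":
            peers[flow[0]].add(flow[2])
    return {host: sorted(p) for host, p in peers.items() if len(p) >= min_peers}


SAMPLE_FLOWS = [  # constructed records, not captured traffic
    ("10.1.2.3", 51001, "198.51.100.7", 113),   # 10.1.2.3 querying identd on four outside hosts
    ("10.1.2.3", 51002, "198.51.100.8", 113),
    ("10.1.2.3", 51003, "203.0.113.21", 113),
    ("10.1.2.3", 51004, "203.0.113.22", 113),
    ("203.0.113.5", 40000, "10.1.9.9", 113),    # outside server checking an inside client: normal
    ("10.1.4.4", 52000, "203.0.113.9", 113),    # a single lookup, below the threshold
    ("10.1.2.3", 51005, "198.51.100.7", 6667),  # not IDENT at all
]

if __name__ == "__main__":
    print(find_rogue_ircd_candidates(SAMPLE_FLOWS))
    for sample in ("6667, 51001 : USERID : UNIX : alice\r\n",
                   "6667 , 51001 : ERROR : NO-USER\r\n",
                   "6667, 51001 : USERID : UNIX\r\n"):
        print(repr(sample), "->", parse_ident_response(sample))
```

The flow check needs only connection-initiator data (netflow, argus, firewall accept logs), so it works even where payloads are not captured; the response parser is the piece to feed from an IDS payload rule on port 113 when a specific signature is wanted. The threshold of three peers is arbitrary and should be tuned to how many legitimate identd clients a campus actually runs.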
Current thread:
- URGENT: bot net with keylogger REN-ISAC (Apr 05)
- <Possible follow-ups>
- Re: URGENT: bot net with keylogger Doug Pearson (Apr 05)
- Re: Fwd: URGENT: bot net with keylogger Doug Pearson (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger T. Charles Yun (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Krulewitch, Sean (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Kathy Bergsma (Apr 09)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Eli Dart (Apr 13)