Educause Security Discussion mailing list archives

Re: Fwd: URGENT: bot net with keylogger


From: "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU>
Date: Mon, 12 Apr 2004 13:53:45 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary Flynn wrote:


> I hope I didn't ruin somebody's investigation by posting that
> site info. I thought it might be important for people to
> know to block that site. I'm seeing incoming IM messages
> carrying that link on an ongoing basis now. It's hard to
> know when to keep quiet about sources and details to aid
> law enforcement and when to post information that may keep
> more machines from being compromised.

I hadn't disclosed that information publicly to the list because at the
moment it is the only static piece of intelligence on the botnet.  We've
shut the botnet down 3 times now already and "itr"'s determination at
keeping the network alive by changing IRC networks was what prompted
that decision.  We'll have to hope "itr" doesn't subscribe to EDUCAUSE-sec.

> Do you have any information on the traffic to the IDENT
> port? I assume it's a remote control trojan of some sort.
> We can't block incoming IDENT outright because some sites
> won't let clients connect without it. The IDP is blocking
> IDENT traffic that is out of spec in some way but I'd
> like to get more info on the actual traffic to create
> a specific attack signature.

The IDENT traffic should be normal IDENT data.  It's commonly used on
IRC networks.  On that issue though, everyone needs to be watching for
inbound IDENT replies.  These replies are a decent litmus to determine
if you have a rogue IRCD on your network.

> Also, any details on keylog files? After looking for date
> related files and watching a Filemon output from the
> aim1.exe didn't turn up anything, I'm resorting to full
> disk searches for strings I know were sent out because
> they showed up in our snort logs. But I still haven't found
> anything. I guess next, I'll have to look at deleted files.
> Sorry to repeat myself but it sure would be nice to have
> a handle on what information was compromised if there is
> any additional information out there on format or location
> of keylog files.

There is no output of the keylog to the local disk. It all goes to the
channel.

Cheers,
- -Dave
- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAeuW5BIf6jlONJjIRAuIVAKCey6OMOSFxIouK3xlwlff/DmfBRgCdG2gW
XDp06tggBTw+VOp+Z9i2ueY=
=XeKU
-----END PGP SIGNATURE-----
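Added example (not part of Dave's message or the list archive): Dave's point is that inbound IDENT replies are a useful litmus for a rogue IRCd. Under RFC 1413 the server side of a connection (an IRCd) opens a TCP connection to port 113 on the client's host to ask who owns the client port, so an internal machine that repeatedly connects out to port 113 on foreign hosts, and receives the replies, is acting as a server to outside clients. The script below walks a constructed flow log (the log format, the 10.20.30.0/24 address range, the threshold and all sample addresses are assumptions for the example) and lists internal hosts that issued IDENT queries to several distinct external hosts; it also parses the RFC 1413 reply line an IDS might capture.

```python
"""Flag internal hosts that behave like an IRC server by issuing IDENT queries.

RFC 1413 IDENT: the *server* end of a TCP connection (for example an IRCd)
connects to port 113 on the client host and asks which user owns the client
port.  An ordinary workstation answers IDENT queries; it does not send them.
So an internal host that queries port 113 on many foreign hosts (and gets the
replies back inbound) is acting as a server to outside clients.

The flow-log format, address range and sample records are constructed here.
"""
import ipaddress
from collections import defaultdict

# Constructed flow-log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_FLOWS = """\
2004-04-12T13:01:02 10.20.30.40:1056 -> 198.51.100.7:6667 tcp
2004-04-12T13:01:02 198.51.100.7:1822 -> 10.20.30.40:113 tcp
2004-04-12T13:05:10 10.20.30.99:40022 -> 203.0.113.5:113 tcp
2004-04-12T13:05:11 10.20.30.99:40023 -> 203.0.113.9:113 tcp
2004-04-12T13:05:12 10.20.30.99:40024 -> 192.0.2.44:113 tcp
2004-04-12T13:05:13 10.20.30.99:40025 -> 192.0.2.45:113 tcp
2004-04-12T13:06:00 10.20.30.41:2201 -> 192.0.2.80:80 tcp
"""

INTERNAL = ipaddress.ip_network("10.20.30.0/24")  # assumption: our address space
IDENT_PORT = 113


def parse_flow(line):
    """Split one constructed flow record into its fields."""
    ts, src, _arrow, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport), "proto": proto}


def ident_query_peers(log_text, internal=INTERNAL):
    """Map each internal host to the set of external hosts it sent IDENT queries to.

    Only flows *from* an internal host *to* external port 113 count: those are
    the queries an IRCd makes, whose replies then arrive inbound.  A normal
    client being queried (external -> internal:113) is ignored.
    """
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] != IDENT_PORT:
            continue
        if f["src"] in internal and f["dst"] not in internal:
            peers[str(f["src"])].add(str(f["dst"]))
    return peers


def suspected_ircd_hosts(log_text, threshold=3, internal=INTERNAL):
    """Internal hosts that queried IDENT on at least `threshold` distinct external hosts."""
    peers = ident_query_peers(log_text, internal)
    return sorted(host for host, ext in peers.items() if len(ext) >= threshold)


def parse_ident_reply(line):
    """Parse an RFC 1413 reply: '<port>, <port> : USERID : <opsys> : <user>' or
    '<port>, <port> : ERROR : <error-type>'.  The user-id may itself contain
    colons, so only the leading fields are split."""
    ports, rtype, rest = line.split(":", 2)
    p1, p2 = (int(p.strip()) for p in ports.split(","))
    rtype = rtype.strip()
    result = {"ports": (p1, p2), "type": rtype}
    if rtype == "USERID":
        opsys, user = rest.split(":", 1)
        result["opsys"] = opsys.strip()
        result["user"] = user.strip()
    else:
        result["error"] = rest.strip()
    return result


if __name__ == "__main__":
    for host in suspected_ircd_hosts(SAMPLE_FLOWS):
        print("possible IRCd:", host, "queried", sorted(ident_query_peers(SAMPLE_FLOWS)[host]))
```

Run against a real flow export, the threshold keeps a single legitimate server (say, a campus mail host that idents its clients) from tripping the check on one query, while a host querying dozens of outside clients stands out immediately; the reply parser is there so captured IDENT traffic can be checked for well-formed USERID/ERROR lines rather than blocked wholesale, which is the constraint Gary raised.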

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
