Educause Security Discussion mailing list archives

Re: Fwd: URGENT: bot net with keylogger


From: Eli Dart <dart () NERSC GOV>
Date: Tue, 13 Apr 2004 16:24:03 -0700


In reply to "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU> :


Gary Flynn wrote:


I hope I didn't ruin somebody's investigation by posting that
site info. I thought it might be important for people to
know to block that site. I'm seeing incoming IM messages
carrying that link on an ongoing basis now. It's hard to
know when to keep quiet about sources and details to aid
law enforcement and when to post information that may keep
more machines from being compromised.

I hadn't disclosed that information publicly to the list because at the
moment it is the only static piece of intelligence on the botnet.  We've
shut the botnet down 3 times now already and "itr"'s determination at
keeping the network alive by changing IRC networks was what prompted
that decision.  We'll have to hope "itr" doesn't subscribe to EDUCAUSE-sec.

Hmmm....if this list is going to be used for real-time (or
quasi-real-time) discussion of operational security issues and
incidents, subscriptions _must_ be vetted.  Otherwise, the attackers
will be able to see what you do as you do it.  If they can't now,
it's only a matter of time till they figure it out.

Not sure what the criteria should be for subscription (I2 member?
Connected to I2?  R&E Network infrastructure?).....  I only fit into
the last category (NERSC networking and security -- NERSC is a DOE
entity, but having cross-pollination is a Good Thing in my book).

Anyway, I could be off in left hyperspace here, but Gary's comment
made me think the issue worth raising....

                --eli




**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
