Educause Security Discussion mailing list archives
Re: bestfriends.scr/*Bot
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Thu, 10 Feb 2005 08:44:22 -0600
What happens is those who use AIM will see a friend's away message that says "OMG LOOK http://www.anylink.com/bestfriends.scr !?!?!?!?!". People click on the link and the malware is downloaded to their system. The malware is a form of SD/Goa/WhateverBot and may open a backdoor on port 113/tcp or another port.

The Botnet begins communicating to the compromised host via rBot commands (see http://www.angelfire.com/theforce/travon1120/RxBotCMDLIST.html; we have seen the command avscan issued to scan for vulnerable machines for lsass and the download command to drop malware on the host). The cycle continues as the compromised systems seek to exploit more systems on local networks. Exploits are realized because of unpatched systems and weak/blank passwords.

I have accessed some of the above "bestfriend" links and scanned the malware via http://virusscan.jotti.org. We use McAfee exclusively here at AU but the virus vendors are not keeping up with all the variants of this Botware...

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347
wood () JUNIATA EDU 2/10/2005 7:51:56 AM >>>
Does this traffic appear to run on any particular port? I have two student computers sending traffic to this address to port 8080. Also, has Symantec added this to their definitions? I don't see any reference to this.

Anne Wood
Network Manager
Juniata College
814-641-5310

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Tuesday, February 08, 2005 12:15 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] bestfriends.scr/*Bot

Be on the lookout for this one as we continue to see this. There is a bleeding edge snort rule for bestfriends.scr. If you notice traffic going to 209.152.177.208, you probably have infected hosts on your network. This malware spreads via AIM (embedded URL in away message) and drops AgoBot/GoaBot/*Bot on the victim's host. There are several strains going around. More info can be found at http://www.jayloden.com/BestFriends.htm

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
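The thread gives three network-side indicators a campus security team could look for: connections to the drop site 209.152.177.208 (seen on port 8080), URLs fetching a file named bestfriends.scr, and one host sweeping many neighbours looking for the LSASS hole after the bot's avscan command. The script below is an added example, not code from any of the thread's authors or from the Bleeding Edge Snort rule they mention. It runs over a constructed log in a hypothetical "timestamp src:port -> dst:port [url=...]" format (no real product emits exactly this layout), and it assumes the LSASS scanning goes over 445/tcp with a tunable threshold of distinct peers.

```python
"""Flag hosts showing the bestfriends.scr / *Bot indicators named in the thread.

Constructed example: the log layout is hypothetical, the sample lines are made up,
and treating many distinct 445/tcp peers as a scan is a heuristic assumption.
"""
import re
from collections import defaultdict

DROP_SITE_IP = "209.152.177.208"     # address named in the original post
LURE_FILENAME = "bestfriends.scr"    # lure file name from the AIM away message
SMB_PORT = 445                       # assumption: LSASS probing rides over SMB on 445/tcp
SCAN_THRESHOLD = 5                   # distinct 445/tcp peers before we call it a scan (tunable)

# One connection per line: "<ISO timestamp> <src>:<sport> -> <dst>:<dport>[ url=<url>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+T\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)(?: url=(?P<url>\S+))?$"
)

# Constructed sample: 10.1.5.23 fetches the lure, phones the drop site, then sweeps 445;
# 10.1.5.40 only contacts the drop site; 10.1.5.77 touches one file server (benign).
SAMPLE_LOG = """\
2005-02-10T08:01:03 10.1.5.23:1045 -> 10.1.5.1:53
2005-02-10T08:01:09 10.1.5.23:1046 -> 64.12.24.44:5190
2005-02-10T08:01:40 10.1.5.23:1047 -> 207.46.0.12:80 url=http://www.anylink.com/bestfriends.scr
2005-02-10T08:02:11 10.1.5.23:1048 -> 209.152.177.208:8080
2005-02-10T08:03:01 10.1.5.23:1050 -> 10.1.5.30:445
2005-02-10T08:03:01 10.1.5.23:1051 -> 10.1.5.31:445
2005-02-10T08:03:02 10.1.5.23:1052 -> 10.1.5.32:445
2005-02-10T08:03:02 10.1.5.23:1053 -> 10.1.5.33:445
2005-02-10T08:03:03 10.1.5.23:1054 -> 10.1.5.34:445
2005-02-10T08:03:03 10.1.5.23:1055 -> 10.1.5.35:445
2005-02-10T08:04:20 10.1.5.40:1200 -> 209.152.177.208:8080
2005-02-10T08:05:00 10.1.5.77:1100 -> 10.1.5.31:445
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict of fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return {src_ip: sorted indicator names} for every host that tripped an indicator."""
    hits = defaultdict(set)
    smb_peers = defaultdict(set)          # src -> distinct hosts it touched on 445/tcp
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # blank or malformed line; never raise on bad input
        src = rec["src"]
        if rec["dst"] == DROP_SITE_IP:    # any port: the thread saw 8080, strains may differ
            hits[src].add("drop_site_contact")
        url = rec.get("url")
        if url:
            path = url.split("?", 1)[0]   # ignore any query string
            if path.lower().rsplit("/", 1)[-1] == LURE_FILENAME:
                hits[src].add("lure_download")
        if rec["dport"] == SMB_PORT:
            smb_peers[src].add(rec["dst"])
    for src, peers in smb_peers.items():
        if len(peers) >= scan_threshold:
            hits[src].add("smb_scan")
    return {src: sorted(names) for src, names in hits.items()}


if __name__ == "__main__":
    for host, names in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{host}: {', '.join(names)}")
```

The 445/tcp sweep is the most generic of the three checks and the one most likely to survive a change of drop site or lure name, so in practice it is worth tuning the threshold against a day of normal traffic before alerting on it; the single file-server connection from 10.1.5.77 shows why a threshold of one would be noisy.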