Educause Security Discussion mailing list archives
Re: bestfriends.scr/*Bot
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 10 Feb 2005 10:18:26 -0500
Wood, Anne M (wood) wrote:
> Does this traffic appear to run on any particular port? I have two student computers sending traffic to this address to port 8080. Also, has Symantec added this to their definitions? I don't see any reference to this.
Symantec hasn't been exactly a stellar performer at identifying the more recent IRC-based bots (of which this is still one) but they're catching up.
Be on the lookout for this one as we continue to see this. There is a bleeding edge snort rule for bestfriends.scr.
And it works. Use it to find infected machines, and as Mark noted:
More info can be found at http://www.jayloden.com/BestFriends.htm
This is a good cleanup tool for the bestfriends variant (which infests AIM, in addition to the other bot-nastiness).

The bleeding-snort rules will catch this and several other IRC-based bots either directly or indirectly. Several of the signatures contain packet tagging triggers. When you find a suspect alert, select the IP in question, search on source/dest = that IP, clear the signature, sort by time. You'll end up with fragments of the IRC dialogue, enough to tell if you are dealing with a bot or just a false positive.

After evaluating the actual bot signature alerts, the sigs for IRC activity on non-standard ports are often helpful (extract the tagged flows as described previously).

If you can block the upstream IPs (command and control), you render the infected machines almost inert, other than any scans in progress and startup nonsense they may perform on reboot. That leaves time for cleanup of the affected victims, and there will generally be several for each C&C since they will attempt to spread locally (scanning IPs starting with the same first two octets as the bot by default).

Jeff

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
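The triage procedure Jeff describes (pivot on the suspect IP across source and destination, ignore which signature fired, sort by time, read the recovered IRC fragments, then note the upstream C&C peers and the local /16 scanning) is shown below as an added example; it is not Jeff's tooling, nor a Bleeding Snort rule or artifact. The alert lines use a simplified version of Snort's "fast" output with the tagged payload appended in quotes, and every address, signature id, channel name and payload is constructed for the demo. The bot/false-positive heuristic (IRC verbs on a non-IRC port, or several probes into the host's own /16) is an assumption that restates the thread's two indicators, not a vendor classifier.

```python
"""Pivot Snort-style alerts on a suspect host, recover tagged IRC dialogue,
and separate a likely bot from a false positive.

Added example for this thread: not Jeff Kell's tooling and not a Bleeding
Snort artifact.  Alert format, addresses, signature ids and payloads are
all constructed for the demo."""
import re
from datetime import datetime

# Constructed alerts: timestamp, [gid:sid:rev] message, proto, src -> dst,
# and for tagged packets a trailing payload fragment in quotes.
ALERTS = [
    '02/10-10:01:05.100 [**] [1:900001:1] DEMO bestfriends.scr download [**] {TCP} 10.20.30.40:1037 -> 203.0.113.9:8080',
    '02/10-10:01:07.200 [**] [1:900002:1] DEMO IRC on non-standard port [**] {TCP} 10.20.30.40:1038 -> 198.51.100.7:8080 "NICK abc123"',
    '02/10-10:01:07.300 [**] [1:900002:1] DEMO IRC on non-standard port [**] {TCP} 10.20.30.40:1038 -> 198.51.100.7:8080 "JOIN #demo-chan"',
    '02/10-10:01:09.000 [**] [1:900002:1] DEMO IRC on non-standard port [**] {TCP} 198.51.100.7:8080 -> 10.20.30.40:1038 "PRIVMSG #demo-chan :login ok"',
    '02/10-10:01:12.000 [**] [1:900003:1] DEMO SMB probe [**] {TCP} 10.20.30.40:1040 -> 10.20.77.5:445',
    '02/10-10:01:12.050 [**] [1:900003:1] DEMO SMB probe [**] {TCP} 10.20.30.40:1041 -> 10.20.77.6:445',
    '02/10-10:01:12.100 [**] [1:900003:1] DEMO SMB probe [**] {TCP} 10.20.30.40:1042 -> 10.20.77.7:445',
    # Second host: ordinary chat on the real IRC port, no local probing (false positive).
    '02/10-10:02:00.000 [**] [1:900004:1] DEMO IRC traffic [**] {TCP} 10.20.30.41:1050 -> 192.0.2.10:6667 "PRIVMSG #study :see you at 3"',
    '02/10-10:02:01.000 [**] [1:900004:1] DEMO IRC traffic [**] {TCP} 10.20.30.41:1050 -> 192.0.2.10:6667 "PRIVMSG #study :ok"',
]

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) \[\*\*\] \[(?P<sig>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\] '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
    r'(?: "(?P<payload>[^"]*)")?$')
IRC_VERB = re.compile(r'^(NICK|USER|JOIN|PRIVMSG|PING|PONG|MODE|TOPIC)\b')
IRC_PORTS = range(6660, 6670)  # conventional IRC server ports


def parse_alert(line):
    """Turn one constructed alert line into a dict with typed fields."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError(f"unparsed alert line: {line!r}")
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
    return a


PARSED = [parse_alert(line) for line in ALERTS]


def pivot_on_host(alerts, host):
    """Thread step: search on source OR destination = host, drop the signature
    as a filter, and sort by time so the dialogue reads in order."""
    return sorted((a for a in alerts if host in (a["src"], a["dst"])), key=lambda a: a["ts"])


def irc_dialogue(host_alerts, host):
    """Recover (peer, peer_port, fragment) from tagged packets that look like IRC."""
    out = []
    for a in host_alerts:
        if a["payload"] and IRC_VERB.match(a["payload"]):
            peer, port = (a["dst"], a["dport"]) if a["src"] == host else (a["src"], a["sport"])
            out.append((peer, port, a["payload"]))
    return out


def local_scan_targets(host_alerts, host):
    """Distinct destinations the host touched inside its own /16 (same first two octets)."""
    prefix = ".".join(host.split(".")[:2]) + "."
    return sorted({a["dst"] for a in host_alerts
                   if a["src"] == host and a["dst"].startswith(prefix) and a["dst"] != host})


def assess(alerts, host):
    """Heuristic verdict (assumption, not a vendor classifier): IRC verbs on a
    non-IRC port, or probes into the local /16, mark the host as a bot."""
    host_alerts = pivot_on_host(alerts, host)
    chat = irc_dialogue(host_alerts, host)
    offport = [c for c in chat if c[1] not in IRC_PORTS]
    scans = local_scan_targets(host_alerts, host)
    verdict = "bot" if offport or len(scans) >= 3 else "false positive"
    return {
        "host": host,
        "verdict": verdict,
        "cnc_candidates": sorted({peer for peer, _, _ in offport}),  # upstream IPs to block
        "local_scan_targets": scans,
        "dialogue": [frag for _, _, frag in chat],
    }


if __name__ == "__main__":
    for host in ("10.20.30.40", "10.20.30.41"):
        print(assess(PARSED, host))
```

The `cnc_candidates` list is the input to the "block the upstream IPs" step; `local_scan_targets` is the list of neighbours to check next, since each C&C usually has several local victims. Real Snort alert and tagged-packet output has more fields than the constructed lines here, so the regex is the part to adapt.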
Current thread:
- bestfriends.scr/*Bot Mark Wilson (Feb 08)
- <Possible follow-ups>
- Re: bestfriends.scr/*Bot Wood, Anne M (wood) (Feb 10)
- Re: bestfriends.scr/*Bot Mark Wilson (Feb 10)
- Re: bestfriends.scr/*Bot Gary Flynn (Feb 10)
- Re: bestfriends.scr/*Bot Jeff Kell (Feb 10)