Re: bestfriends.scr AIM virus

["Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>]

other common IRC networks of late are:

 o Hacked.net
 o Cronation.net

~cam.

> -----Original Message-----
> From: Cam Beasley, ISO 
> Sent: 2005, January 23, Sunday 14:24
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: RE: [SECURITY] bestfriends.scr AIM virus
>
> there are several greenpeace.org IRC servers.. 
> might want to be a little less specific:
>
> alert tcp $HOME_NET !21:80 <> $EXTERNAL_NET !80 
> (content:"greenpeace.org"; nocase:; tag:session, 20, packets; 
> msg:"Possible RogueIRC [GREENPEACE]"; classtype:trojan-activity; 
>
> several other IRC sigs apply as well..
>
> ~cam.
>
> Cam Beasley
> Sr. InfoSec Analyst
> Information Security Office
> University of Texas at Austin
> cam () austin utexas edu
>
>
> > -----Original Message-----
> > From: The EDUCAUSE Security Discussion Group Listserv 
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of RLVaughn
> > Sent: 2005, January 22, Saturday 16:49
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] bestfriends.scr AIM virus
> >
> > Apologies for top posting:
> >
> > ---------
> > I've asked Gadi Evron to look into this.  He strongly suspects 
> > Albany.NYC.Greenpeace.org and it's currently associated IP of 
> > 81.91.66.220 to be a Command and Control for a bot drone army.
> > A rDNS search on the above IP yields ns1.mondomix-planet.com as the 
> > PTR record.
> >
> > Gadi supplies the following snort signatures and report of his 
> > detective work:
> > Snort:
> >         alert tcp any any -> any any (msg:"suspected 
> botnet/educause 
> > by Gadi Evron"; content: "Albany.NYC.Greenpeace.org";)
> >
> >         alert tcp $HOME_NET any -> 81.91.66.220 6667 
> (msg:"suspected 
> > botnet/educause by Gadi Evron";)
> >
> > IRC C&C session:
> > [19:04:28] *** Connecting to 81.91.66.220 (6667)
> > -
> > Welcome to the NYCNet IRC Network
> > |eS|00267! <snip by rlv>
> > Your host is Albany.NYC.Greenpeace.org, running version
> > Unreal3.2.2 This server was created Mon Jan 10 2005 at
> > 22:26:53 CET Albany.NYC.Greenpeace.org Unreal3.2.2 
> > iowghraAsORTVSxNCWqBzvdHtGp 
> lvhopsmntikrRcaqOALQbSeKVfMGCuzNT SAFELIST 
> > HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60 NICKLEN=30
> > CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 
> > WALLCHOPS WATCH=128 are supported by this server
> > SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ 
> > CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=NYCNet 
> > CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS 
> > CMDS=KNOCK,MAP,DCCALLOW,USERIP are supported by this server
> > -
> > There are 1 users and 580 invisible on 1 servers
> > -
> > Local host: <snip>
> > -
> > 1 operator(s) online
> > 67 unknown connection(s)
> > 3 channels formed
> > I have 581 clients and 0 servers
> > -
> > Current Local Users: 581  Max: 1014
> > Current Global Users: 581  Max: 1014
> > -
> > MOTD File is missing
> > -
> > [19:04:30] *** |eS|00267 sets mode: +iB
> > -
> > *** No one in your notify list is on IRC
> >
> >
> >
> > Regards,
> > Randal Vaughn
> > Professor
> > Baylor University
> >
> >
> >
> > Saturday, January 22, 2005, 12:44:42 AM, Brandie wrote:
> > ---------
> > > We have Tipping Point and at about 10:00 last night
> > multiple machines
> > > began doing user enumeration. By today they were hitting
> > ports 135 and
> > > 139 with login attempts, rpc scans, etc.
> > > We looked at 3 of the infected machines and found:
> > > 1) all Windows 2000
> > > 2) all had an entry under
> > > HKLM/software/microsoft/windows/currentversion/run and 
> /runservices 
> > > and the User tab of these two paths - titled WindowsSP2.exe
> > > 3) the %sysdir%/system32/ had a file named msgfix.exe
> >
> > > Once we had this information we found Sophos had it named
> > sdbot.QT and
> > > seems to be the only AV vendor with a signature for it.
> >
> > > On further Tipping Point inspection we found all the
> > infected machines
> > > and more to have received an IRC registration response 
> from one IP 
> > > address which we have since blocked at the border.
> >
> > > Thought I would send this info along in case it is relavent
> > and helps anyone.
> >
> > > Brandie Anderson, CISSP, MCSE, CNA
> > > Information Security Officer
> > > Texas Tech University
> >
> >
> >
> > > ________________________________
> >
> > > From: The EDUCAUSE Security Discussion Group Listserv on 
> behalf of 
> > > Jason Richardson
> > > Sent: Fri 1/21/2005 5:44 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] bestfriends.scr AIM virus
> >
> >
> >
> > > Just blocked about 20 machines doing the same thing on our
> > Res Net -
> > > all port 139.
> >
> > > ---
> > > Jason Richardson
> > > Manager, IT Security and Client Development Enterprise
> > Systems Support
> > > Northern Illinois University
> > > Voice: 815-753-1678
> > > Fax: 815-753-2555
> > > jasrich () niu edu
> >
> > > > > > brooksje () LONGWOOD EDU 1/21/2005 12:40:16 PM >>>
> > > Correction: it was port 139.  Started at 11:00 AM Eastern today.
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Discussion Group Listserv 
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jason Brooks
> > > Sent: Friday, January 21, 2005 1:19 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] bestfriends.scr AIM virus
> >
> > > Do you know if this one has any other characteristics to 
> watch for?
> > > We
> > > caught a dramatic increase in port 135 scans originating from the 
> > > RESNET this morning.  Before today, all was quiet, so I'm
> > wondering if
> > > there might be a connection.
> >
> > > Thanks,
> > > Jason Brooks
> >
> > > Jason Brooks
> > > Information Security Technician
> > > Longwood University
> > > 201 High Street
> > > Farmville, VA 23909
> > > (434) 395-2034
> > > mailto:brooksje () longwood edu
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Discussion Group Listserv 
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
> > > Sent: Friday, January 21, 2005 11:22 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: [SECURITY] bestfriends.scr AIM virus
> >
> > > Be on the lookout for this one as we are seeing a lot of
> > this.  There
> > > is a snort rule for it.
> >
> > > If you notice traffic going to 81.91.66.220, you probably have 
> > > infected hosts.
> >
> > > There are several strains going around as we have had to
> > update McAfee
> > > 3 times.
> >
> > > More info can be found at http://www.jayloden.com/BestFriends.htm
> >
> > > Mark Wilson
> > > GCIA, CISSP #53153
> > > Network Security Specialist
> > > Auburn University
> > > (334) 844-9347
> >
> > > **********
> > > Participation and subscription information for this EDUCAUSE 
> > > Discussion Group discussion list can be found at 
> > > http://www.educause.edu/groups/.
> >
> > > **********
> > > Participation and subscription information for this EDUCAUSE 
> > > Discussion Group discussion list can be found at 
> > > http://www.educause.edu/groups/.
> >
> > > **********
> > > Participation and subscription information for this EDUCAUSE 
> > > Discussion Group discussion list can be found at
> > http://www.educause.edu/groups/.
> >
> > > **********
> > > Participation and subscription information for this EDUCAUSE 
> > > Discussion Group discussion list can be found at 
> > > http://www.educause.edu/groups/.
> >
> >
> >
> > > **********
> > > Participation and subscription information for this EDUCAUSE 
> > > Discussion Group discussion list can be found at 
> > > http://www.educause.edu/groups/.
> >
> > **********
> > Participation and subscription information for this EDUCAUSE 
> > Discussion Group discussion list can be found at 
> > http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.