Re: Recent Gaobot event

[Yandro <yandro.chavez () ITESM MX>]

Would you be so kind to send it to me as well

Thanks in advance.
---
Yandro Chávez Rubio
Servicios de Seguridad de la Información
Vicerrectoria de Tecnologías de Información
Tecnológico de Monterrey
Tel:      +52 (442) 217-3892. Fax: (442) 217-3778
Mobile:  +52 (442) 281-0531
Intercampus:     80 VIT 4103, 80 QRO 3391
http://www.itesm.mx
--------------------------
El contenido de este mensaje de datos no se considera oferta, propuesta o
acuerdo, sino hasta que sea confirmado en  documento por escrito que
contenga la firma autógrafa del apoderado legal del ITESM. El contenido de
este mensaje de datos es confidencial y se entiende dirigido y para uso
exclusivo del destinatario, por lo que no podrá distribuirse y/o difundirse
por ningún medio sin la previa autorización del emisor original. Si usted no
es el destinatario, se le prohíbe su utilización total o parcial para
cualquier fin.
-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Viernes, 24 de Diciembre de 2004 06:33 p.m.
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event

Hopefully, I've replied individually with the sig to each person who's
asked on- and off-list (many have).  I'd initially written that I
would rather not post it to the list because the public nature of the
archives may make it too easy for a novice bot author to turn out a
new variant that the sig misses.

If few feel that risk remains, I'll be happy to post it here.


Barbara Tibbs wrote:
> Would you please pass it on to the whole list
>
> Thanks
>
>
>
> Barbara Tibbs
>
> Hampton University
>
> 757-728-6736
>
> barbara.tibbs () hamptonu edu
>
>
>
> ------------------------------------------------------------------------
>
> *From:* The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Michael Horne
> *Sent:* Tuesday, December 21, 2004 10:48 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Recent Gaobot event
>
>
>
> Would you be so kind to send it to me as well.
>
> Thanks in advance and Happy Holidays!
>
>
>
> Mike
>
>
>
> ------------------------------------------------------------------------
>
> *From:* The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Joseph Vieira
> *Sent:* Tuesday, December 21, 2004 9:40 AM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Recent Gaobot event
>
> Would you mind sending it to me as well?
>
> Joe Vieira
> Desktop Security Analyst
> Information Technology Services
> Clark University
> (508)-793-7287
>
>
>
> -----Original Message-----
> From: Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU]
> Sent: Monday, December 20, 2004 4:55 PM
> Subject: Re: Recent Gaobot event
>
> I would like it as well.
>
> Aaron M Gibbs
> Director
> Networking and Telecommunications
> St. Augustine's College
> Center for Information Technology
> 919-516-4237 (Office)
> 919-516-4382 (Fax)
> amgibbs () st-aug edu
> www.st-aug.edu
>
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Mark Wilson
> Sent: Thursday, December 16, 2004 3:39 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Recent Gaobot event
>
>
>
> Gary,
> I would like the snort sig as well.
>
> Mark Wilson
> GCIA, CISSP #53153
> Network Security Specialist
> Auburn University
> (334) 844-9347
>
> > > > dobbins () ND EDU 12/16/2004 11:08:23 AM >>>
> If anyone would like the SNORT sig we're using to sense 'bots phoning
> home
> for control instructions, just drop me a line.  Am not sure posting it
> here
> would be wise - too many lurkers who might like to subtly alter this
> overused variant to counter the sig.
>
> When this triggers an alert on your SNORT, the bot is just waking up
> and
> still benign (relatively speaking) and can be removed before the
> 'owner'
> wakes them up and uses them to do harm.
>
>
>
> H. Morrow Long wrote:
> >  Gordon -- Yes, we saw this, but it was for approx. the
> >  two weeks prior to last week. A number of PCs
> >  were hit with it and they began attempting to brute
> >  force the passwords for (all of ?) the accounts in our
> >  Active Directory.
> >
> >  We'd just implemented a domain account lockdown
> >  policy -- a short lockdown period -- after a somewhat
> >  high number of unsuccessful login attempts
> >  so we began to see the effects of the new lockdown
> >  policy kick into effect rather quickly (some users
> >  reported their accounts would lock out for the
> >  lockdown period).
> >
> >  The infected PCs would show up in the security
> >  event log of other computers and the active directory
> >  servers with high numbers of unsuccessful login
> >  attempts on various accounts.
> >
> >  - H. Morrow Long, CISSP, CISM
> >  University Information Security Officer
> >  Director -- Information Security Office
> >  Yale University, ITS
> >
> >
> >  On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:
> >
> >     Is anyone else seeing any evidence of this on their campus?
> Like
> >     Boston College, we've been hit with this within the past two
> weeks,
> >     and at one point the traffic generated by machines attempting to
> >     phone home seriously affected our network performance.
> >
> >
> >
> >     Virus Steals Student Passwords: Boston College's campus network
> was
> >     hit by a virus that forced computers to guess at passwords that
> >     would provide access to other linked machines.
> >     /The Heights/
> >
> >
> >     Curiously, we've found little discussion of this elsewhere.
> >
> >     Gordon
> >
> >     ********** Participation and subscription information for this
> >     EDUCAUSE Discussion Group discussion list can be found at
> >     http://www.educause.edu/groups/.
>
> --
>
>    ------------------------------------------------------------
>    Gary Dobbins, CISSP -- Director, Information Security
>    University of Notre Dame, Office of Information Technologies
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.
>
> **********
> Participation and subscription information for this EDUCAUSE Discussion
> Group discussion list can be found at http://www.educause.edu/groups/.
>
> ********** Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/groups/.
>
> ********** Participation and subscription information for this EDUCAUSE
> Discussion Group discussion list can be found at
> http://www.educause.edu/groups/. ********** Participation and
> subscription information for this EDUCAUSE Discussion Group discussion
> list can be found at http://www.educause.edu/groups/.

--

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.