Educause Security Discussion mailing list archives
Re: Recent Gaobot event
From: Yandro <yandro.chavez () ITESM MX>
Date: Tue, 4 Jan 2005 10:49:33 -0600
Would you be so kind to send it to me as well. Thanks in advance.

---
Yandro Chávez Rubio
Information Security Services
Vice-Rectorate of Information Technologies
Tecnológico de Monterrey
Tel: +52 (442) 217-3892. Fax: (442) 217-3778
Mobile: +52 (442) 281-0531
Intercampus: 80 VIT 4103, 80 QRO 3391
http://www.itesm.mx
--------------------------
The content of this data message is not considered an offer, proposal or agreement until it is confirmed in a written document bearing the handwritten signature of ITESM's legal representative. The content of this data message is confidential and is understood to be addressed to, and for the exclusive use of, the recipient, so it may not be distributed and/or disseminated by any means without the prior authorization of the original sender. If you are not the recipient, you are prohibited from using it in whole or in part for any purpose.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Friday, December 24, 2004 06:33 p.m.
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event

Hopefully, I've replied individually with the sig to each person who's asked on- and off-list (many have).

I'd initially written that I would rather not post it to the list because the public nature of the archives may make it too easy for a novice bot author to turn out a new variant that the sig misses. If few feel that risk remains, I'll be happy to post it here.

Barbara Tibbs wrote:
Would you please pass it on to the whole list. Thanks

Barbara Tibbs
Hampton University
757-728-6736
barbara.tibbs () hamptonu edu

------------------------------------------------------------------------
*From:* The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Michael Horne
*Sent:* Tuesday, December 21, 2004 10:48 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Recent Gaobot event

Would you be so kind to send it to me as well. Thanks in advance and Happy Holidays!

Mike

------------------------------------------------------------------------
*From:* The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Joseph Vieira
*Sent:* Tuesday, December 21, 2004 9:40 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] Recent Gaobot event

Would you mind sending it to me as well?

Joe Vieira
Desktop Security Analyst
Information Technology Services
Clark University
(508)-793-7287

-----Original Message-----
From: Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU]
Sent: Monday, December 20, 2004 4:55 PM
Subject: Re: Recent Gaobot event

I would like it as well.

Aaron M Gibbs
Director Networking and Telecommunications
St. Augustine's College
Center for Information Technology
919-516-4237 (Office)
919-516-4382 (Fax)
amgibbs () st-aug edu
www.st-aug.edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mark Wilson
Sent: Thursday, December 16, 2004 3:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event

Gary,

I would like the snort sig as well.

Mark Wilson GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

dobbins () ND EDU 12/16/2004 11:08:23 AM >>>

If anyone would like the SNORT sig we're using to sense 'bots phoning home for control instructions, just drop me a line.
Am not sure posting it here would be wise - too many lurkers who might like to subtly alter this overused variant to counter the sig.

When this triggers an alert on your SNORT, the bot is just waking up and still benign (relatively speaking) and can be removed before the 'owner' wakes them up and uses them to do harm.

H. Morrow Long wrote:

Gordon --

Yes, we saw this, but it was for approx. the two weeks prior to last week.

A number of PCs were hit with it and they began attempting to brute force the passwords for (all of ?) the accounts in our Active Directory.

We'd just implemented a domain account lockdown policy -- a short lockdown period -- after a somewhat high number of unsuccessful login attempts so we began to see the effects of the new lockdown policy kick into effect rather quickly (some users reported their accounts would lock out for the lockdown period).

The infected PCs would show up in the security event log of other computers and the active directory servers with high numbers of unsuccessful login attempts on various accounts.

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:

Is anyone else seeing any evidence of this on their campus? Like Boston College, we've been hit with this within the past two weeks, and at one point the traffic generated by machines attempting to phone home seriously affected our network performance.

Virus Steals Student Passwords: Boston College's campus network was hit by a virus that forced computers to guess at passwords that would provide access to other linked machines. /The Heights/

Curiously, we've found little discussion of this elsewhere.
Gordon

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
--
------------------------------------------------------------
Gary Dobbins, CISSP -- Director, Information Security
University of Notre Dame, Office of Information Technologies
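
The symptom H. Morrow Long describes in the thread above (an infected PC appearing in security event logs with high numbers of unsuccessful logins on various accounts) can be turned into a simple detection, shown here as an added example that is not part of the original thread. The log format, host names, account names and thresholds are all constructed assumptions; map the fields to whatever your failed-logon export actually contains.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,source_host,target_account,result".
# This is a simplified, made-up export format, not a real Windows log layout.
SAMPLE_LOG = """\
2004-12-10T09:00:01,PC-LAB-17,asmith,FAIL
2004-12-10T09:00:03,PC-LAB-17,bjones,FAIL
2004-12-10T09:00:05,PC-OFFICE-03,jdoe,FAIL
2004-12-10T09:00:06,PC-LAB-17,cwhite,FAIL
2004-12-10T09:00:09,PC-LAB-17,dgreen,FAIL
2004-12-10T09:00:12,PC-OFFICE-03,jdoe,FAIL
2004-12-10T09:00:14,PC-LAB-17,eblack,FAIL
2004-12-10T09:00:17,PC-LAB-17,fbrown,FAIL
2004-12-10T09:00:20,PC-OFFICE-03,jdoe,OK
2004-12-10T09:00:22,PC-LAB-17,asmith,FAIL
"""

def find_spraying_hosts(lines, window=timedelta(minutes=5),
                        min_failures=6, min_accounts=4):
    """Flag sources with many failed logins across many accounts in a window.

    Returns {source_host: (peak_failures, peak_distinct_accounts)}.
    Thresholds are illustrative assumptions; tune them against your own
    baseline and lockout policy. Input must be in time order.
    """
    recent = defaultdict(deque)          # per-source sliding window of failures
    flagged = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, source, account, result = line.split(",")
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_text)
        window_q = recent[source]
        window_q.append((ts, account))
        while ts - window_q[0][0] > window:   # expire entries older than window
            window_q.popleft()
        accounts = {acct for _, acct in window_q}
        # A user mistyping a password hits ONE account; a bot hits many.
        if len(window_q) >= min_failures and len(accounts) >= min_accounts:
            peak_f, peak_a = flagged.get(source, (0, 0))
            flagged[source] = (max(peak_f, len(window_q)),
                               max(peak_a, len(accounts)))
    return flagged

if __name__ == "__main__":
    for host, (fails, accts) in find_spraying_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {fails} failed logins across {accts} accounts")
```

Requiring both a failure count and a distinct-account count keeps a single user's repeated typos from being flagged alongside the guessing host.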