[Dshield] Is Mytob that bad?!?

David Vincent support at sleepdeprived.ca
Thu Jun 9 05:41:14 GMT 2005

Hi Eric!

Rest assured my system is clean.  In my professional life I'm the guy 
people call about these things.  :)   What with the irony of the 
situation and the timing of the emails, I just had to mail the list and 
send a shout out to those who made a difference.

There is more to my story of the cleanup, I simplified things a little 
for the list.  Mostly the usual stuff, checking for connections to 
suspicious servers with TCPView (great tip, Foundstone's Vision works 
too), full system scan with different antivirus engines and signature 
updates (symantec online scans, trendmicro online scans, etc for full 
paranoia relief), checks for new registry keys launching programs on 
startup (sysinternals' autoruns, or the "silent runners" script are my 
suggestions), all's good here.

Good advice for the greener members of the list though, and anyone out 
there who's lurking and taking notes.  We both know no matter how many 
times this sort of thing is said, it cannot be said enough.  More and 
more people everyday are discovering that surfing the net etc. means you 
need to think about security.  Then some of them even start turning to 
resources like this list for answers and education.  And most of them 
never check the archives.  :)


Eric Kedrosky wrote:

>Hash: SHA1
>After reading this post I felt that it was time to throw my hat into the
>"... told me about the symantec definition update ... i applied it and
>nailed the virus."
>I wouldn't be too confident that you nailed the virus 100%.
>The latest variants of MyTob, circulating for almost 3 weeks ... or more
>... all have had BotNet backdoors associated with them.  This means that
>when the virus is executed on your system it connects to an IRC server
><somewhere> on the Internet and checks in.  After that, the first thing
>that it usually does is download a *virus upgrade* and, in most of the
>MyTob variants that I have researched recently, downloads Spyware and
>Adware ... all of which your AV scanner doesn't detect.
>Furthermore, the virus will update itself as often as possible ... along
>with more spyware/adware .. from the BotNet.  Thus, it is actively
>staying one or two steps ahead of your AV scanner.
>Speaking of AV scanners, they can only detect what they know about.
>Thus, if the virus gets an update that your AV scanner doesn't know
>about then it won't find anything.  In one day I have submitted up to 5
>unique samples from one single infection point, all of which were
>unknown to a plethora of AV scanners.
>I honestly don't mean to single you out, that is not my purpose.  I
>would just like inform you, and anyone else, about how dangerous Bots
>really are.  I see this all the time, ppl get infected and use clean up
>tools from <an AV vendor> (insert the one you use here) but there
>infection doesn't go away.  They think it is gone b/c they don't see any
>outward sign of infection and then forget about it after a few days.  In
> 95% of the time, there is a Bot still lurking on the system, reporting
>home, getting updates, taking orders, fetching spyware/adware and who
>knows what else ... all under the nose of the AV software.
>All of that said, I am not sure what variant of MyTob that you were
>infected with, but a deeper inspection of your system might be worth
>while.  This can be easily done with programs like TcpView and/or
>Ethereal.  Shut down all apps the talk via the network and look for
>processes and/or traffic flows that are attempting to make connections.
>Ethereal is really good b/c you can view the TCP conversation instead of
>the raw packets.  If you still have a Bot you'll see it talking to the
>BotNet Controller ... look for "PING and "PONG", "JOIN #" and other IRC
>messages as well.

More information about the list mailing list