[unisog] Infected windows boxes with IRC controlled trojans onthem

Gerry Sneeringer sneeri at nts.umd.edu
Thu Apr 11 17:23:21 GMT 2002


Here at Maryland, we have seen quite a bit of this in recent days.  In our
case as well, each host was a win2k box w/ a weak or null administrator
password.

It appears that a worm passed through and in addition to the IRC bot,
also dropped an ftp server on tcp/22222 and an sshd on tcp/65300.  The IRC
bot establishes a connection with the #Gotwarez? channel and starts
advertising that it has zero files available for XDCC transfer.  At a
later point, a small number of Warez files (or DVD's) appear on the host.
The XDCC advertisement includes the string:
 "Fuck Milk...Gotwarez?"
A Snort pattern match on that string produced a number of hits within a
few minutes.

I crawled into the sewer (i.e. connected to #gotwarez?) and listed the
bots and found 83 .EDU hosts from 16 different domains active.  I'll be
dropping a note to each school as soon as I have a moment.

-Gerry

---
Gerry Sneeringer
IT Security Officer
University of Maryland, College Park
PGP key: http://nts.umd.edu/~sneeri/pgp.txt
PGP fingerprint: D8 31 14 26 3D 60 22 53 CB 12 A8 01 C0 BE BA 81




More information about the unisog mailing list