[unisog] Infected windows boxes with IRC controlled trojans on them

Mark Newman mnx at utk.edu
Thu Apr 11 19:52:56 GMT 2002


Why hasn't any EDU CERT organization or SANS commented on this? I realize 
this is *seemingly* the use of a well-known vulnerability, but the kit's 
footprint has to be unique enough to be worthy of mention somewhere. I know 
it *resembles* GT/Bot.

The trojaned w32time.exe is also widespread enough to be worthy of mention. 
I've counted 8 or 10 organizations on this list that have seen 
this...everyone on 3/22?

We had machines on campus that were considered to be secure, had excellent 
admin passwords, and are managed by very competent admins that were still 
affected by the w32time.exe trojan. No way could they have cracked the 
passwords with a brute force attack and not be spotted. Something is odd 
about all this, but I don't know what it is yet.

Mark Newman
University of Tennessee


