[unisog] IRC bot outbreaks

Anderson Johnston andy at umbc.edu
Wed Jul 24 22:26:32 GMT 2002


On Wed, 24 Jul 2002, Robert Dormer wrote:

> Hello all,
>
> I'm just curious to know - what experiences have you all had
> with backdoor trojans like netbus and subseven, and remote
> controlled IRC bots?  Specifically, have any of you suffered from
> large outbreaks of them, and if you did, how did you go about
> containing them and educating users and other administrators
> about them?
>
>
> Regards,
> Robert Dormer
>
>
>
>


We're crawling with them.  I use the daily reports from the NIDS and
Netflow to pick out the worst offenders bandwidth-wise, hunt them down (we
have a lot of address pools), and verify the compromise.

Many - half at least - suffer from bad Administrator passwords (like
"administrator") or none at all.  My current "express" procedure is to run
netstat -an and fport to identify the 'bots activity and location, then
their downloads, then anything else odd, get some directory listings,
gather any configuration files that look interesting, dump the registry
and event logs and the SAM file, delete the downloads, and shut off the
machine.

Then I tell the owner to re-install Windows.  This isn't always taken
well, but I make it a point to show the owner the downloaded
warez/games/movies/music/pr0n/etc., then point out that whoever set this
up could have done *anything* and that if something else happens we will
probably have to drop the machine from the network.  Then the talk about
good password practices, patches, etc. and the Help Desk phone number in
case they need help with the re-install.

If anyone has any good suggestions for user education, beyond using good
passwords, turning off shares, keeping up with patches and updating the
anti-virus sigs, please post them.  I would love to get something together
before the students get back.

<rant>
With the exception of a few mad scientists and their Linux boxes, most of
the Unix systems on campus have an identifiable admin who is on our
mailing list for security updates.

We maintain a similar list for Windows admins, but the majority of Windows
boxes don't really have an admin at all, just someone with the password.
It's a real problem getting the word out about good Windows security
practices.
</rant>

						- Andy


------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------



More information about the unisog mailing list