[unisog] IRC bot outbreaks

Gary Flynn flynngn at jmu.edu
Fri Jul 26 01:37:09 GMT 2002


Robert Dormer wrote:

>
> I'm just curious to know - what experiences have you all had
> with backdoor trojans like netbus and subseven, and remote
> controlled IRC bots?


They pop up now and again. We had a bad experience with them back in
2000:
http://www.jmu.edu/computing/info-security/engineering/issues/wintrino.shtml 


>   Specifically, have any of you suffered from
> large outbreaks of them, and if you did, how did you go about
> containing them and educating users and other administrators
> about them? 

Education is the same for them as for any malicious code. People have to
be made to understand that malicious code running on their computer takes
them, their accounts, their privacy, and our network hostage.

I get in front of as many people as possible with a 90-minute presentation
based on RUNSAFE. In the first 45 minutes I scare the hell out of people
by describing real events, current vulnerabilities, and possible
repercussions. In the last 45 minutes I present the tools and knowledge
needed to operate a computer in an insecure world...to a receptive
audience :)

Remote control BOT incidents are featured in the first 45 minutes
of the current presentation.

When we first started, we had a special presentation for IT folks with
demos. One of the demos went something like this:

Two computer screens projected on the wall.
On one computer, a forged email from "JMU Security" or a department head
warning of a new, rapidly spreading virus and urging the user to download
the Norton AV update attached to the email immediately.

The attachment was a bona fide Norton update executable with Subseven
attached. After it ran normally and everything looked fine I went to the
other computer where I had an email message waiting for me from
Subseven telling me I had another victim in my grasp.

Then I proceeded to grab login passwords from the victim, access
the Human Resource system from the victim's computer, use the
victim's computer as a pass through telnet session to another
host, etc. etc. etc.

Judging by the reaction, it seemed to be a helpful deterrent
to careless email attachment handling and a heads up on the risks of
remote control trojans like Subseven.

Students are the hardest to get the message to. I've been given lots
of opportunities to get in front of classes but only reach a small
percentage. We're going to schedule presentations in the residence
halls this year, and we dropped a video clip on the CD we distribute
to students as part of our residential networking program. We also
rewrote the material for our mandatory security awareness information
that everyone must at least click through when they change their
password:

http://www.jmu.edu/computing/security/sa/

--
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
