[unisog] IRC bot outbreaks

Andrea Tanner tanner at oakland.edu
Mon Jul 29 12:15:04 GMT 2002

I know I am coming late into this thread so sorry about that.  ;)  I am
new to the list; my name is Andrea and I manage the Helpdesk at Oakland
University in Rochester, Michigan.

We had this type of IRC and trojans outbreak in March/April/May or so and
it is continuing to this day.  :-P  We have a decentralized environment.
Here at the Helpdesk we had implemented a centralized Norton Antivirus Server
with clients that connect up to it.  Over the past 2 years we have been
adding clients as we find them (we tell staff and faculty if they want IT
Helpdesk support, they must have the client installed or risk having the
PC pulled from the network if it gets infected.  Only one person has
refused--and he has agreed to the policy and uses a stand-alone
anti-virus client).   The server can do remote scans ("sweep") on all
machines that are turned on (sometimes it will clean the viruses and
trojans and sometimes it can't...we review these sweep logs
& visit the PC where the trojans and viruses remain.  We also keep track
of who gets infected twice and recommend a format).  Starting in March
or so when we first noticed the attacks, we stepped up efforts to sweep
every 2 weeks and sometimes every week if we find a new set of trojans
that got past the real-time scanning.  That helps us to at least identify
what PCs were being compromised with these trojans.  We suspect weak
admin passwords, openly shared harddrives in some cases and/or a cracking
tool like Fluxoy (which we have got our hands on and are carefully
testing how it works).  Unfortunately, now it seems these creeps
are disabling the NAV Client communication with the server.  That is
something we started discovering last week.

When we get an infected machine, we always recommend that the PC be
formatted.  We cannot force people to do anything unless their PC is
using excessive bandwidth but the scare tactic that anything on the PC
could have been touched is usually enough to convince them.  If the PC has
something like FireDaemon running on it we always recommend a format.  If
it just has the trojans...we just remove it and look at the machine to see
if anything else is disturbed.  Then we watch for it to get infected
again.  Now we have to start watching to see if the PC stops connecting to
the central server as a clue the hackers got in and disabled the

Please note this is not a perfect solution--sometimes if people do not log
into the domain we have NO CLUE who it belongs to or where the pc is
located.  We try our best to find them.  Sometimes we will block the MAC
address and wait to have the user call us, using the idea that if their PC
is infected it might be infecting others (of course the savy users will
just replace the network card but that isn't too common of a problem).
With that explaination, users are pretty understanding when we shut thier
network access down without warning.  If they are not understanding, our
security admin talks with them and explains the risks.  It also helps
that our upper level administration is very supportive of our efforts.

We have recently installed a firewall and I am working with our security
admin to block some ports that they may be using to get in.  It will be
trial and error for some time, I fear.  We just keep plugging away at it!
We do not have an IDS or anything like SNORT running.  That is in the

Another thing we are trying to do is change all the administrator
passwords to something central and more sound.  We do not have active
directory domain structure yet so it is challenging.  If anyone is
interested I can let you know our progress.  One of my staff found a
dos type script to change passwords but some of the challenges are that if
the PC is turned off or we are not local admins on the PC, we cannot run
this script.  We are also not sure if the script produces a log.  In any
case we will be testing it in the next few weeks.  We figure it is better
than nothing, even if we only get 50% of the PCs changed that will
hopefully be less machines to clean off later.

Andrea Tanner Zsigo               | Manager, Helpdesk and Desktop Applications
tanner at oakland.edu                | IT Help Desk
217 DHE                           | Oakland University
248-370-4555                      | Rochester, MI, USA

On Wed, 24 Jul 2002, Robert Dormer wrote:

> Hello all,
> I'm just curious to know - what experiences have you all had
> with backdoor trojans like netbus and subseven, and remote
> controlled IRC bots?  Specifically, have any of you suffered from
> large outbreaks of them, and if you did, how did you go about
> containing them and educating users and other administrators
> about them?
> Regards,
> Robert Dormer

More information about the unisog mailing list