[unisog] IRCd 6667 followed by 445 SYN scan

Johannes Ullrich jullrich at euclidian.com
Fri Apr 4 11:51:08 GMT 2003

> Anyone else seeing compromised machines that are doing outbound SYN
> scans port 445 and are under control via irc port 6667?  Blocking the
> 6667 traffic stops the scanning.  Compromised hosts show positive
> infection of W32Kwbot.E.Worm as per NAV but forensics show this as a
> different virus/worm. I have confirmed this is not Deloder or Netspree as
> well.

hehe... just updated our 'daily headline' at isc.sans.org yesterday
to warn about this. 

This kind of IRC bot building is the 'game of the day' these days.
Recently, using open Win2k file shares has become very popular.
As far as I can tell, different 'crews' use similar 'bots' which
they adjust for their purposes. But the basic principle is always
the same in that the infected machines will join an IRC channel and
soon after they will be instructed to scan for more victims. 

The vulnerabilities I see them scan for are
- open file shares (by far #1 method these days)
- SubSeven infected machines
- mssql servers without password

You can avoid 80% of your "bot headaches" by closing port 445
on your perimeter.

If you can't close port 445, please send me copies of any malware
you capture. I am trying to start a little 'bot zoo' and trying to
shut down some of the control servers as part of the ISC effort.

(note: send malware as a zip file with password 'infected' to 
prevent stripping by AV filters)

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
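The pattern described in this thread (an internal host joins an IRC channel on 6667 and shortly afterwards starts SYN-scanning 445) can be picked out of ordinary perimeter firewall or flow logs by correlating the two events per source host. The script below is an added example written for this page, not code from the original post or from the ISC/DShield project. It assumes a simplified, constructed log format of `timestamp src dst dport flags`; the sample lines and the thresholds (a 10-minute window, 20 distinct targets) are assumptions you would tune to your own logs.

```python
"""Detect the IRC-bot pattern from the thread: an outbound connection to
TCP/6667 followed, within a short window, by a fan-out of SYNs to TCP/445.

Added example, not code from the original post. The log format and the
sample traffic below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IRC_PORT = 6667  # C&C channel, as described in the thread
SMB_PORT = 445   # open-file-share scanning, the "#1 method these days"


def _build_sample_log():
    """Constructed firewall log (not real traffic): one host joins IRC on 6667,
    then ~30 seconds later fans out SYNs to 445; two benign hosts for contrast."""
    lines = [
        "2003-04-04T11:20:01 10.1.2.3 192.0.2.10 6667 SYN",    # bot joins C&C
        "2003-04-04T11:25:00 10.1.2.50 192.0.2.10 6667 SYN",   # ordinary IRC user
        "2003-04-04T11:26:00 10.1.2.77 198.51.100.9 445 SYN",  # one normal SMB session
    ]
    # The bot is instructed to scan: SYNs to 30 distinct hosts within a few seconds.
    for i in range(1, 31):
        lines.append(
            f"2003-04-04T11:20:{30 + i // 10:02d} 10.1.2.3 198.51.100.{i} 445 SYN"
        )
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse 'timestamp src dst dport flags' lines into dicts, sorted by time.
    Blank lines and trailing '#' comments are ignored."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, flags = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "dport": int(dport), "flags": flags,
        })
    return sorted(records, key=lambda r: r["ts"])


def find_bot_candidates(records, window=timedelta(minutes=10), min_targets=20):
    """Return {src: distinct_445_targets} for hosts that opened an outbound IRC
    connection and, within `window` after it, SYN-scanned at least `min_targets`
    distinct hosts on 445. Order matters: the C&C join precedes the scan, so a
    host that only talks SMB, or only talks IRC, is never flagged."""
    first_irc = {}
    for r in records:
        if r["dport"] == IRC_PORT and r["flags"] == "SYN" and r["src"] not in first_irc:
            first_irc[r["src"]] = r["ts"]

    targets = defaultdict(set)
    for r in records:
        start = first_irc.get(r["src"])
        if start is None or r["dport"] != SMB_PORT or r["flags"] != "SYN":
            continue
        if start <= r["ts"] <= start + window:
            targets[r["src"]].add(r["dst"])

    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, n in find_bot_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: IRC join on {IRC_PORT} followed by SYNs to {n} distinct "
              f"hosts on {SMB_PORT} -> likely bot, block 6667 and isolate")
```

Requiring the IRC connection to come first, and counting distinct destinations rather than raw packet volume, keeps a single legitimate IRC user or a normal SMB session from tripping the rule; the host that does both in sequence is the one to pull off the network and image, which is also the one whose malware sample the author is asking for.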
