New variant of Gaobot?
eckman at umn.edu
Tue Dec 9 22:11:10 GMT 2003
What appears to be a new variant of Gaobot (KAV "Agobot") is making its
way through our University and others. Infected machines are seen
scanning hosts on 135/tcp and 445/tcp, presumably looking to spread
itself. A co-worker downed quite a few of them over the past few days.
The one machine I've been looking at this afternoon has the following
characteristics (yours may vary):
1. It is connected to an IRC channel #!X!# on Brag-13-11.rh.ncsu.edu
(abuse at ncsu.edu has been notified). The server calls itself
"fix.owned.you". There are over 400 other clients on this IRC server,
presumably all on that channel (protected by a key that I do not have yet).
2. It is scanning hosts on 135/tcp and 445/tcp. I have not seen the
payload that occurs when a successful TCP conversation is initiated nor
do I expect to ever be able to :-)
3. It has an FTP server listening on 14899/tcp. Telnet to that port and
you get:
    220 "Welcome to Bot FTP service."
(including quotes). Keep pressing enter to see more statements. It makes
it appear that FTP is the transport method. (Port might be random)
4. It is, of course, Windows.
Look for hosts talking IRC to that IP address listed. I saw a number of
EDUs that had computers connected to that channel...
I have not gotten my hands on the software that is causing this. I just
wanted to send out an *early* warning for folks to start looking for
this behavior. As I mentioned, I saw several Universities that were
connecting to the IRC channel in question.
At this point, I am assuming that the IRC traffic, FTP server and port
scanning are all associated with the same malware. I do not have
evidence to prove it yet. Based on the look of the IRC server, it
doesn't look like what I would call "friendly".
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
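The three indicators in the post (IRC connections to the named server, 135/445 sweeps from one source, and the quoted FTP banner on 14899/tcp) are the kind of thing a site can hunt for in flow data without having the binary. The following triage script is an added example written for this page, not code from the original post or from the unisog list. It runs over constructed sample flow records; the C2 address 192.0.2.10 is a documentation-range placeholder standing in for whatever Brag-13-11.rh.ncsu.edu resolved to (an assumption, as is the IRC port 6667, which the post does not state), and `grab_banner` is a small network helper you would point at a suspect host yourself.

```python
"""Triage helper for the Gaobot/Agobot-like behaviour described above.

Added example, not part of the original message. Works on constructed
flow records ("src,dst,dport", TCP assumed) and on FTP banner bytes.
Assumptions: 192.0.2.2 stands in for the IRC server's address, and
6667 for the IRC port; neither is stated in the post.
"""
import socket
from collections import defaultdict

SCAN_PORTS = {135, 445}
IRC_PORTS = {6667}                 # assumption: port not given in the post
C2_HOSTS = {"192.0.2.2"}           # placeholder for Brag-13-11.rh.ncsu.edu
BOT_FTP_PORT = 14899
BOT_FTP_BANNER = '220 "Welcome to Bot FTP service."'   # quotes included

# Constructed sample flows, not real data. 10.1.2.3 sweeps three distinct
# hosts on 135/445 and talks IRC to the C2; 10.1.5.6 reconnects to one
# SMB server repeatedly (normal client behaviour); 10.1.2.4 only does IRC.
SAMPLE_FLOWS = """\
10.1.2.3,10.9.0.1,135
10.1.2.3,10.9.0.2,445
10.1.2.3,10.9.0.3,135
10.1.2.3,192.0.2.2,6667
10.1.2.4,192.0.2.2,6667
10.1.5.6,10.9.0.1,445
10.1.5.6,10.9.0.1,445
10.1.5.6,10.9.0.1,445
10.1.7.8,10.1.2.3,14899
"""


def parse_flows(text):
    """Parse 'src,dst,dport' lines; blank lines and '#' comments ignored."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        flows.append((src, dst, int(dport)))
    return flows


def find_scanners(flows, min_targets=3):
    """Sources that touched >= min_targets distinct hosts on 135 or 445.

    Distinct destinations are counted, not connections, so a workstation
    that reconnects to its one file server is not flagged."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


def find_irc_c2_clients(flows):
    """Sources with an IRC-port connection to the suspected C2 address."""
    return sorted({src for src, dst, dport in flows
                   if dst in C2_HOSTS and dport in IRC_PORTS})


def is_bot_ftp_banner(banner):
    """True when the first banner line is exactly the reported one.

    Only the first line is compared: the post says the service prints more
    text as you keep pressing Enter, and that text is not described."""
    lines = banner.decode("latin-1", "replace").splitlines()
    return bool(lines) and lines[0].strip() == BOT_FTP_BANNER


def grab_banner(host, port=BOT_FTP_PORT, timeout=3.0):
    """Connect and read the first reply; returns b'' on any failure.

    Network helper for manual use against a suspect host; not exercised
    by the offline sample data."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return b""


def triage(text):
    """Combine the indicators; hosts in 'both' deserve a look first."""
    flows = parse_flows(text)
    scanners = find_scanners(flows)
    irc = find_irc_c2_clients(flows)
    return {"scanners": scanners,
            "irc_clients": irc,
            "both": sorted(set(scanners) & set(irc))}


if __name__ == "__main__":
    for key, hosts in triage(SAMPLE_FLOWS).items():
        print(f"{key:12s} {', '.join(hosts) or '-'}")
```

The distinct-target threshold is the part worth tuning: on a campus network the 135/445 sweep is the noisiest signal, and counting destinations rather than connections keeps ordinary SMB clients out of the list. Treat the IRC match as confirmation rather than a standalone trigger, since the post only names the server, not its address.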