[unisog] Re: New variant of Gaobot?
Jon Karl Miyake
miyake at darkwing.uoregon.edu
Wed Dec 10 01:33:46 GMT 2003
Just a followup to Brian's posting. We have been seeing similiarly
infected machines on our campus. The network signature that is being used
locally to track infected hosts differs from the one seen by UMN. We have
not seen the "IRC channel #!X!# on Brag-13-11.rh.ncsu.edu" signature in
connection with local Gaobot infected computers. However I will
definitely start looking for it.
3-4 ports are normally open. Port numbering appears to be random and
payload?/daemon ports are not in any specific order.
Port A: 113/tcp (this port is not always open)
Port B: FTP Daemon with the following banner.
220 "Welcome to Bot FTP service."
331 Please specify the password.
230 Login successful. Have fun.
200 Switching to Binary mode.
200 PORT command successful
150 Opening BINARY mode data connection.
226 Transfer complete.
221 Goodbye, have a good infection :).
Port C: Will output a binary file upon connection (payload?)
Port D: Will output a binary file upon connection (payload?)
This virus will kill off regedit and anti-virus programs that are run.
Its is likely that similiar system utilities will likewise be affected. We
have had general success with putting the machine in safemode and then
running a anti-virus scan or manually removing the virus. There is an
indication from local tech support that Gaobot does not always use the
same file-payload naming scheme. This could be due to different variants
being found locally or attempts by the virus to escape detection.
Given the number of variants referenced by anti-virus vendors there is
chance that your mileage may vary.
voice #: (541) 346-1635
Computing Center Room 225
University of Oregon
On Tue, 9 Dec 2003, Brian Eckman wrote:
> OOPS - I made a mistake. The IRC server is Brag-13-17.rh.ncsu.edu
> Sorry about that,
> Brian Eckman wrote:
> > What appears to be a new variant of Gaobot (KAV "Agobot") is making its
> > way through our University and others. Infected machines are seen
> > scanning hosts on 135/tcp and 445/tcp, presumedly looking to spread
> > itself. A co-worker downed quite a few of them over the past few days.
> > The one machine I've been looking at this afternoon has the following
> > characteristics (yours may vary):
> > 1. It is connected to an IRC channel #!X!# on Brag-13-11.rh.ncsu.edu
> > (abuse at ncsu.edu has been notified). The server calls itself
> > "fix.owned.you". There are over 400 other clients on this IRC server,
> > presumedly all on that channel (protected by a key that I do not have yet).
> > 2. It is scanning hosts on 135/tcp and 445/tcp. I have not seen the
> > payload that occurs when a successful TCP conversation is initiated nor
> > do I expect to ever be able to :-)
> > 3. It has an FTP server listening on 14899/tcp. Telnet to that port and
> > you see
> > 220 "Welcome to Bot FTP service." (including quotes)
> > Keep pressing enter to see more statements. It makes it appear that FTP
> > is the transport method. (Port might be random)
> > 4. It is, of course, Windows.
> > Look for hosts talking IRC to that IP address listed. I saw a number of
> > EDUs that had computers connected to that channel...
> > I have not gotten my hands on the software that is causing this. I just
> > wanted to send out an *early* warning for folks to start looking for
> > this behavior. As I mentioned, I saw several Universities that were
> > connecting to the IRC channel in question.
> > At this point, I am assuming that the IRC traffic, FTP server and port
> > scanning are all associated with the same malware. I do not have
> > evidence to prove it yet. Based on the look of the IRC server, it
> > doesn't look what I would call "friendly".
> > Brian
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
More information about the unisog