[unisog] Fwd: URGENT: bot net with keylogger

Phil Rodrigues phil.rodrigues at nyu.edu
Wed Apr 7 15:46:15 GMT 2004

I would contact the REN-ISAC for info about the current and past 
master servers.  I know they have a list of all of the IRCDs that 
have been active, but I am not sure if they want to share that on a 
public list.  That URl has been resolving to a few different master 
servers in the day I have been aware of it.

They can be reached at:


I do know the masters servers that have been active here have all had 
3410/tcp open, which amap thought was:

matches msdtc

"msdtc - msdtc.exe - Process Information
Process File: msdtc or msdtc.exe
Process Name: Distributed Transaction Coordinator
Description: Application that is loaded into the system by Microsoft 
Personal Web Server and Microsoft SQL Server. The service is used to 
manage transactions across multiple servers."

I also know that the slave bots had this in common (all info from 
Doug Pearson of REN-ISAC):

"We can confirm the TCP port 8040. We have unconfirmed information 
from a third party:

- The file that carries the virus is C:\windows\system32\mssmgrd.exe 
which is a hidden file 70KB in size

- First it attempts to resolve et.bestexploiters.com

- Next it contacts each of the hosts that resolve to this on TCP port 
8040 from TCP port 1219

- Each host that replies does so on TCP 8040 back to TCP 1219

- It then tries to contact all hosts on the local workgroup/domain 
and enumerate shares (it may do an ARP discover prior; difficult to 
derive from one capture)

- Next it attempts to connect to the hosts that replied to LANMAN 
requests via IPC shares (and probably others)

- Throughout, UDP port 69 remains open on the infected host for TFTP

Other advice is to aggressively track down compromised hosts and 
assume that any account/password, credit card, or other information 
that has been keyed into a compromised host is now in the hands of 


>	Would you have the IP of et.bestexploiters.com handy? It is currently
>resolving here to but given its previous value I can look for
>compromised machines contacting that address in our argus logs from the past.
>Peter Van Epp / Operations and Technical Support
>Simon Fraser University, Burnaby, B.C. Canada
>On Mon, Apr 05, 2004 at 07:13:14PM -0400, Phil Rodrigues wrote:
>>  Passing this along...
>>  >From: REN-ISAC <dodpears at INDIANA.EDU>
>>  >Subject: [SECURITY] URGENT: bot net with keylogger
>>  >Dear all,
>>  >
>>  >Security engineers at Indiana University have been involved in local
>>  >discovery and investigation with others regarding a rapidly growing
>>  >and particularly threatening bot network. Of URGENT CONCERN is that
>>  >the client contains a keystroke logger. All keystrokes on the
>>  >compromised machines are transmitted to a controlling IRCD. We've
>>  >been able to observe traffic to one of at least 15 controlling
>>  >IRCDs. That one IRCD was in control of over 12,000 clients. On the
>>  >face, it appears that the network grew to that size in much less
>>  >than one day, and 12,000 may represent just 1/15th of the network.
>>  >We're in process of collaborating with other groups in analysis.
>>  >There's no information to share regarding infection vector just yet.
>>  >In the meantime, a useful and highly recommended response is for
>>  >institutions to immediately locally block the DNS name that clients
>>  >use to contact the IRCDs: et.bestexploiters.com. If you're able to
>>  >log DNS requests you should be able to identify local compromised
>>  >hosts. The REN-ISAC will be directly contacting the institutions
>>  >home to observed compromised machines, and will provide
>>  >host-specific information.
>>  >
>>  >Regards,
>>  >
>>  >Doug Pearson
>>  >Director, REN-ISAC
>>  >http://www.ren-isac.net
>>  >+1-812-855-3846
>>  >+1-812-325-3846 cell
>>  >
>>  >**********
>>  >Participation and subscription information for this EDUCAUSE
>>  >Discussion Group discussion list can be found at
>>  >http://www.educause.edu/cg/.

More information about the unisog mailing list