[unisog] sudden increase in NetBIOS probes
rmulyadi at arizona.edu
Thu Jun 10 06:14:54 GMT 2004
We also have been seeing an increased amount of 445 traffic here in this
last week or so.
Here are some observations we have collected so far.
Although it is a very korgo-like activity (scanning for port 445, some
listen on port 113/others don't, reporting back to some IRC server), it
doesn't seem to be detected by the anti virus software yet. We just
sent a sample to Sophos.
So far, we find them by looking at the existence of
"[LSASS_Eng]:.Exploiting.IP" string in the conversation between the
infected machine and the IRC server.
Also, the name of the backdoor file found on our machines is called
SIRT - University of Arizona
Peter Van Epp wrote:
> Looks like the new version hit here over night too :-). Another 18 or
>so machines gone for scanning, and probably a number more when I get time from
>meetings-the-practical-alternative-to-doing-anything-useful and process the
>argus logs. Here it looks like they were forming up a botnet. There is an
>undernet IRC connection followed by about 1/2 hour of scanning for port 445
>from those 18 hosts of then they went away. Because of the router blocks the
>scans won't make it off campus and it looks like the attacker discovered that
>and stopped trying to use ours (at least so far, other scans would still work
>fine until I see them). A quick look at argus indicates more machines joining
>the IRC channel than were scanning out (although that may not be correct, it
>was a quick look), but anyone joining the channel but not whacked will get
>that corrected ... The first couple of cleaned machines are reporting:
>- w32.spybot.worm (running)and,
>- w32.korgo.f - executable found but not running
>I assume the first started the second to join the IRC channel.
>Peter Van Epp / Operations and Technical Support
>Simon Fraser University, Burnaby, B.C. Canada
>unisog mailing list
>unisog at lists.sans.org
More information about the unisog