On 14/12/06, David Gillett <gillettdavid@fhda.edu> wrote:
What I've got so far is that the 7654 IRC connection is
typical of the "SDBot" family of malware.
The number of infections has stabilized -- only one new
infected machine in the last three hours. That strongly
suggests that machines with up to date patches and/or
antivirus and/or non-blank passwords are probably immune,
which argues against the 0day hypothesis.
Sounds like a typical bot infection - you won't really know exactly
which until you can get a sample and analyze it. There are so many new
variants of bots coming out, a lot of AV won't recognise new ones, or
may simply report detection of a generic exploit. (I like
virustotal.com for checking up on suspect binaries.)
I saw quite a few of these incidents when I worked at a uni - the
initial infection was carried inside the perimeter on someone's
laptop and then spread to unpatched internal machines. I found the
bleeding snort sigs for IRC traffic pretty helpful, as well as the
portscan detection stuff.
cheers,
Jamie
--
Jamie Riden, CISSP / jamesr@europe.com / jamie.riden@gmail.com
NZ Honeynet project - http://www.nz-honeynet.org/
------------------------------------------------------------------------------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
http://www.blackhat.com
------------------------------------------------------------------------------
