Re: New trojan? Old trojan with new characteristics? Anyone seen this?

From: Alex Lambert (alambertat_private)
Date: Thu Apr 10 2003 - 17:55:08 PDT


    Mike,
    
    I received word of something similar from one of my opers on February 17th.
    Ancient, an operator from irc.bigpond.com, notified irc.webchat.org's nohack
    team about this:
    
    <Ancient> just for your info a new trojan / drone is making rounds and it
    may be hard to spot on CR
    <Ancient> the ident = javauser
    <Ancient> full name follows pattern 99999 1
    <Ancient> the nicknames resemble first names and seem to be derived from
    some nick dictionary
    <Ancient> we run CR and we observed it growing very fast
    <Ancient> few connections on saturday to 100s today
    <Ancient> I noticed heaps of them on Undernet but they are too ignorant to
    care
    <Ancient> i posted an IRC CERT notice but it seems delayed
    <Ancient> how many lines can I post here before getting done for flooding?
    <Ancient> as I'm about to send a fragment of perl code that can detect this
    bot, if you know how to code using net::irc
    <Ancient> # exploit pattern ident:javauser real:99999 9
    <Ancient> my (@realwords) = split(" ",$real);
    <Ancient> if ($ident =~ /^javauser$/) {
    <Ancient> if ($nickname !~ /^guest[[:digit:]]{5}$/i) {
    <Ancient> if ($realwords[1] =~ /^[[:digit:]]{4,5}$/) {
    <Ancient> if ($realwords[2] =~ /^[[:digit:]]{1}$/) {
    <Ancient> &akill($self, $nickname, $host,"Exploit\:javauser");
    <Ancient> } } } }
    <Ancient> richard, if you got my previous info re:javauser trojan, there is
    one more fact about it - it never seems to be using port 7000
    
    You might want to consider subscribing to irc-cert at
    http://cert-irc.cyberabuse.org/
    
    
    
    Cheers,
    
    Alex Lambert
    irc.liveharmony.org
    alambertat_private
    
    Mike Parkin wrote:
    > Not often I post to the list.
    >
    > Lately the IRC network I help run (away from work) has seen a large
    > number of host connections with a pattern similar to numerous other
    > trojan/malware infections that have an IRC element.  Namely: Similar
    > nicks, user@, and real name fields.  In this case the nicks are all one
    > of several similar patterns (repeats lead us to believe it may be
    > chosen from a list), the User@ is always javauser@ (I haven't
    > actually seen a legitimate java client with this ident, though there
    > may well be one.) and the Real Name field is always a pattern of
    > "nnnnn 1" where nnnnn is a five digit random number.
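The three checks from Ancient's Perl fragment (ident "javauser", a non-guest nick, real name "nnnnn 1"), rewritten in Python as an added example that is not part of the thread, run over constructed RFC 1459 RPL_WHOREPLY (352) lines so an oper can sweep a WHO listing. Server names, hosts and nicks below are placeholders; unlike the Perl, the split real name is indexed from word 0, on the assumption that the field holds the bare "nnnnn 1" string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern from the thread: ident "javauser", real name "nnnnn 1"
# (a 4-5 digit number, a space, a single digit), nicks that look like
# first names rather than the legitimate "guestNNNNN" form.
GUEST_NICK_RE = re.compile(r"^guest[0-9]{5}$", re.IGNORECASE)

# RFC 1459 numeric 352:
#   :<server> 352 <me> <chan> <user> <host> <server> <nick> <flags> :<hops> <real name>
WHO_RE = re.compile(
    r"^:\S+ 352 \S+ (?P<chan>\S+) (?P<user>\S+) (?P<host>\S+) \S+ "
    r"(?P<nick>\S+) \S+ :\d+ (?P<real>.*)$"
)

@dataclass
class Client:
    nick: str
    ident: str
    host: str
    real: str

def parse_who_reply(line: str) -> Optional[Client]:
    """Parse one numeric-352 line; return None for any other numeric."""
    m = WHO_RE.match(line.strip())
    if not m:
        return None
    ident = m.group("user").lstrip("~")  # drop the "no identd" prefix some servers add
    return Client(m.group("nick"), ident, m.group("host"), m.group("real"))

def is_javauser_bot(c: Client) -> bool:
    """Same three checks as the Perl fragment, indexed from the first word."""
    if c.ident != "javauser":
        return False
    if GUEST_NICK_RE.match(c.nick):  # the known-good guest form is left alone
        return False
    words = c.real.split()
    return (len(words) == 2
            and re.fullmatch(r"[0-9]{4,5}", words[0]) is not None
            and re.fullmatch(r"[0-9]", words[1]) is not None)

def flag_suspects(lines: List[str]) -> List[Client]:
    """Return the clients in a WHO listing that match the bot pattern."""
    return [c for c in map(parse_who_reply, lines) if c and is_javauser_bot(c)]

# Constructed sample WHO output (not a real capture); every name is a placeholder.
SAMPLE_WHO = [
    ":irc.example.net 352 oper #lobby javauser host1.example.net irc.example.net Sarah H :0 48213 1",
    ":irc.example.net 352 oper #lobby ~javauser host2.example.net irc.example.net guest12345 H :0 48213 1",
    ":irc.example.net 352 oper #lobby joe host3.example.net irc.example.net joe H :0 Joe Bloggs",
    ":irc.example.net 352 oper #lobby javauser host4.example.net irc.example.net Mark H :0 Mark",
    ":irc.example.net 315 oper #lobby :End of /WHO list.",
]

if __name__ == "__main__":
    for c in flag_suspects(SAMPLE_WHO):
        print(f"suspect: {c.nick}!{c.ident}@{c.host} ({c.real!r})")
```

Only the first sample line is flagged: the second has a guest nick, the third a different ident, and the fourth a real name that does not fit "nnnnn 1".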
    
    
    