Re: New trojan? Old trojan with new characteristics? Anyone seen this?

From: vex86at_private
Date: Mon Apr 14 2003 - 16:57:00 PDT


    I'd love to get my hands on a copy of the trojan being used.. Often they
    are bounced to a redirect, then to a server. This trojan (javauser
    ident) is definitely a spawn of GT or some sort. I've seen Litmus,
    [sd], and GT take this setup, with the javauser.. Check if the machines
    connecting are vulnerable to NetBIOS, they are often vulnerable to
    NetBIOS because currently it's the only way Botnet Farmers are spreading
    their net.. I've seen different ways, however.
    
    If you have any further questions, you may contact me at
    vex86at_private
    
    Best Regards,
    
    Richard 
    
    
    On Thu, 2003-04-10 at 20:55, Alex Lambert wrote:
    > Mike,
    > 
    > I received word of something similar from one of my opers on February 17th.
    > Ancient, an operator from irc.bigpond.com, notified irc.webchat.org's nohack
    > team about this:
    > 
    > <Ancient> just for your info a new trojan / drone is making rounds and it
    > may be hard to spot on CR
    > <Ancient> the ident = javauser
    > <Ancient> full name follows pattern 99999 1
    > <Ancient> the nicknames resemble first names and seem to be derived from
    > some nick dictionary
    > <Ancient> we run CR and we observed it growing very fast
    > <Ancient> few connections on saturday to 100s today
    > <Ancient> I noticed heaps of them on Undernet but they are too ignorant to
    > care
    > <Ancient> i posted an IRC CERT notice but it seems delayed
    > <Ancient> how many lines can I post here before getting done for flooding?
    > <Ancient> as I'm about to send a fragment of perl code that can detect this
    > bot, if you know how to code using net::irc
    > <Ancient> # exploit pattern ident:javauser real:99999 9
    > <Ancient> my (@realwords) = split(" ",$real);
    > <Ancient> if ($ident =~ /^javauser$/) {
    > <Ancient> if ($nickname !~ /^guest[[:digit:]]{5}$/i) {
    > <Ancient> if ($realwords[1] =~ /^[[:digit:]]{4,5}$/) {
    > <Ancient> if ($realwords[2] =~ /^[[:digit:]]{1}$/) {
    > <Ancient> &akill($self, $nickname, $host,"Exploit\:javauser");
    > <Ancient> } } } }
    > <Ancient> richard, if you got my previous info re:javauser trojan, there is
    > one more fact about it - it never seems to be using port 7000
    > 
    > You might want to consider subscribing to irc-cert at
    > http://cert-irc.cyberabuse.org/
    > 
    > 
    > 
    > Cheers,
    > 
    > Alex Lambert
    > irc.liveharmony.org
    > alambertat_private
    > 
    > Mike Parkin wrote:
    > > Not often I post to the list.
    > >
    > > Lately the IRC network I help run (away from work) has seen a large
    > > number of host connections with a pattern similar to numerous other
    > > trojan/malware infections that have an IRC element.  Namely: Similar
    > > nicks, user@, and real name fields.  In this case the nicks are all one
    > > of several similar patterns (repeats lead us to believe it may be
    > > chosen from a list), the User@ is always javauser@ (I haven't
    > > actually seen a legitimate java client with this ident, though there
    > > may well be one.) and the Real Name field is always a pattern of
    > > "nnnnn 1" where nnnnn is a five digit random number.
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > Is SPAM over-loading your e-mail server, disk space or bandwidth?
    > SurfControl E-Mail Filter is flexible, intelligent and policy-driven
    > protection.
    > http://www.securityfocus.com/SurfControl-incidents2
    > Download your free fully functional
    > trial, complete with 30-days of free technical support.
    > Stop SPAM before it stops you.
    > ----------------------------------------------------------------------------
    > 
    
    
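The detection rule Ancient sketched in Perl above (ident exactly "javauser", real name of the form "nnnnn 1", nick not a webchat guestNNNNN), written out as an added example in Python that is not part of the original thread and not Ancient's or any ircd's code. It parses a hypothetical ircd-style "Client connecting" server notice (the format is an assumption; adjust the regex to whatever your ircd emits), applies the rule, and turns the hits into *@host masks. The sample notices are constructed for the example, using RFC 5737 documentation addresses. Note that the Perl fragment tests $realwords[1] and $realwords[2], which only works if its $real carried a leading token; here the real-name field is matched on its own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Detection rule for the "javauser" drone described in the thread:
#   ident     is exactly "javauser"
#   real name is "nnnnn 1": a 4- or 5-digit number, a space, one digit
#   nick      is NOT a guestNNNNN nick, which webchat gateways assign legitimately
IDENT_RE = re.compile(r"^javauser$")
GUEST_NICK_RE = re.compile(r"^guest[0-9]{5}$", re.IGNORECASE)
REALNAME_RE = re.compile(r"^[0-9]{4,5} [0-9]$")

# Assumed (hypothetical) ircd server-notice format; adjust to your ircd's
# own "Client connecting" notice.
NOTICE_RE = re.compile(
    r"Client connecting: (?P<nick>\S+) "
    r"\((?P<ident>[^@)]+)@(?P<host>[^)]+)\) "
    r"\[(?P<real>[^\]]*)\]"
)


@dataclass(frozen=True)
class Client:
    nick: str
    ident: str
    host: str
    realname: str


def is_javauser_drone(c: Client) -> bool:
    """Apply the ident / nick / real-name rule to one connecting client."""
    return (
        IDENT_RE.match(c.ident) is not None
        and GUEST_NICK_RE.match(c.nick) is None
        and REALNAME_RE.match(c.realname) is not None
    )


def parse_notice(line: str) -> Optional[Client]:
    """Extract nick, ident, host and real name from one server notice."""
    m = NOTICE_RE.search(line)
    if m is None:
        return None
    return Client(m["nick"], m["ident"], m["host"], m["real"])


def scan_notices(lines: Iterable[str]) -> list:
    """Return every connecting client that matches the drone signature."""
    hits = []
    for line in lines:
        c = parse_notice(line)
        if c is not None and is_javauser_drone(c):
            hits.append(c)
    return hits


def akill_masks(hits: Iterable[Client]) -> list:
    """Build *@host masks from the hits (the ident is the signature, the host
    is what you keep off the network), de-duplicated in first-seen order."""
    masks = []
    for c in hits:
        mask = f"*@{c.host}"
        if mask not in masks:
            masks.append(mask)
    return masks


# Constructed sample notices (not real traffic).
SAMPLE_NOTICES = [
    "*** Notice -- Client connecting: Maria (javauser@203.0.113.10) [48213 1]",
    "*** Notice -- Client connecting: guest48213 (javauser@203.0.113.11) [48213 1]",
    "*** Notice -- Client connecting: Peter (javauser@198.51.100.7) [Peter Java]",
    "*** Notice -- Client connecting: dave (~dave@192.0.2.5) [Dave Smith]",
    "*** Notice -- Client connecting: John (javauser@203.0.113.12) [99999 1]",
    "*** Notice -- Client connecting: Anna (javauser@203.0.113.10) [07311 1]",
    "*** Notice -- Quit: foo",
]

if __name__ == "__main__":
    hits = scan_notices(SAMPLE_NOTICES)
    for c in hits:
        print(f"drone: {c.nick}!{c.ident}@{c.host} [{c.realname}]")
    print("akill masks:", akill_masks(hits))
```

Run against the sample, the guest48213 line is skipped even though its ident and real name match, because webchat gateways hand out that nick form to legitimate users; Peter is skipped because the real name is not "nnnnn 1". The two hosts that remain are what you would feed to your services' AKILL (the exact AKILL syntax varies by services package, so it is not generated here).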
    



    This archive was generated by hypermail 2b30 : Tue Apr 15 2003 - 09:41:40 PDT