
Gaobot P2P Listener Hello

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This event indicates that a host has been infected with a Phatbot/Gaobot/Agobot worm and has joined a bot network on an IRC channel, where it listens for bot-specific commands embedded in otherwise normal IRC conversation.

Additional Information

The remote attacker can then issue commands over IRC to the infected host(s) on the bot network, including any of the following:
- Scan and exploit hosts on the subnet/network for multiple vulnerabilities and copy itself to the exploited machines.
- Dynamically update itself.
- Reboot, shut down, or log off the infected host.
- List and kill processes and services.
- Insert and delete services in the Service Control Manager (SCM) and autostart entries.
- Steal CD keys for various games, Windows product keys, lists of email addresses, and registry settings.
- Download and execute files over HTTP and FTP.
- Start an HTTP, HTTPS, or SOCKS proxy on a specified port, and redirect specified TCP and GRE ports to other host(s).
- Execute a DDoS attack against another host.
- Harden or expose the infected host by disabling or enabling DCOM and file shares.
- Execute a command with system(), open a file, or execute a .exe file.
- Get system information.
- Resolve a DNS name, or flush the DNS cache.

Recent variants of Gaobot have started using P2P networks to communicate, via a modified version of the WASTE P2P system. Upon execution, the infected host connects to hard-coded Gnutella cache servers, which return a list of listening hosts as well as alternate cache server URLs.

The infected host parses the returned list for hosts listening on TCP port 4387; these are assumed to be members of the Phatbot P2P network and to be its root nodes, and the infected host connects to them to begin accepting P2P traffic. The infected host may itself become a root node, based on a bandwidth calculation that sends large packets to preconfigured sites and measures the response time. If it is a root node, it opens a listener on TCP port 4387 for other Phatbot clients to connect to.

From the user's perspective, the WASTE-based protocol behaves much like IRC: the infected host joins a specified channel and listens for commands to trigger on.

Affected

  • All Windows and some distributions of Linux

Response

Variants have been observed using one of the following vulnerabilities to propagate. Remediating these vulnerabilities is essential to prevent future infections.

1) The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
2) The WebDAV vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
3) The Workstation service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply MS03-049.
4) The Microsoft Messenger service buffer overrun vulnerability (described in Microsoft Security Bulletin MS03-043).
5) The Locator service vulnerability (described in Microsoft Security Bulletin MS03-001) using TCP port 445. The worm specifically targets Windows 2000 machines using this exploit.
6) The UPnP vulnerability (described in Microsoft Security Bulletin MS01-059).
7) The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
8) The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 139 and 445.
9) The worm may also exploit the backdoors left by the Beagle and Mydoom worm families.
10) Some variants of the worm exploit the DameWare Remote Control Server vulnerability described in CAN-2003-1030 (CVE-2003-1030).

For Microsoft patches, see:
Microsoft Windows Update
Microsoft Security Homepage