zotob C&C servers

Hi guys.

Zotob, once infected, connects the machine to a botnet C&C (command & control) server.
Due to the extremely rapid spread of these worms, here is the C&C server information that has been confirmed so far:

62.193.233.52:8080
84.244.7.62:8080
204.13.171.157:8080
62.193.233.4:8080

ASN | IP | Responsible Party

We haven't seen it yet on our network, but I was hoping somebody might have a text dump or packet capture of the C&C traffic that they would be willing to send me so I can tune our IDS to recognize it. I already have exploit rules loaded, just wanted to see if the C&C traffic varied significantly from the (relatively) standard *bot variety.

Thanks,

Michael Grinnell
Network Security Administrator
The American University
e-mail: grinnell@american.edu

Michael Grinnell wrote:

We haven't seen it yet on our network, but I was hoping somebody might have a text dump or packet capture of the C&C traffic that they would be willing to send me so I can tune our IDS to recognize it. I already have exploit rules loaded, just wanted to see if the C&C traffic varied significantly from the (relatively) standard *bot variety.

Hi.

Any IRC JOIN sig will do, channel is: #niggah

  Gadi.
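Michael asked for something to tune an IDS on, and Gadi's answer is that an IRC JOIN signature is enough. The following is an added example, not code from either poster: a small detector that applies exactly that idea to captured TCP payloads. It flags any IRC JOIN to the four C&C endpoints listed earlier in the thread, or to the channel Gadi names, as high severity, and any other IRC JOIN as a low-severity lead (Gadi's "any IRC JOIN sig will do", generalized). The flow records and payloads are constructed sample data; the severity labels and the `scan_flows` helper are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Zotob C&C endpoints as listed in the thread (IP, port).
C2_ENDPOINTS = {
    ("62.193.233.52", 8080),
    ("84.244.7.62", 8080),
    ("204.13.171.157", 8080),
    ("62.193.233.4", 8080),
}

# Channel named in the thread; compared case-insensitively.
WATCH_CHANNELS = {"#niggah"}

# IRC JOIN as sent by a client: optional ":prefix ", then "JOIN", then the channel.
# Channels start with '#' or '&'; a comma separates multiple channels.
IRC_JOIN_RE = re.compile(
    rb"^(?::\S+ )?JOIN\s+(?P<chan>[#&][^\s,]+)",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    channel: str
    severity: str   # "high" = matches thread IoCs, "low" = generic IRC JOIN (assumed labels)
    reason: str


def inspect_flow(src: str, dst: str, dport: int, payload: bytes) -> list[Alert]:
    """Return one Alert per IRC JOIN found in a single client->server payload."""
    alerts = []
    for match in IRC_JOIN_RE.finditer(payload):
        channel = match.group("chan").decode("ascii", errors="replace")
        if (dst, dport) in C2_ENDPOINTS:
            alerts.append(Alert(src, dst, dport, channel, "high",
                                "IRC JOIN to listed Zotob C&C endpoint"))
        elif channel.lower() in WATCH_CHANNELS:
            alerts.append(Alert(src, dst, dport, channel, "high",
                                "IRC JOIN to watch-listed channel"))
        else:
            alerts.append(Alert(src, dst, dport, channel, "low",
                                "IRC JOIN (generic bot C&C indicator)"))
    return alerts


def scan_flows(flows: list[tuple[str, str, int, bytes]]) -> list[Alert]:
    """Run inspect_flow over a list of (src, dst, dport, payload) records."""
    out: list[Alert] = []
    for src, dst, dport, payload in flows:
        out.extend(inspect_flow(src, dst, dport, payload))
    return out


# Constructed sample flows: one bot check-in, one ordinary IRC session, one HTTP request.
SAMPLE_FLOWS = [
    ("10.0.0.5", "62.193.233.52", 8080,
     b"NICK [00|USA|12345]\r\nUSER xyz 0 0 :xyz\r\nJOIN #niggah\r\n"),
    ("10.0.0.7", "192.0.2.10", 6667,
     b"NICK alice\r\nUSER alice 0 * :alice\r\nJOIN #linux\r\n"),
    ("10.0.0.9", "192.0.2.20", 80,
     b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"[{a.severity}] {a.src} -> {a.dst}:{a.dport} JOIN {a.channel}: {a.reason}")
```

In practice the payload would come from a capture library or the IDS's own stream reassembly; the point of the example is the matching logic, which mirrors a `content:"JOIN "` style rule plus an endpoint/channel watch-list. Note that matching on destination IP alone will go stale as the C&C hosts change, which is why the generic JOIN match is kept as a low-severity fallback.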

Michael Grinnell wrote:

We haven't seen it yet on our network, but I was hoping somebody might have a text dump or packet capture of the C&C traffic that they would be willing to send me so I can tune our IDS to recognize it. I already have exploit rules loaded, just wanted to see if the C&C traffic varied significantly from the (relatively) standard *bot variety.

Matt just got some signatures together:
http://www.bleedingsnort.com/article.php?story=20050814131513212

Enjoy,

  Gadi.