Nick's note June 17th, 2004 - The BuddyGopher servers were never compromised, hacked, attacked, infected, etc. Thanks, John and Ryan, for being awesome with your security lock-downs. We only received this message as a result of crawling the away message of somebody who was probably infected with the mentioned virus. The bad URL probably got marked up in the College of William and Mary's router traffic after the SysAdmins were searching to eliminate this URL's propagation. I appreciate the proactive efforts of Mr. Morledge to inform us of this formerly spreading threat. It says a lot about the College of William and Mary's I.S. department.
-----Original Message-----
From: Clarke Morledge
Sent: Friday, May 14, 2004 10:48 AM
To: 'abuse at wfu dot edu'
Subject: suspicious web server linked to large IRC botnet
Wake Forest Network Security Personnel,
We've been investigating the growth of an IRC botnet using a variant of
Agobot/Gaobot/Phatbot to propagate itself across numerous university
networks. Various reports suggest that anywhere from 10,000 to 60,000
systems have been part of this botnet, and that some keylogging software has
been involved. These are unconfirmed reports, but they are quite plausible.
The botnet uses a number of different propagation mechanisms, but it is most
successful in doing some social engineering. For example,
infected systems will masquerade as AOL Instant Messenger "buddies" by
including a reference in away messages
with something like:
i just made a screensaver! everyone check it out
http:/www.esynx.com/screensaver.scr click open to see it!!
The above mentioned file at the website is actually the malware used by the
botnet for rooting an unsuspecting system. An infected system then tries to
contact an IRC server (6667/tcp) at "sharp.esynx.net" to reach a control
server.
We have since contacted the appropriate authorities who have disabled
"www.esynx.com" and "sharp.esynx.net", so the botnet growth appears to have
stopped.
However, we have discovered a web server at 152.17.18.38 that is serving up
a page or pages that reference to the same malware link. We noticed this as
a number of infected systems had gone to this website with AOL Instant
Messenger only to be tempted to link to the malware page without knowing its
real content.
Unfortunately, I don't have a specific URL to give you, other than
http://demo.buddygopher.com. All I know is that the web server looks to be
a possibly unconfigured -- possibly hacked (?) Apache implementation.
Even though the botnet growth appears to have subsided, and assuming that
152.17.18.38 is within your administrative domain, you might be interested
in looking further into this.
I've included some other interesting information below. Thanks.
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
757-221-1536
chmorl at wm dot edu
---------------------------------------------------
; <<>> DiG 9.2.2 <<>> demo.buddygopher.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32098
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;demo.buddygopher.com. IN A
;; ANSWER SECTION:
demo.buddygopher.com. 84212 IN A 152.17.18.38
;; AUTHORITY SECTION:
buddygopher.com. 1412 IN NS ns1.buddygopher.com.
buddygopher.com. 1412 IN NS ns2.buddygopher.com.
;; ADDITIONAL SECTION:
ns1.buddygopher.com. 170612 IN A 152.17.18.34
ns2.buddygopher.com. 1412 IN A 152.17.18.35
;; Query time: 3 msec
;; SERVER: 128.239.100.2#53(128.239.100.2)
;; WHEN: Fri May 14 10:45:47 2004
;; MSG SIZE rcvd: 122
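The report above gives three indicators a campus network team could pivot on: the lure link to screensaver.scr on www.esynx.com pasted into AIM away messages (note the single-slash "http:/" in the quoted message, which an exact-match filter would miss), the IRC control server sharp.esynx.net, and outbound 6667/tcp. The following triage script is an added example, not part of the e-mail or of BuddyGopher's code: it scans away-message text for .scr lure links and correlates proxy, BIND query-log and netfilter lines per client address. The log lines, client IPs, screen names and the proxy log format are constructed for the example, and the two-indicator threshold is an assumption.

```python
"""Triage helper for the Agobot/Phatbot AIM-lure campaign described above.

Indicators come from the e-mail: the lure URL on www.esynx.com serving
screensaver.scr and the IRC control server sharp.esynx.net on 6667/tcp.
All log lines below are constructed for the example; the proxy format is
hypothetical, the DNS and firewall lines mimic BIND query-log and netfilter
output but are not real captures.
"""
import re
from collections import defaultdict

LURE_HOSTS = {"www.esynx.com", "esynx.com"}   # quoted in the report
C2_HOSTS = {"sharp.esynx.net"}                # IRC control server from the report
C2_PORT = 6667                                # 6667/tcp per the report

# The lure pasted into away messages had a malformed scheme ("http:/www...").
# Accept one or two slashes so that variant is still caught.
LURE_URL_RE = re.compile(
    r"https?:/{1,2}(?P<host>[a-z0-9.-]+)(?P<path>/[^\s\"'<>]*\.scr)\b",
    re.IGNORECASE,
)
# Constructed line formats (assumptions for this example):
#   proxy: "<epoch> <client_ip> GET <url> <status>"
#   BIND query log: "... client <ip>#<port>: query: <name> IN A ..."
#   netfilter: "... SRC=<ip> DST=<ip> PROTO=TCP ... DPT=<port> ..."
PROXY_RE = re.compile(r"^\S+ (?P<client>\d+\.\d+\.\d+\.\d+) GET (?P<url>\S+) (?P<status>\d{3})$")
DNS_RE = re.compile(r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN A")
FW_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*PROTO=TCP .*DPT=(?P<dport>\d+)")


def find_lure_urls(text):
    """Return (host, path) for every .scr download link found in free text."""
    return [(m.group("host").lower(), m.group("path")) for m in LURE_URL_RE.finditer(text)]


def classify_url(host, path):
    """'lure' for the known campaign host, 'suspicious' for any other .scr link."""
    return "lure" if host in LURE_HOSTS else "suspicious"


def scan_away_messages(messages):
    """messages: iterable of (screen_name, away_text) pairs, as a crawler would see them."""
    hits = []
    for name, text in messages:
        for host, path in find_lure_urls(text):
            hits.append((name, host, path, classify_url(host, path)))
    return hits


def correlate(proxy_lines, dns_lines, fw_lines):
    """Map each client IP to the set of indicators observed for it."""
    evidence = defaultdict(set)
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        for host, path in find_lure_urls(m.group("url")):
            tag = "fetched_lure" if host in LURE_HOSTS else "fetched_scr"
            evidence[m.group("client")].add(tag)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and m.group("name").rstrip(".").lower() in C2_HOSTS:
            evidence[m.group("client")].add("resolved_c2")
    for line in fw_lines:
        m = FW_RE.search(line)
        if m and int(m.group("dport")) == C2_PORT:
            evidence[m.group("src")].add("irc_6667")
    return dict(evidence)


def likely_infected(evidence, min_indicators=2):
    """Clients showing at least min_indicators distinct indicators (threshold is an assumption)."""
    return sorted(ip for ip, tags in evidence.items() if len(tags) >= min_indicators)


# Constructed sample input (not real data).
AWAY_MESSAGES = [
    ("buddy_a", "i just made a screensaver! everyone check it out "
                "http:/www.esynx.com/screensaver.scr click open to see it!!"),
    ("buddy_b", "at lunch, back at 2"),
    ("buddy_c", "new pics http://example.org/photos.html"),
    ("buddy_d", "lol check this http://example.net/cool.scr"),
]
PROXY_LOG = [
    "1084542300.101 10.1.2.3 GET http://www.esynx.com/screensaver.scr 200",
    "1084542301.550 10.1.2.4 GET http://demo.buddygopher.com/ 200",
    "1084542302.007 10.1.2.5 GET http://example.net/cool.scr 404",
]
DNS_LOG = [
    "14-May-2004 10:30:02.114 client 10.1.2.3#1054: query: sharp.esynx.net IN A",
    "14-May-2004 10:30:05.200 client 10.1.2.4#1055: query: demo.buddygopher.com IN A",
]
FW_LOG = [
    "May 14 10:30:03 gw kernel: OUT SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=1056 DPT=6667",
    "May 14 10:30:09 gw kernel: OUT SRC=10.1.2.4 DST=192.0.2.11 PROTO=TCP SPT=1057 DPT=80",
]

if __name__ == "__main__":
    for hit in scan_away_messages(AWAY_MESSAGES):
        print("away message:", hit)
    ev = correlate(PROXY_LOG, DNS_LOG, FW_LOG)
    for ip, tags in sorted(ev.items()):
        print(ip, sorted(tags))
    print("likely infected:", likely_infected(ev))
```

The point of the correlation step is that a single hit (a 404 for some other .scr file, or a lone DNS lookup) only earns a low-confidence tag, whereas a host that fetched the lure, resolved the control server and then opened 6667/tcp is the one to pull off the network first.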