EH-Net

Ethical Hacking Discussions and Related Certifications => Incident Response => Topic started by: oleDB on August 31, 2006, 06:16:12 PM



Title: MS06-040 Botnets
Post by: oleDB on August 31, 2006, 06:16:12 PM
Anybody else see any significant activity?

We had quite a bit and had to block access to 7 different IRC servers, most in Korea but some in China. It was based off of Rbot and issued commands to have the infected computers scan on both 139 and 445 for targets. It also spread via open or weak shares. The funny thing is that it had a rootkit component which was probably the easiest rootkit to remove that I've ever seen. It didn't make that many reg changes and was zapped instantly by our AV. Overall, it was hardly able to do any damage to the machines; however, it did generate a lot of noisy scan activity. Another unique thing about this bot was that it was running its IRC channel on port 443 to try to hide in the normal SSL traffic, but it stood out like a sore thumb. ISC is reporting an NT version of this, however I'm thinking that it's just a target of opportunity because it's no longer supported. Hope you don't have any NT still running :-)
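
The two behaviours the post describes (IRC command traffic on port 443 that is not actually SSL, and infected hosts sweeping 139/445 for new targets) are both easy to pick out of flow records with a few heuristics. The following is an added example written for this thread, not code from the original poster; the flow records are constructed, the first-bytes check for a TLS handshake (record type 0x16, version 0x03) is a simplification, and the scan threshold of five distinct targets is an assumed tuning value, not anything the post specifies.

```python
"""Flag plaintext IRC on 443 and SMB target sweeps in connection records.

Added example for the thread above; the data below is constructed and the
heuristics (TLS first-bytes check, scan threshold) are assumptions.
"""
from collections import defaultdict

# Constructed flow records: (src, dst, dport, first payload bytes sent by src).
FLOWS = [
    # Legitimate HTTPS: a TLS handshake record (0x16) for TLS/SSL 3.x (0x03).
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),
    # Bot talking IRC on 443 to blend in with SSL traffic: not a TLS record at all.
    ("10.0.0.7", "198.51.100.20", 443, b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
    ("10.0.0.7", "198.51.100.20", 443, b"JOIN #constructed key\r\n"),
    # Normal file-server use: one workstation, one SMB destination, repeatedly.
    ("10.0.0.5", "10.0.0.50", 445, b""),
    ("10.0.0.5", "10.0.0.50", 445, b""),
]
# The infected host sweeping a /24 for SMB targets on 445 and 139.
FLOWS += [("10.0.0.7", f"10.0.1.{i}", 445, b"") for i in range(1, 13)]
FLOWS += [("10.0.0.7", f"10.0.1.{i}", 139, b"") for i in range(1, 13)]

# IRC client commands that would open a session (compared case-insensitively).
IRC_VERBS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Cheap check: a TLS record starts with content type 0x16 (handshake)
    followed by the 0x03 major version byte. Good enough to separate real
    SSL from something merely parked on port 443."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def plaintext_irc_on_443(flows):
    """Return sorted (src, dst) pairs that speak IRC commands to port 443."""
    hits = set()
    for src, dst, dport, payload in flows:
        if dport != 443 or looks_like_tls_client_hello(payload):
            continue
        if payload.upper().startswith(IRC_VERBS):
            hits.add((src, dst))
    return sorted(hits)


def smb_scanners(flows, min_targets=5):
    """Return sources that contacted at least min_targets distinct hosts on
    139 or 445. Ordinary clients touch a handful of file servers; a bot
    hunting for shares touches a whole subnet."""
    targets = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport in (139, 445):
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def report(flows):
    """Combine both checks into one dict a responder can act on."""
    return {
        "irc_on_443": plaintext_irc_on_443(flows),
        "smb_scanners": smb_scanners(flows),
    }


if __name__ == "__main__":
    for kind, entries in report(FLOWS).items():
        print(f"{kind}: {entries}")
```

On the constructed data the first check returns only the bot's connection to 198.51.100.20, and the second returns only 10.0.0.7; the workstation using one file server is not flagged. In practice the interesting output is the IRC server addresses, since those are what the poster ended up blocking.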


Title: Re: MS06-040 Botnets
Post by: LSOChris on August 31, 2006, 08:39:19 PM
if you have NT running, you are just plain wrong...


Title: Re: MS06-040 Botnets
Post by: tmartin on September 05, 2006, 06:06:12 AM
Then many businesses are dead wrong. Some systems won't run on upgraded OSes. NT will be around for at least another 5 years. Until the systems go down due to an attack.


Title: Re: MS06-040 Botnets
Post by: don on September 05, 2006, 09:59:19 AM
In my work at the university, we have a number of labs that are attached to older lab equipment that simply won't run on anything newer than NT. But the equipment still does viable work for the investigators. To mitigate problems, we have removed their NICs. They complain and insist that internet access is crucial. When we explain that it's either no network or no lab results, we quickly learn how internet access was optional and not essential.

So yes, there are still some valid uses of NT, but you have to be careful out there.

Don


Title: Re: MS06-040 Botnets
Post by: LSOChris on September 05, 2006, 02:48:38 PM
Then many businesses are dead wrong. Some systems won't run on upgraded OSes. NT will be around for at least another 5 years. Until the systems go down due to an attack.

Yes, those businesses are dead wrong and they shouldn't be on the net.

Don takes the right approach: if you have a system that only runs on NT, it shouldn't be on the net.

Guess I should have been a little more specific in my reply. Believe me, I understand; work had to pay a couple of thousand dollars to have someone build a "new" 486 P2 computer because the software would only run on Windows 98! I didn't say NT wasn't useful, but running any unsupported OS is a bad idea, IMO, from a security standpoint, especially if they are tied to internal or trusted networks. There are safe ways to do it, but most people probably don't.