AOL has cut off access to certain IP addresses from its instant messenger network in order to slow down the possible impact of a bot spreading over AIM.
"I will note that this started with a click happy user on AIM to the best of our knowledge," SANS diarist Scott Fendley wrote in the opening of the report.
The SANS Internet Storm Center posted about a submitted report on a bot making the rounds via AIM. The bot attempts to contact other bots and sites by using an encrypted P2P connection to port 8/TCP on machines.
"Flow analysis and/or tcpdump looking for mysterious port 8/TCP traffic seems to be the best way to detect these infections on your network," the report said, noting that the bot does not use DNS to find other Command & Control sites.
The submitter observed the bot's behavior on a test computer. The bot tried to connect to 22 hardcoded IP addresses over port 8/TCP. "Since it tried to contact each of these many times, and not any other IP addresses, I feel it is fairly safe to guess it was not randomly selecting IPs to obscure "the real C&Cs"."
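The detection approach the report recommends (flow analysis or tcpdump looking for unexplained port 8/TCP traffic) and the behavior the submitter observed (many repeated attempts to a fixed set of IPs) can be turned into a simple flow-log check. The following is an added example, not code from the article, the SANS report or Symantec; the flow record layout (`src dst dport proto`), the sample hosts (RFC 5737 documentation addresses) and the thresholds are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# tcpdump/BPF expression that captures the same traffic the report describes.
BPF_FILTER = "tcp and port 8"

# Port the article says the bot uses for its encrypted P2P connections.
SUSPECT_PORT = 8

# Constructed sample flow records (assumed "src dst dport proto" layout; real
# NetFlow or tcpdump output would need its own parser). 10.0.0.5 repeatedly
# polls three peers on tcp/8, which is the pattern the submitter observed.
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.10 8 tcp
10.0.0.5 192.0.2.10 8 tcp
10.0.0.5 192.0.2.11 8 tcp
10.0.0.5 192.0.2.11 8 tcp
10.0.0.5 192.0.2.12 8 tcp
10.0.0.5 198.51.100.1 443 tcp
10.0.0.7 198.51.100.2 80 tcp
10.0.0.7 192.0.2.10 8 udp
10.0.0.9 192.0.2.13 8 tcp
"""


def parse_flows(text):
    """Parse 'src dst dport proto' lines into (src, dst, dport, proto) tuples.

    Blank or malformed lines are skipped rather than aborting the scan.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        try:
            flows.append((src, dst, int(dport), proto.lower()))
        except ValueError:
            continue
    return flows


def find_port8_talkers(flows, port=SUSPECT_PORT, min_attempts=3, min_destinations=2):
    """Flag internal hosts whose TCP traffic to `port` looks like hardcoded-peer polling.

    Returns {src: {"attempts": n, "destinations": {dst: count}}} for each source
    that made at least `min_attempts` connections to tcp/`port` or talked to at
    least `min_destinations` distinct peers on it. Thresholds are assumptions;
    tune them to what is normal on your network (tcp/8 is rarely legitimate).
    """
    per_src = defaultdict(Counter)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            per_src[src][dst] += 1

    flagged = {}
    for src, dests in per_src.items():
        attempts = sum(dests.values())
        if attempts >= min_attempts or len(dests) >= min_destinations:
            flagged[src] = {"attempts": attempts, "destinations": dict(dests)}
    return flagged


if __name__ == "__main__":
    for src, info in find_port8_talkers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['attempts']} attempts to tcp/{SUSPECT_PORT}, "
              f"{len(info['destinations'])} distinct peers -> investigate")
```

Because the report notes the bot does not use DNS to locate its C&C peers, DNS-based blocklists will not see it; counting connection attempts per source and per destination is what surfaces the fixed peer list, and the repeated destinations a flagged host contacts are the addresses worth blocking at the perimeter.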
Symantec reported on its Security Response Site that the bot can propagate through email and over network shares.
Users and corporate admins should ensure their antivirus signatures are up to date. They can avoid potential exploits by verifying their systems have been updated with available patches to shut down any holes the bot could use to enter a system or a network.
http://www.securitypronews.com/news/securi...ariousBots.html