Security Incidents mailing list archives

Unidentified Trojan? -- Hope this helps


From: JamesWilson () THEPENTAGON COM (James Wilson)
Date: Fri, 19 May 2000 17:51:06 -0400


Richard Ginski wrote:

We have been monitoring some strange activity regarding a possible trojan on some of our systems. Unfortunately, this 
explanation has to be long, in order to paint the whole picture:

1) We first noticed that there was a problem when we noticed that two of our INTERNAL DNS servers appeared to be 
affected by DNS cache poisoning. It was stumbled on accidentally when someone entered a typo in a URL (omitting a 
":" when specifying a port number to one of our intranet sites) and was re-directed to a porn site: 216.65.124.73 
(internalmachine.domain&portnumber). We figured it was cache poisoning because I could not fathom that the DNS 
servers would "learn" a host address for which there are no root servers.

2) I checked our firewall logs as to who may have also (involuntarily) been connecting to this IP address 
(216.65.124.73) and found over 25 machines trying to connect to this site using different port numbers (not HTTP). 
First, the machines used ping (we don't allow outbound ping), then used various ports. Finally, the machines just 
tried to connect to this site using CIFS.

It appears that once the machines are turned on, the "trojan" activity would begin. We tried to narrow down what 
could be causing this (activity went on for two days); then the activity ceased. Anti-virus software has always been 
installed on these machines (Inoculan) and we manually scanned one of the machines just to make sure the real time 
scanner did not miss anything. Nothing was found. The dates for which this occurred were 4/26 and 4/27. During those 
two days we were able to restart/login to these machines and watch the activity with a sniffer as we tried to determine the 
culprit.

3) We felt we had taken a number of precautions to prevent any further damage, including, notification when any more 
attempts were made to connect to the IP address 216.65.124.73.

4) Well, it started happening again on Tuesday of this week (5/16) and continued till yesterday (5/17). It appears 
that now the "destination port of choice" is TCP port 524 to the same IP address, which I cannot identify with 
any type of service. Approximately 25 machines (different machines than the machines before, on different network 
segments) were affected. Unlike before, we could not reboot/login to these machines and cause them to make 
additional connection attempts, which seemed to stimulate the activity before.

5) Today (5/18), no connect attempts were made to 216.65.124.73. However, doing a search on destination port 524 
revealed that machines are now trying to connect to some of our HTTP servers in our DMZ.

All of the machines affected are Windows based (95/98 and NT).

To the best of our knowledge, all attempts to connect to this outside address have failed due to our firewall.

Has anyone had any experience with this behavior? Can anyone identify TCP port 524?

Any input would be greatly appreciated!

As far as Win32 based Trojans go, it's rather easy to hide a well known trojan (e.g. SubSeven); one method would be to add 
extra junk to the end of the executable, thus changing the signature/parameters, which will cause a scanner such as 
Inoculan or NAV to think it's OK. Have you scanned an entire range of ports (1-65553, may be more, but that's the limit 
that pops in my head) on a few of the machines to see if you get any suspicious responses?

Bottom line is, you should check all of the startup files (WIN.INI, ....) and your registry on your boxes for funky 
lines that start weird programs. If it's a name that you recognize, compare the size of that program to a trustworthy 
source (Win98 CD) and see what you get. If the size is different then you may have found the bug. I know for one thing 
that SubSeven has all of the functions that would explain the symptoms that you are experiencing.

hope this helps,

    James Wilson

    Techsonic Industries
    Five Humminbird Lane
    Eufaula, Alabama 36027
    334-687-6613 Ext. 1187
    FAX: 334-687-1165
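The startup-entry check described in the reply above, as an added example that is not part of the original post or of any product mentioned in it: it parses a constructed WIN.INI fragment and a constructed .reg export of the Run key, then compares the size of each program they start against a constructed "trusted copy" baseline. File names and sizes are assumptions made up for the example.

```python
import re

# Constructed sample [windows] section of WIN.INI; load= and run= start programs at logon.
WIN_INI = """[windows]
load=C:\\WINDOWS\\SYSTEM\\mprexe.exe
run=C:\\WINDOWS\\winupd.exe
NullPort=None
"""

# Constructed .reg export of the Run key (backslashes are doubled in .reg files).
RUN_KEY_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="C:\\WINDOWS\\winupd.exe"
"""

# Constructed sizes: what a trusted copy (e.g. the install CD) reports, and what the suspect box has.
TRUSTED_SIZES = {"mprexe.exe": 59392, "systray.exe": 36864}
SUSPECT_SIZES = {"mprexe.exe": 61440, "systray.exe": 36864, "winupd.exe": 372736}


def startup_entries_from_win_ini(text):
    """Return the programs named on load=/run= lines of the [windows] section."""
    entries, in_windows = [], False
    for line in text.splitlines():
        if line.startswith("["):              # section header
            in_windows = line.strip().lower() == "[windows]"
            continue
        key, _, value = line.partition("=")
        if in_windows and key.strip().lower() in ("load", "run"):
            entries += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return entries


def startup_entries_from_reg(text):
    """Return the command values from a .reg export of a Run key, with \\\\ unescaped."""
    return [m.group(1).replace("\\\\", "\\")
            for m in re.finditer(r'^"[^"]*"="(.*)"$', text, re.M)]


def check_startup(entries, suspect, trusted):
    """Flag each startup program whose size is unknown or differs from the trusted copy."""
    verdicts = {}
    for path in entries:
        name = re.split(r"[\\/]", path)[-1].lower()   # basename, case-folded
        if name not in trusted:
            verdicts[name] = "unknown: not in trusted baseline"
        elif suspect.get(name) != trusted[name]:
            verdicts[name] = "size mismatch: possible modified binary"
        else:
            verdicts[name] = "ok"
    return verdicts
```

A size match is only a weak check; comparing a cryptographic hash of the file against the trusted copy catches modifications that preserve length.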
