Security Incidents mailing list archives

Re: new(?) windows irc ddos trojan


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Sat, 10 Mar 2001 19:18:55 -0700

On Sat, 10 Mar 2001, Pete Schmitt wrote:

      When it's running, a netstat -an shows the following (smb stuff left
out for clarity):
TCP     0.0.0.0:1029    0.0.0.0 listen
TCP     0.0.0.0:113     0.0.0.0 listen
TCP     192.168.1.2:1029 199.173.178.35 EST #this is dalnet.away.net

BTW, I don't know if you're aware.. Windows 9x has a problem with its
Netstat reporting... it shows ports as "listening" that are in fact just
being used to make client connections.  I.e. you see the port 1029 is
being used to contact the dalnet server.  So, it's just listening on
ident, as you've noted.  Many IRC servers require ident for whatever
reason before they will let you connect.


      The 192.x.x.x address is my local NAT'ed address. I'm running behind a
Linux-router project firewall box. Hence, our little friend couldn't
complete his duties.

I suspect it could.. unless you block IRC out or it was trying to DCC
send, only.  Since it's acting strictly as a client, it was probably at
least able to "call home".

      I have ethereal packet dumps of what it's up to. All I need is a place
to send them.

I'll take a look.  Please send them to me off-list.  Did you manage to
capture any binaries?  Did I understand you to say that the machine has
been reformatted already?

                                        Ryan
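An added triage example (not code from the thread or from either poster) that applies Ryan's point: on Windows 9x, a "listening" entry whose local port also appears in an ESTABLISHED entry is just the client side of an outbound connection, so only listeners without such a partner deserve a look. The netstat text is constructed from the lines Pete quoted plus one made-up extra listener on port 5000.

```python
IDENT_PORT = 113

# Constructed sample in the abbreviated form quoted in the thread; the
# 0.0.0.0:5000 line is made up to exercise the "real listener" branch.
SAMPLE_NETSTAT = """\
TCP     0.0.0.0:1029    0.0.0.0 listen
TCP     0.0.0.0:113     0.0.0.0 listen
TCP     0.0.0.0:5000    0.0.0.0 listen
TCP     192.168.1.2:1029 199.173.178.35 EST
"""


def parse_netstat(text):
    """Return (proto, local_port, remote, state) tuples from netstat -an text.

    State is normalised to LISTEN / EST so that both the abbreviated form
    quoted in the thread and real LISTENING / ESTABLISHED output parse."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # skip headers, UDP and blank lines
        proto, local, remote, state = parts[0], parts[1], parts[2], parts[3].upper()
        local_port = int(local.rsplit(":", 1)[1])
        if state.startswith("LISTEN"):
            state = "LISTEN"
        elif state.startswith("EST"):
            state = "EST"
        rows.append((proto, local_port, remote, state))
    return rows


def classify_listeners(rows):
    """Map each LISTEN port to a verdict using the Win9x netstat quirk.

    A LISTEN entry sharing its local port with an EST entry is the client
    socket of that outbound connection, not a service accepting calls."""
    established = {port for _, port, _, state in rows if state == "EST"}
    verdict = {}
    for _, port, _, state in rows:
        if state != "LISTEN":
            continue
        if port in established:
            verdict[port] = "client-side port (Win9x netstat artifact)"
        elif port == IDENT_PORT:
            verdict[port] = "ident listener (often required by IRC servers)"
        else:
            verdict[port] = "real listener: investigate"
    return verdict


if __name__ == "__main__":
    for port, why in sorted(classify_listeners(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(f"{port:>5}  {why}")
```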
