Security Basics mailing list archives

RE: New trojan turns home PCs into porno Web site hosts


From: "D N Vaidya" <dnvaidya () rilinfo net>
Date: Thu, 24 Jul 2003 09:34:42 +0530

I think, after studying how this system works, now we need to concentrate on
how to protect innocent users from this. According to me, everybody who is
using this type of Internet connection should use personal firewall
freeware applications to protect themselves. Either the user should upgrade
themselves in this matter or the service provider should make the user aware
of it. Also, if the user is using Win2K Server or Professional, then it installs
IIS by default. So again the threat of Nimda is there. For SQL Server, the threat
of a Slammer attack is there.

So I think the best option to protect ourselves while using this service is that
we need to have strong antivirus installed, also a personal firewall with an ANY
deny rule in the inward direction, and to upgrade the OS with the latest patches
and hotfixes; that can give 90% protection from these types of threats.

"Security Focus can and will do the different"

Sincerely,
D.N.Vaidya


-----Original Message-----
From: James Fields [mailto:jvfields () tds net]
Sent: Tuesday, July 15, 2003 10:33 PM
To: james () tuksfm co za
Cc: security-basics () securityfocus com
Subject: RE: New trojan turns home PCs into porno Web site hosts


The original poster said that the DNS servers are running on *other*
computers - but didn't say if he switches DNS every so often.  He also
said the TTL on those DNS entries is only about 10 minutes, so actually
switching the web sites *should* work assuming that other DNS servers
respect the way TTLs are supposed to work.

On Mon, 2003-07-14 at 02:35, James wrote:
I have a question, since I don't know as much as I'd like to about the
way the internet works...

You said that the victim's machine runs a DNS. But wouldn't you have to
wait for other Domain Name Servers to update before the page would be
viewable, like the ISP's DNS and the DNSs pointing to that one and so
on? That takes +/- 24 hrs, doesn't it?

So how can the page remain viewable if it changes hosts every 10
minutes?

_James




On Mon, 2003-07-14 at 20:07, Paul Kurczaba wrote:
What is the name of the virus? Is it described on mcafee.com or
symantec.com?

Paul

-----Original Message-----
From: David Vertie [mailto:verticalrave () hotmail com]
Sent: Sunday, July 13, 2003 2:45 AM
To: ge () egotistical reprehensible net; security-basics () securityfocus com
Subject: RE: New trojan turns home PCs into porno Web site hosts


You are right, ge. The scans on ADSL lines and cable lines are annoying. I
have ADSL here, and on the first day, when I connected my Linux box to the
internet and loaded its filtering rules, I was seeing a huge influx of scans
coming to my box with spoofed packets, attempted teardrop attacks and some
weird stuff too.

Can't say I saw it coming. Lots of home PCs that are connected to the internet
get themselves cracked because they aren't very protected, and as a result,
cause a nice percentage of problems on the internet.

About the real issue at hand: report it to the authorities, and try to find the
ISPs of the home IPs being used and see if they will help out. That is about
all that I can add to ge's post.

David


From: "ge" <ge () egotistical reprehensible net>
To: "'BUGTRAQ@SECURITYFOCUS. COM'" <BUGTRAQ () SECURITYFOCUS COM>
Subject: RE: New trojan turns home PCs into porno Web site hosts
Date: Fri, 11 Jul 2003 22:05:33 -0700

Some individual appears to have hijacked more than 1,000 home
computers starting in late June or early July and has been installing a
new trojan horse program on them.

Let us consider ourselves lucky. That is an extremely low number.

To make it more difficult for these web sites to be shut down, a
single home computer is used for only 10 minutes to host a site.  After
10 minutes, the IP address of the Web site is changed to a different home
computer.  The hacker is able to do this quick switching because he
has installed DNS name servers for his domains on other home computers
under his control.  The DNS name servers specify that a
hostname-to-IP-address mapping should only live for 10 minutes.

As I see it, someone in the States should file a complaint with the FBI
(if one has not already been charged) and they can handle this guy. If
not, the best way, as I see it, is to check where the Trojan gets the
information it uses from, a.k.a. where it connects. That should give you the
right IP for the abuse mail. If you get rid of that one IP, you effectively
get rid of the thousand infected machines.

Some of the domain names used by the Web sites of the trojan are:

   onlycoredomains.com
   pizdatohosting.com
   bigvolumesites.com
   wolrdofpisem.com
   arizonasiteslist.com
   nomorebullshitsite.com
   linkxxxsites.com

Here's a place to start with the abuse mails, find out what ISP hosts
them and cross your fingers they won't send your emails to /dev/null.

It is not known at the present time how the trojan gets installed on
people's computers.  My theory is that the Sobig.e virus might be
involved, but the evidence is not strong at the moment.

The DSL and cable IP ranges get scanned _even_ more than the rest of
the world. Anybody remember that paper that stated a computer would
get scanned 36 hours after it establishes a connection to the Internet?
Well, I am on ADSL with my home machine, and surprisingly enough I got
hit the second I switched to ADSL, and I get ten to fifteen scans a
minute. That said, not to mention being a secondary victim of kiddies
using these IP ranges to spoof attacks (ICMP echo 3).

Richard M. Smith
http://www.ComputerBytesMan.com


      Gadi (i.e. ge),
      ge () linuxbox org.

--------
gevron () netvision net il
PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.



--
James V. Fields
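The 10-minute TTL rotation that the quoted article and James Fields describe is what is now called fast-flux hosting, and the low TTL is also what makes it visible to a defender who keeps resolver logs. The following is an added example, not code from anyone in this thread: it reads a constructed resolver log (placeholder names in `.test` and RFC 5737 documentation addresses, all invented here) and flags names that combine a short TTL with many distinct addresses. A short TTL on its own is not evidence, since CDNs use them too, which is why the address count is required as well.

```python
"""Flag domains whose A records behave like the rotating scheme in the thread:
short TTL (the posts cite ~10 minutes) and many distinct IPs over time."""
from collections import defaultdict

# Constructed sample of resolver log lines: "<epoch> <qname> A <ip> ttl=<seconds>".
# Names and addresses are placeholders, not real observations.
SAMPLE_LOG = """\
1058000000 example-flux.test A 192.0.2.10 ttl=600
1058000600 example-flux.test A 192.0.2.11 ttl=600
1058001200 example-flux.test A 198.51.100.7 ttl=600
1058001800 example-flux.test A 203.0.113.42 ttl=600
1058002400 example-flux.test A 192.0.2.99 ttl=600
1058000000 static-site.test A 192.0.2.1 ttl=86400
1058003600 static-site.test A 192.0.2.1 ttl=86400
1058000000 cdn-like.test A 192.0.2.50 ttl=60
1058000060 cdn-like.test A 192.0.2.51 ttl=60
"""


def parse_log(text):
    """Yield (timestamp, qname, ip, ttl) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A" or not parts[4].startswith("ttl="):
            continue
        try:
            yield int(parts[0]), parts[1], parts[3], int(parts[4][4:])
        except ValueError:
            continue


def flux_candidates(text, max_ttl=600, min_ips=4):
    """Return {qname: sorted distinct IPs} for names whose every observed TTL is
    at or below max_ttl AND that resolved to at least min_ips distinct addresses.
    Both conditions together separate rotation from an ordinary low-TTL CDN name."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _, qname, ip, ttl in parse_log(text):
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    return {q: sorted(ips[q]) for q in ips
            if max(ttls[q]) <= max_ttl and len(ips[q]) >= min_ips}


if __name__ == "__main__":
    for name, addrs in flux_candidates(SAMPLE_LOG).items():
        print(f"{name}: {len(addrs)} addresses within TTL<=600s: {', '.join(addrs)}")
```

Tune `max_ttl` and `min_ips` to your own traffic; the thresholds here only mirror the 10-minute figure from the thread.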