Re: irc.trojan.fgt - new variant.

[Jelmer <jkuperus () planet nl>]

Yes but like you said it uses an angelfire page, If you take it down the
virus is stopped
If it gets too succesfull bandwidth limits are exceeded. So it will never
widely spread that way
If someone where to include a webserver in the worm there's no single point
of failure




----- Original Message ----- 
From: "ge" <ge () linuxbox org>
To: <full-disclosure () lists netsys com>
Sent: Friday, November 07, 2003 10:04 PM
Subject: RE: [Full-disclosure] irc.trojan.fgt - new variant.


> > I guess It's a matter of time before someone hacks in a http server
> and makes it send out links like
> > http://victim ip/britney.jpg
> > Luckily microsoft patches stuff within 2 days, balmer said so so it
> must be true ;)
>
> Since the trojan horse really was "britney.jpg", I hope I am not
> responding to a joke. :)
>
> They already did. Without a hack to it.
>
> It started on the 26th of last months.
>
> britney.jpg came out.
>
> To remind us all, that trojan hose used one of the latest IE
> vulnerabilities to overwrite wmplayer.exe with the trojan horse itself.
> After luring the user to a simple .jpeg, that was actually HTML. So that
> IE thought it got a 404 - file not found HTML response.
>
> Two days passed, and while we saw mimic, which used the same basic way
> to fool a user into clicking on a URL for a picture of a model
> celebrity, did not install any files on the PC, it just spammed itself,
> and DDoS'd Microsoft by multiple port 80 connections.
>
> Every-day since, one to three new trojan horses came out. Always the
> same drill: 1. An angelfire website (mainly),
> http://url/pic-big-name.jpg
>
> (I would like to use this opportunity to commend angelfire again on
> their amazingly fast and serious abuse-mail correspondence and good
> work.)
>
> 2. The trojans always spams the same way, using mIRC's DDE server, with
> "URL << wow !!" as the spam, or something very similar.
> 3. The different files are not clones of one another, although some are
> quite close to being clones, with minor changes to the file name, etc.
> 4. the trojans always installs itself by replacing wmplayer.exe. In
> later variations it copies itself to a few more locations.
>
> The basic parameters of these trojan horses are the same:
>
> They spam themselves, making sure others would click on that believable
> URL, without any weird ".bat" or ".pif" etc. after the ".jpg" in the
> file name, and then proceed to _seriously_ cripple, although not
> destroy, the user's machine.
>
> The latest "releases" of these trojans are NOT clones.
>
> I believed that the biggest issue with britney.jpg would be copy-cats,
> and that is what scared me.
> I was wrong.
>
> This mal-ware spreads at incredible speed online, infecting and
> destroying an incredible amount of computers (which is reasonable
> considering the amount of us who would click on a URL for a super-model
> picture........). and then when the URL dies, a new trojan (or two...
> even three) are released with the exact same modus operandi.
>
> The trojans have two objectives: one - multiply, and then destroy.
> Somewhat of a kamikaze suicide bomber. Lately the boundaries between
> "viruses" and other types of... "viruses" like trojan horses and worms
> are thinning beyond recognition. In my opinion in any case.
>
> The sites are usually exceeding their allowed bandwidth use of the day
> long before they are closed, which comes to show of the enormous
> "clicking" people do.
>
> It is my firm belief that all these trojan horses have a common author,
> and that he himself maintains his trojan's infectious state by just
> releasing more "new" trojan horses to the wild. All just as destructive.
>
> This is the most concentrated assault I have ever seen by a mal-ware
> WRITER, vs. just the mal-ware.
>
> Personally, I don't get it, but that's probably just me.
>
> I hope this information helps somebody out there, hopefully the FBI?
> This attack may be over - although we are not sure yet, but I doubt we
> heard the last of this guy.
>
>       Gadi Evron (i.e. ge),
>       ge () linuxbox org.
>
> --------
> gevron () netvision net il -
> PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
> Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
>
> The Trojan Horses Research mailing list - http://ecompute.org/th-list
>
> My resume (Hebrew) - http://vapid.reprehensible.net/~ge/resume.rtf
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html