Security Incidents mailing list archives

Re: possible new trojan


From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 11 Dec 2000 21:03:57 -0800

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 10 Dec 2000, Peter Harkins wrote:

> Hm, a few hours ago someone sent me what appears to be a trojan. All
> e-mail headers were blank; the original from line was "Received: from
> gandalf (dialup-28186.dialup.ptt.ru [195.34.28.186])".
>
> It was a MIME message with a "GOEJNAGO.EXE", 20340 bytes, md5sum of
> 958aaf80d038e88448f5a9b162d40d5f. A quick strings didn't show anything
> and some web searching revealed nothing as well. As I don't have a
> windows machine I can't do much in the way of analysis. If anyone knows
> what this is or wants a copy, drop me a line.

        Peter was kind enough to send me the binary in question.  I did
some basic analysis and there are some tell-tale signs of this binary
being a trojan.  Foremost signs included:

        1.      The binary appears equipped to send an SMTP attachment,
                as evidenced by its contents:

                MIME-Version: 1.0
                Content-Type: multipart/mixed; boundary="
                Content-Type: text/plain; charset="us-ascii"
                Content-Type: application/octet-stream; name="
                Content-Transfer-Encoding: base64
                Content-Disposition: attachment; filename="

                (Note that the above lines are from the extracted binary
                and are not the MIME type data of the email I received.)

                The target payload is unknown, but probably any number of
                default password files that aren't locally encrypted.
                It is also possible that it's snagging one's PGP keyrings,
                but that is pure supposition (though I know *I'd* go for
                that if I was playing The Bad Guy).

        2.      It's not often that strings(1) output really grabs my
                attention, but when I saw the above, the following text
                really caught my eye:

                smtp
                RSET
                354
                250

                The above is a clear indication that the trojan is able to
                make an outbound connection to some SMTP system, and it
                understands valid SMTP command/response codes (e.g., RSET,
                responses to "mail from:", "rcpt to:" and "data").

        3.      It appears that the trojan also uses some form of "web
                bug" to acquire IP addresses of affected machines.  Color
                me shocked.  ;)

        I'm a Solaris goon, so if anyone has a Windows box that's isolated
and they'd like to play with this trojan, you can snag a copy at
http://www.treachery.net/~jdyson/trojans/.

- -Jay

   (                                                             ______
   ))   .-- "There's always time for a good cup of coffee." --.   >===<--.
 C|~~| (>------- Jay D. Dyson --- jdyson () treachery net -------<) |   = |-'
  `--'  `- I'm not surrounded, I just have more targets now. -'  `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: E-mail me for my PGP Public Key.

iQCVAwUBOjWxwdCClfiU/BIVAQEXIwQAjPX6UmHtnwxQ3DrVlW7rPyMfnCZct4vC
trNksUriiZfuwb1Gtro0Qtp6YbRbBCuuI+BTIYshxYBy7+78EEawIPSIFiv8tLmi
Rw+6QZjHLNlL0sWR9nQ391Un1IL3nbE5pOvjsYx4w2ip0vX1J/072foJBTe52wJV
EDAZcpWpE00=
=0jtI
-----END PGP SIGNATURE-----
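The triage Jay describes above (run strings(1) over the unknown binary and look for MIME attachment headers, SMTP reply codes and a beacon URL) can be scripted so the same check is repeatable on the next sample. The following is an added example, not code from the original post; the indicator lists are taken from the strings reported above, while the extra SMTP verbs (HELO, EHLO, MAIL FROM, RCPT TO, DATA), the URL check for the "web bug", the two-hit verdict threshold and the embedded sample bytes are my own assumptions, and the sample is a constructed stand-in rather than the real GOEJNAGO.EXE.

```python
import hashlib
import re

# Indicators built from the strings reported in the post (MIME attachment
# headers, the 250/354 reply codes and RSET).  The additional SMTP verbs
# and the URL check are assumptions about what such a mailer also carries.
MIME_MARKERS = (
    "MIME-Version: 1.0",
    "Content-Type: multipart/mixed; boundary=",
    "Content-Type: application/octet-stream; name=",
    "Content-Transfer-Encoding: base64",
    "Content-Disposition: attachment; filename=",
)
SMTP_CODES = ("250", "354")  # reply codes seen in the post
SMTP_WORDS = ("smtp", "RSET", "HELO", "EHLO", "MAIL FROM", "RCPT TO", "DATA")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal strings(1): maximal runs of printable ASCII of at least min_len.

    The default of 4 matches strings(1); a bare three-digit reply code is
    therefore only seen if the binary stores it with a trailing space or
    CRLF, which mailers usually do.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(strs: list) -> dict:
    """Match the indicator sets against a list of extracted strings.

    Reply codes must be a whole string on their own (after stripping
    whitespace) so that e.g. "version 2.50" is not counted as a 250 reply.
    SMTP verbs are matched case-insensitively as whole words.
    """
    mime = [m for m in MIME_MARKERS if any(m in s for s in strs)]
    codes = [c for c in SMTP_CODES if any(s.strip() == c for s in strs)]
    words = [w for w in SMTP_WORDS
             if any(re.search(r"(?<![A-Za-z])%s(?![A-Za-z])" % re.escape(w), s, re.I)
                    for s in strs)]
    urls = [u for s in strs for u in URL_RE.findall(s)]
    return {"mime": mime, "smtp_codes": codes, "smtp_words": words, "urls": urls}


def triage(data: bytes) -> dict:
    """Static triage of an unknown binary along the lines of the post."""
    report = find_indicators(extract_strings(data))
    smtp_hits = len(report["smtp_codes"]) + len(report["smtp_words"])
    # Heuristic verdict (assumption): attachment headers *and* SMTP protocol
    # fragments together suggest the file can mail something out on its own.
    report["mailer_capable"] = len(report["mime"]) >= 2 and smtp_hits >= 2
    report["md5"] = hashlib.md5(data).hexdigest()
    report["size"] = len(data)
    return report


# Constructed stand-in for a suspicious blob: junk bytes around the kind of
# strings the post reports.  This is NOT the real GOEJNAGO.EXE.
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"MIME-Version: 1.0\r\n\x00"
    b'Content-Type: multipart/mixed; boundary="\x00'
    b'Content-Type: application/octet-stream; name="\x00'
    b"Content-Transfer-Encoding: base64\x00"
    b'Content-Disposition: attachment; filename="\x00'
    b"\x01\x02smtp\x00RSET\x00354 \x00250 \x00"
    b"http://example.invalid/cgi-bin/bug.cgi?id=\x00"
    b"\xde\xad\xbe\xef"
)

# Constructed benign blob with near-miss strings (a "2.50" version number,
# "354a" build tag) that a naive substring match would flag.
BENIGN_SAMPLE = b"MZ\x90\x00\x03\x00Hello, world!\x00version 2.50 build 354a\x00"


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(blob))
```

Run it against a real file with `triage(open(path, "rb").read())`; the size and md5 in the report can be compared with the values Peter gives for his copy, and anything the script misses is a cue to lower min_len or add markers rather than to trust a clean verdict.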
