Security Incidents mailing list archives

Re: unknown trojan (attached) (fwd)


From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Mon, 12 Jun 2000 11:18:18 -0700


In any case, it looks like
1. it connects to 208.139.192.34 on port 23911 to register itself.
2. binds to udp port 52901.
3. changes argv to be identd and fork/exec's to change process name
4. functions on the client:
time
stats
reps
size
port
igmp
udp
all
icmp
stream
update
ping
halt-xt
gotrcp

The binary sent was not stripped, so functionality should be obvious with
gdb.

my $0.02

cheers,
david

On Sun, 11 Jun 2000, Jeremy L. Gaddis wrote:

> > All right, I'm wondering why you, or others, feel that adding a password
> > to a zipped file is useful. I would have liked to take a quick look at
> > it, but I do not look at that sort of thing on a windows machine
>
> There are several hundred users on this list.  Many of them are subscribed
> at work, where incoming e-mail passes through virus scanners.  Most virus
> scanners are smart enough to decompress zip files and scan their contents.
> If a virus *is* encountered, the message is usually just discarded.  This
> wouldn't do me any good if a virus scanner found out what it was, but just
> discarded it.
>
> > Please, either take the password off the file at your site, or help me
> > to understand why you feel that adding a password is useful. Yes, there
> > are ways around it (for me), but you are asking for help or advice.
> > Adding a password (that you announced to the list, anyway) does not make
> > zip in any of its incarnations more secure. Use pgp for that.
>
> I wasn't trying to "secure" the file, just allow it to pass through virus
> scanners.  The file is also available gzip'd, at:
>
> http://www.blueriver.net/~jlgaddis/trojan.exe.gz.
>
> -jg
>
> --
> Jeremy L. Gaddis   <jlgaddis () blueriver net>


#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."
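Added detection example (not code from the original post or its author): a small Python check that applies the three indicators listed in the analysis above to `netstat -anp` output. It assumes Linux netstat formatting, and the sample lines it runs on are constructed here; it flags the registration connection, the UDP 52901 listener, and any process calling itself identd that is not serving tcp/113 (the only port a genuine identd uses).

```python
import re
# Indicators from the analysis above (constructed sample input further down)
C2_ADDR = ("208.139.192.34", 23911)   # registration connection, tcp
BACKDOOR_UDP_PORT = 52901             # port the trojan binds
IDENTD_PORT = 113                     # the only port a genuine identd serves

# One `netstat -anp` line: proto recv-q send-q local foreign [state] pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+|-)/?(?P<prog>\S*)$"
)

def split_addr(addr):
    """'10.0.0.5:1034' -> ('10.0.0.5', 1034); a '*' port becomes 0."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else 0

def parse_netstat(text):
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header and unix-socket lines
        lhost, lport = split_addr(m.group("local"))
        fhost, fport = split_addr(m.group("foreign"))
        recs.append({"proto": m.group("proto"), "lport": lport, "fhost": fhost,
                     "fport": fport, "pid": m.group("pid"), "prog": m.group("prog")})
    return recs

def find_indicators(text):
    """Return one finding string per socket that matches an indicator."""
    findings = []
    for r in parse_netstat(text):
        who = f"pid {r['pid']} ({r['prog'] or '?'})"
        if r["proto"] == "tcp" and (r["fhost"], r["fport"]) == C2_ADDR:
            findings.append(f"{who}: registration connection to {C2_ADDR[0]}:{C2_ADDR[1]}")
        if r["proto"] == "udp" and r["lport"] == BACKDOOR_UDP_PORT:
            findings.append(f"{who}: listener on udp/{BACKDOOR_UDP_PORT}")
        # argv was rewritten to "identd"; anything but tcp/113 under that name is suspect
        if r["prog"] == "identd" and (r["proto"], r["lport"]) != ("tcp", IDENTD_PORT):
            findings.append(f"{who}: process named identd using {r['proto']}/{r['lport']}")
    return findings

# Constructed sample: a clean identd (pid 211) next to the renamed trojan (pid 412)
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address        State       PID/Program name
tcp        0      0 0.0.0.0:113        0.0.0.0:*              LISTEN      211/identd
tcp        0      0 10.0.0.5:1034      208.139.192.34:23911   ESTABLISHED 412/identd
udp        0      0 0.0.0.0:52901      0.0.0.0:*                          412/identd
udp        0      0 0.0.0.0:123        0.0.0.0:*                          98/ntpd
"""
```

Calling `find_indicators(SAMPLE)` reports pid 412 three times (the C2 connection, the UDP listener, and the identd name mismatch) and stays silent on the real identd at pid 211.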