Security Incidents mailing list archives

unknown trojan (update)


From: jlgaddis () BLUERIVER NET (Jeremy L. Gaddis)
Date: Sun, 11 Jun 2000 02:06:46 -0500


Since first receiving the trojan, I've tracked down the
person who sent it to me, and had a few discussions
with him on IRC.  I'm speaking to him at the moment,
actually, and he just told me that he is changing the
IRC server that the bots use.

I've been logging IRC chats, and I've talked with the
administrators of the IRC servers, who are *supposed*
to start logging his connections.  I've noticed he uses
two different ISPs in Portugal, both of which I've been
told are free ISPs.  I doubt I'll really get any assistance
from them.  It's been my experience that free ISPs aren't
too worried about what their users do, not to mention the
phone number I got from a whois lookup was wrong
anyways.

One of the IRC Operators on the network has been hanging
around the channel the bots enter and killing them from the
server.  Apparently, he authenticates himself to the bot by
sending it a private /msg, and then instructs the bot to initiate
a DCC chat with him.  Once the bot does that, he has full
access to it.  He has demonstrated to me the ability to delete
files from the "zombie" machine, and the ability to retrieve
saved passwords from the zombie.

I have learned that the IRC server is hard-coded into the
executable.  He just told me "i have it hardcoded ... so I
have to update the trojan ... but in next trojan version I'll
implement registry functionalities and server will be one
of those".  He also has told me that the password is hard-coded
into the trojan.  He has a new IRC server he is using,
but says he will continue to visit this particular server
because "...old bots will still show up here".

The trojan is available in a password protected zip file at
http://www.blueriver.net/~jlgaddis/trojan.zip, with a password
of "trojan", and gzip'd as trojan.exe.gz at the same URL.

I would be happy to receive any suggestions, comments,
etc., about the proper way of contacting the proper people
(administrators, etc.).  I think I will also send a copy of the
trojan to CERT, with a full explanation of what has happened.

In an effort to stay in contact with the trojan's author and get
as much info from him as possible, I won't post any identifying
information just yet.  I do believe in full disclosure, but I am
slowly building trust with this person, and he tells me more
every time I talk to him.  Full details and IRC logs will be available
as soon as possible.

-jg

--
Jeremy L. Gaddis   <jlgaddis () blueriver net>
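The control sequence described above (a private /msg to the bot, after which the bot opens a DCC chat back to the controller) is the kind of pattern a defender can look for in IRC traffic. The following is an added illustration, not code from the original post or from the trojan: it scans constructed IRC session lines for a nick that answers a private message with a DCC CHAT offer to the sender. The nicks, channel, host and password string are invented.

```python
import re

# Constructed sample of an IRC session in RFC 1459 wire format. The nicks,
# channel, host and password here are invented for this example; none of it
# is from the original post.
SAMPLE_LOG = [
    ":zombie42!u@h.example JOIN :#botchan",
    ":controller!op@h.example PRIVMSG zombie42 :!auth hunter2",
    ":alice!a@h.example PRIVMSG #general :hello everyone",
    ":zombie42!u@h.example PRIVMSG controller :\x01DCC CHAT chat 3232235778 4001\x01",
    ":alice!a@h.example PRIVMSG bob :\x01DCC CHAT chat 3232235777 4000\x01",
]

PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
DCC_CHAT_RE = re.compile(r"^\x01DCC CHAT chat (?P<ip>\d+) (?P<port>\d+)\x01$")

def dcc_ip(packed):
    """DCC carries the IPv4 address as a 32-bit decimal integer; convert it to dotted quad."""
    n = int(packed)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def find_controlled_bots(lines):
    """Flag nicks that offer a DCC CHAT to someone who had privately messaged
    them first: the auth-then-callback sequence the post describes.
    Returns (controller, bot, bot_ip, bot_port) tuples. This is a heuristic;
    a human answering a private message with a DCC CHAT offer matches too."""
    private_msgs = set()   # (sender, recipient) of non-CTCP private messages
    findings = []
    for line in lines:
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        sender, target, text = m.group("nick"), m.group("target"), m.group("text")
        if target[0] in "#&+!":   # channel traffic is not a private /msg
            continue
        dcc = DCC_CHAT_RE.match(text)
        if dcc is None:
            private_msgs.add((sender, target))
        elif (target, sender) in private_msgs:
            findings.append((target, sender, dcc_ip(dcc.group("ip")), int(dcc.group("port"))))
    return findings

if __name__ == "__main__":
    for controller, bot, ip, port in find_controlled_bots(SAMPLE_LOG):
        print(f"{bot} opened a DCC CHAT back to {controller} on {ip}:{port}")
```

On the sample, only zombie42 is reported; alice's DCC offer to bob is not preceded by a private message from bob and so is left alone.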


