Security Incidents mailing list archives
unknown trojan (update)
From: jlgaddis () BLUERIVER NET (Jeremy L. Gaddis)
Date: Sun, 11 Jun 2000 02:06:46 -0500
Since first receiving the trojan, I've tracked down the person who sent it to me, and had a few discussions with him on IRC. I'm speaking to him at the moment, actually, and he just told me that he is changing the IRC server that the bots use. I've been logging IRC chats, and I've talked with the administrators of the IRC servers, who are *supposed* to start logging his connections. I've noticed he uses two different ISPs in Portugal, both of which I've been told are free ISPs. I doubt I'll really get any assistance from them. It's been my experience that free ISPs aren't too worried about what their users do, not to mention the phone number I got from a whois lookup was wrong anyways.

One of the IRC Operators on the network has been hanging around the channel the bots enter and killing them from the server. Apparently, he authenticates himself to the bot, by sending it a private /msg, and then instructs the bot to initiate a DCC chat with him. Once the bot does that, he has full access to it. He has demonstrated to me the ability to delete files from the "zombie" machine, and the ability to retrieve saved passwords from the zombie.

I have learned that the IRC server is hard-coded into the executable. He just told me "i have it hardcoded ... so I have to update the trojan ... but in next trojan version I'll implememt registry functionalities and server will be one of those". He also has told me that the password is hard-coded into the trojan. He has a new IRC server he is using, but says he will continue to visit this particular server because "...old bots will still show up here".

The trojan is available in a password protected zip file at http://www.blueriver.net/~jlgaddis/trojan.zip, with a password of "trojan", and gzip'd as trojan.exe.gz at the same URL. I would be happy to receive any suggestions, comments, etc., about the proper way of contacting the proper people (administrators, etc.).
I think I will also send a copy of the trojan to CERT, with a full explanation of what has happened. In an effort to stay in contact with the trojan's author and get as much info from him as possible, I won't post any identifying information just yet. I do believe in full disclosure, but I am slowly building trust with this person, and he tells me more every time I talk to him. Full details and IRC logs will be available as soon as possible.

-jg

--
Jeremy L. Gaddis <jlgaddis () blueriver net>
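The control sequence described in the post (a private /msg to the bot carrying the hard-coded password, after which the bot opens a DCC CHAT back to the sender) is something a network monitor can look for on the zombie's side. The following is an added detection example, not code from the post or from the trojan; the capture line format, nicks, password and timestamps are all constructed for illustration.

```python
import re

# Constructed sample: IRC lines reassembled from a capture of a suspect host's
# session, as "timestamp direction line" where '<' is from the server and '>'
# is sent by the host. Nicks, password and times are made up.
SAMPLE_CAPTURE = """\
100 > NICK bot1234
100 > JOIN #chan
105 < :ctrl!u@host PRIVMSG bot1234 :secretpass
106 > PRIVMSG ctrl :\x01DCC CHAT chat 3232235777 4000\x01
200 < :alice!u@host PRIVMSG bot1234 :hello there
300 > PRIVMSG #chan :hi all
"""

# Inbound PRIVMSG carries a ":nick!user@host" prefix; outbound does not.
IN_RE = re.compile(r'^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$')
OUT_RE = re.compile(r'^PRIVMSG (?P<target>\S+) :(?P<text>.*)$')

def find_dcc_callbacks(capture, window=30):
    """Return (peer_nick, auth_ts, dcc_ts) for each inbound *private* message
    that is answered within `window` seconds by an outbound CTCP DCC CHAT offer
    to the same nick: the bot-authentication pattern from the post."""
    my_nick = None
    last_private = {}   # nick -> timestamp of last inbound private message
    hits = []
    for line in capture.splitlines():
        ts, direction, payload = line.split(' ', 2)
        ts = int(ts)
        if direction == '>' and payload.startswith('NICK '):
            my_nick = payload.split()[1]          # nick the monitored host chose
        elif direction == '<':
            m = IN_RE.match(payload)
            # Only messages addressed to our nick, not to a channel, count as auth attempts.
            if m and my_nick and m.group('target') == my_nick:
                last_private[m.group('nick')] = ts
        elif direction == '>':
            m = OUT_RE.match(payload)
            if m and m.group('text').startswith('\x01DCC CHAT'):
                peer = m.group('target')
                if peer in last_private and ts - last_private[peer] <= window:
                    hits.append((peer, last_private[peer], ts))
    return hits
```

A legitimate client can also offer a DCC CHAT to someone who just messaged it, so treat a hit as a lead to confirm against the host (for instance by checking the binary for the hard-coded server and password the post mentions) rather than as proof on its own.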