Re: Possible new trojan?

[H C <keydet89 () yahoo com>]

Mike,

I'd like to give you a couple of things to consider:

1.  Did  you perform a packet capture on the network?
2.  Did you dump the process list from the machine
during this activity?
3.  What is the os of the target system (this would
help myself and others recommend tools)? 
4.  Did you check the contents of the Run,
RunServices, RunOnce Registry keys (if the target
system is a MS platform)?  How about startup
directories for the currently logged on user?  Or, if
the system is Win98, the system.ini and win.ini files?

> During a client security investigation, we
> encountered suspicious 
> traffic from a client-machine, to which we can not
> identify the source, 
> if this is a Trojan, or some sort of worm.

Again, what is the process list from the machine?  For
tools to use on NT/2K platforms, check out:

http://www.securityfocus.com/focus/microsoft/2k/forensictools.html


> The client machine had for three days been sending
> excessive requests 
> to port 80, to two different IP-addresses. Both
> targets are 'high-
> profile', well known international companies. Each
> target has received 
> over 100 000 connection attempts per day (24 hours).
>
> We can't see if the requests were valid HTTP
> requests, or if the client 
> just connected to port 80, and then dropped the
> connection 

Did you use a sniffer on the same segment?  Tcpdump
from Linux, Windump for Win32, snort for both?

> An interesting thing is that the source port in each
> request, would 
> start at 1025, increase by one to 5000, and then
> start over with source 
> port 1025.

That should be fairly normal activity, actually.  I'm
not sure about rolling over specifically at 5000, but
starting at a high port (ie, above 1024) is normal.
 
> The client machine does have an irc client
> installed, and this is 
> somewhat alarming.

How so?  It might have served as the infection vector,
but I don't necessarily see how the presence of just
an irc client is "alarming".

> However, the Trend Micro
> anti-virus software does 
> not detect the virus, with the leates available
> patternfile (per 2001-
> 09-10).

Maybe it's not a trojan at all.

With more info, I could help you more specifically. 
Please feel free to contact me at
"keydet89 () yahoo com".  I also teach a 2-day Incident
Response Course for NT/2K admins.

Carv


__________________________________________________
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com