Security Incidents mailing list archives

RE: Trojan? DDOS Bot?

From: "Brooke, O'neil (EXP)" <o'neil.brooke () lmco com>
Date: Tue, 27 Aug 2002 15:02:42 -0400

Hi Janus

        This is expected trojan behavior. Take a look in your registry for
the run keys, and either system.ini or win.ini has a load and a run setting
as well that has been exploited by trojans.  A complete(?) list of
initialization locations can be found at www.tlsecurity.com You want to
determine what the initializtion vector is, disable it, reboot and then
delete the trojan files. 

        This may not end it though. Windows based trojans have two
operational components for the server. There is the 'infector' executable
which is any standard program with a hidden trojan payload. When the
infector is executed registry keys or ini files are modified so that the
server starts every time the computer does, it then extracts the trojan
server code and saves it to a discrete file on your system. The 'server'
component is a small executable (most are well under 100K) that can hide
just about anywhere on the system, given that there are so many different
trojans. The 'server' component is what initiates the connection to the IRC
server and allows for remote control of your workstation.

        A third type of program which I'll call an executable bundling
program will take the trojan server and stuff it into an existing
application. (i.e. creation of the 'infector' executable) If explorer.exe is
infected in this way, when you delete the registry keys and reboot, the
registry keys will be recreated and trojan re-installed since explorer is
executed by windows on bootup. 

        Trojans started connecting to IRC in this manner (AFAIK) so that the
people behind the various trojan strains could disseminate their code
(warez, uploads to ftp servers, exploited corporate cd mastering stations,
etc) and collect the compromised hosts in one central location. It also
offered some form of anonymity once commands to the trojan could be routed
through the IRC server, since the attacker never establishes a connection
directly with the infected host. 

O'Neil.

-----Original Message-----
From: Janus () etoast com [mailto:Janus () etoast com]
Sent: August 27, 2002 4:23 AM
To: incidents () securityfocus com
Subject: Trojan? DDOS Bot?




I recogniced some weird connections from my box (w98)
to other computers. As soon as i connect to the
internet a connection from local port 1026 to port 6667
on 65.185.135.125 was established. I connected to that
server and it is an irc server (MusIRC Internet Relay
Chat Network). I found a bot using my adress with a
random name made up of letters. The server
administrator told me that he has recognized these bots
coming from many different hosts for quite ome time
now. They all try to join a channel named #nutz on that
server. He has seen people giving commands to those
bots so he closed down the channel. They give a msg
after kicked "Fuck you <name of the person that has
kicked them>. To version request they reply with
something like that too. I checked for open ports on my
box and found 113 open. A few days ago i deleted a
net-devil v.1.4 from my system. Not sure if that has
anything to do with that. After installing a freeware
firewall to see what it will do if i blocked its
outgoing port and deleting it afterwards it just
changed the outgoing port. As i am typing this a
netstat -an reveals

TCP    0.0.0.0:1301           0.0.0.0:0             
LISTENING
  TCP    0.0.0.0:1705           0.0.0.0:0             
LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0             
LISTENING
  TCP    127.0.0.1:1704         0.0.0.0:0             
LISTENING
  TCP    127.0.0.1:1704         127.0.0.1:1705        
ESTABLISHED
  TCP    127.0.0.1:1705         127.0.0.1:1704        
ESTABLISHED
  TCP    217.84.185.171:1301    65.185.135.125:6667   
ESTABLISHED
  UDP    127.0.0.1:1027         *:*                    


I couldnt find a freeware tool to find out which
process is using this specific irc connection, nor did
a scan with f-prot or housecall or panda reveal any
viral or trojan activity.

Any help or info would be really appreciated. Thanks in
advance

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Trojan? DDOS Bot? Janus (Aug 27)
- Re: Trojan? DDOS Bot? Mike Parkin (Aug 27)
- Re: Trojan? DDOS Bot? Christopher Cramer (Aug 27)
- Re: Trojan? DDOS Bot? Erik Sperling Johansen (Aug 27)
- Re: Trojan? DDOS Bot? Dragos Ruiu (Aug 27)
- Re: Trojan? DDOS Bot? Michael J McCafferty (Aug 27)
- <Possible follow-ups>
- Re: Trojan? DDOS Bot? Richman, Samuel <NHTSA> (Aug 27)
- RE: Trojan? DDOS Bot? Brooke, O'neil (EXP) (Aug 27)
- Re: Trojan? DDOS Bot? Will Tell (Aug 27)
- RE: Trojan? DDOS Bot? YAO,TONY (HP-NewZealand,ex1) (Aug 28)
- RE: Trojan? DDOS Bot? David LeBlanc (Aug 30)