RE: Strange, scary, subtle trojan

["Dowling, Gabrielle" <dowlingg () sullcrom com>]

This still sounds like Klez.  Klez frops wink(random characters) in system
folder and creates either a run or services entry for it in the registry.
Klez also carries its own smtp engine

Regards

Gaby

 -----Original Message-----
From:   Jeff Kell
Sent:   Sun Apr 20 01:00:11 2003
To:     Incidents; Resnet Forum
Subject:        Strange, scary, subtle trojan

In the process of scanning PIX logs for possible open proxies on campus 
(after one hacked WinGate discovery some weeks ago) I ran across several 
hosts that were sending mail to "several" different sites, apparently 
direct-to-MX, bypassing our site mail servers.  They weren't sending "a 
lot" of mail (relatively speaking), but enough of it and directed at too 
many destinations to be using an outside account for regular mail.

Summarizing by source, then destination, and sorting by source volume 
started turning up the same outside combinations for different source 
addresses.  Especially strange was an almost "signature" destination 
address of 25.0.0.0:25.  The common elements to almost every case were, 
for example (source:destination):

> 10.4.8.145:194.133.125.101 9 items 0 bytes av2.ornis.com
> 10.4.8.145:194.179.41.3 2 items 566 bytes recibir.arquired.es
> 10.4.8.145:206.46.170.11 9 items 280091 bytes smtp.gte.net
> 10.4.8.145:206.46.170.7 4 items 155455 bytes smtp.gte.net
> 10.4.8.145:25.0.0.0 38 items 0 bytes



A lucky Google search on the domains turned up a news article:

http://groups.google.com/groups?q=ornis.com+arquired.es+25.0.0.0

The thread eventually wrote it off to Klez, but it wasn't really.  It 
did however reveal a trojan executable WINKER.EXE.  Searching around for 
this I found two hits at Symantec:

Backdor.SilentSpy: 
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silentspy.h
tml

or
Backdoor.Mirab:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.mirab.html

These are apparent matches, but mention a backdoor port left open, and I 
could not find the ports open on the machines I scanned (have not yet 
had the opportunity for hands-on forensics).

The scary part is that this is a keylogger, and can periodically e-mail 
the logs to various addresses.  And using the '25.0.0.0:25' signature, I 
have found traces in my oldest online logs (Nov 2002).

At any rate, I would be interested in any further information anyone 
might have on this particular beast.  And some of you might want to add 
an alert to any SMTP traffic destined to 25.0.0.0

Jeff


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------


**********************************************************************
This e-mail was sent by a law firm and contains information
that may be privileged and confidential. If you are not the
intended recipient, please delete the e-mail and notify us 
immediately.
**********************************************************************


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------