Re: New trojan? Old trojan with new characteristics? Anyone seenthis?

[Mike Parkin <mparkin () cisco com>]

Thanks to everyone who responded to this.  With the information I
received and snort logs from the IRC server itself, we've been able to
more or less positively identify these things as DTHN (Dynamic Trojan
Horse Netowrk) Zombies.

None of us, unfortunately, have the time required to try and track down
who owns them or what passwords they're using on this particular DTHN
net.  As we've done in the past, we'll start sending a canned email to
the ISP's these boxen are connecting from in the hopes that they'll tell
their users and help them get cleaned up.

Thanks again for the inputs.

Mike


On Mon, 2003-04-14 at 19:57, vex86 () rogers com wrote:
> I'd love to get my hands on a copy of the trojan being used.. Often they
> are bounced to a redirect, then to a server. This trojan (javauser
> ident) is indefinitely a spawn of GT or some sort. I've seen Litmus,
> [sd], and GT take this setup, with the javauser.. Check if the machines
> connecting are vulnerable to Netbios, they are often vulnerable to
> netbios because currently its the only way Botnet Farmers are spreading
> their net.. I've seen different ways, however.
>
> If you have any further questions, you may contact me at
> vex86 () rogers com
>
> Best Regards,
>
> Richard 
>
>
> On Thu, 2003-04-10 at 20:55, Alex Lambert wrote:
> > Mike,
> >
> > I received word of something similar from one of my opers on February 17th.
> > Ancient, an operator from irc.bigpond.com, notified irc.webchat.org's nohack
> > team about this:
> >
> > <Ancient> just for your info a new trojan / drone is making rounds and it
> > may be hard to sport on CR
> > <Ancient> the ident = javauser
> > <Ancient> full name follows pattern 99999 1
> > <Ancient> the nicknames resemble first names and seem to be derived from
> > some nick dictionary
> > <Ancient> we run CR and we observed it growing very fast
> > <Ancient> few connections on saturday to 100s today
> > <Ancient> I noticed heaps of them on Undernet but they are too ignorant to
> > care
> > <Ancient> i posted an IRC CERT notice but it seems delayed
> > <Ancient> how many lines can I post here before getting done for flooding?
> > <Ancient> as I'm about to send a fragment of perl code that can detect this
> > bot, if you know how to code using net::irc
> > <Ancient> # exploit pattern ident:javauser real:99999 9
> > <Ancient> my (@realwords) = split(" ",$real);
> > <Ancient> if ($ident =~ /^javauser$/) {
> > <Ancient> if ($nickname !~ /^guest[[:digit:]]{5}$/i) {
> > <Ancient> if ($realwords[1] =~ /^[[:digit:]]{4,5}$/) {
> > <Ancient> if ($realwords[2] =~ /^[[:digit:]]{1}$/) {
> > <Ancient> &akill($self, $nickname, $host,"Exploit\:javauser");
> > <Ancient> } } } }
> > <Ancient> richard, if you got my previous info re:javauser trojan, there is
> > one more fact about it - it never seems to be using port 7000
> >
> > You might want to consider subscribing to irc-cert at
> > http://cert-irc.cyberabuse.org/
> >
> >
> >
> > Cheers,
> >
> > Alex Lambert
> > irc.liveharmony.org
> > alambert () quickfire org
> >
> > Mike Parkin wrote:
> > > Not often I post to the list.
> > >
> > > Lately the IRC network I help run (away from work) has seen a large
> > > number of host connections with a pattern similar to numerous other
> > > trojan/malware infections that have an IRC element.  Namely: Similar
> > > nicks, user@, and real name fields.  In this case the nicks are all
> > > one
> > > of several similar patterns (repeats lead us to believe it may be
> > > chosen from a list), the User@ is always javauser@ (I haven't
> > > actually seen a legitimate java client with this ident, though there
> > > may well be one.)
> > > and the Real Name field is always a pattern of "nnnnn 1" where nnnnn
> > > is
> > > a five digit random number.
> >
> >
> >
> > ----------------------------------------------------------------------------
> > Is SPAM over-loading your e-mail server, disk space or bandwidth?
> > SurfControl E-Mail Filter is flexible, intelligent and policy-driven
> > protection.
> > http://www.securityfocus.com/SurfControl-incidents2
> > Download your free fully functional
> > trial, complete with 30-days of free technical support.
> > Stop SPAM before it stops you.
> > ----------------------------------------------------------------------------
>
>
> ----------------------------------------------------------------------------
> Is SPAM over-loading your e-mail server, disk space or bandwidth?
> SurfControl E-Mail Filter is flexible, intelligent and policy-driven
> protection.
> http://www.securityfocus.com/SurfControl-incidents2
> Download your free fully functional
> trial, complete with 30-days of free technical support.
> Stop SPAM before it stops you.
> ----------------------------------------------------------------------------


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------