
RE: Strange, scary, subtle trojan

From: Dowling, Gabrielle <dowlingg(at)sullcrom.com>
Date: Sun Apr 20 2003 - 14:35:35 EDT


This still sounds like Klez. Klez drops wink(random characters) in the system folder and creates either a run or services entry for it in the registry. Klez also carries its own SMTP engine.

Regards

Gaby

 -----Original Message-----

From: 	Jeff Kell
Sent:	Sun Apr 20 01:00:11 2003
To:	Incidents; Resnet Forum
Subject:	Strange, scary, subtle trojan

In the process of scanning PIX logs for possible open proxies on campus (after one hacked WinGate discovery some weeks ago) I ran across several hosts that were sending mail to "several" different sites, apparently direct-to-MX, bypassing our site mail servers. They weren't sending "a lot" of mail (relatively speaking), but enough of it and directed at too many destinations to be using an outside account for regular mail.

Summarizing by source, then destination, and sorting by source volume started turning up the same outside combinations for different source addresses. Especially strange was an almost "signature" destination address of 25.0.0.0:25. The common elements to almost every case were, for example (source:destination):

> 10.4.8.145:194.133.125.101 9 items 0 bytes av2.ornis.com
> 10.4.8.145:194.179.41.3 2 items 566 bytes recibir.arquired.es
> 10.4.8.145:206.46.170.11 9 items 280091 bytes smtp.gte.net
> 10.4.8.145:206.46.170.7 4 items 155455 bytes smtp.gte.net
> 10.4.8.145:25.0.0.0 38 items 0 bytes

A lucky Google search on the domains turned up a news article:


http://groups.google.com/groups?q=ornis.com+arquired.es+25.0.0.0

The thread eventually wrote it off to Klez, but it wasn't really. It did however reveal a trojan executable WINKER.EXE. Searching around for this I found two hits at Symantec:

Backdoor.SilentSpy:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.silentspy.html

or
Backdoor.Mirab:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.mirab.html

These are apparent matches, but mention a backdoor port left open, and I could not find the ports open on the machines I scanned (have not yet had the opportunity for hands-on forensics).

The scary part is that this is a keylogger, and can periodically e-mail the logs to various addresses. And using the '25.0.0.0:25' signature, I have found traces in my oldest online logs (Nov 2002).

At any rate, I would be interested in any further information anyone might have on this particular beast. And some of you might want to add an alert to any SMTP traffic destined to 25.0.0.0.

Jeff



Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents
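The triage Jeff describes (summarize outbound port-25 connections by source and destination, look for hosts sending direct-to-MX mail past the site relays, and alert on anything destined to 25.0.0.0:25) can be scripted. The block below is an added example and is not code from the thread or from anyone posting in it. It uses a constructed, simplified log format (timestamp, source, destination, destination port, bytes) rather than real PIX syslog, and the campus network (10.0.0.0/8), the sanctioned relay (10.1.1.25) and the peer-count threshold are assumptions that would be replaced with a site's own values.

```python
"""
Added example (not part of the archived thread): summarize outbound TCP/25
connections by source host, as the original poster did with PIX logs, and
flag two things the thread describes:
  1. any connection destined to 25.0.0.0:25 (the "signature" destination), and
  2. hosts sending direct-to-MX mail to many outside destinations while
     bypassing the site's own mail relays.
The log format is constructed and simplified (timestamp, src, dst, dport,
bytes); a real deployment would parse the firewall's own syslog format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records. Internal sources are in 10.0.0.0/8; 10.1.1.25 is
# the hypothetical site mail relay that legitimate clients should be using.
SAMPLE_LOG = """\
2003-04-20 00:01:02 10.4.8.145 194.133.125.101 25 0
2003-04-20 00:01:05 10.4.8.145 194.179.41.3 25 566
2003-04-20 00:01:09 10.4.8.145 206.46.170.11 25 280091
2003-04-20 00:01:15 10.4.8.145 206.46.170.7 25 155455
2003-04-20 00:01:20 10.4.8.145 25.0.0.0 25 0
2003-04-20 00:02:00 10.4.9.12 10.1.1.25 25 4120
2003-04-20 00:02:30 10.4.9.12 10.1.1.25 25 980
2003-04-20 00:03:00 10.4.7.77 64.12.138.5 25 1200
2003-04-20 00:03:10 10.4.7.77 64.12.138.6 25 1100
2003-04-20 00:03:20 10.4.7.77 64.12.138.7 25 1300
"""

SITE_NET = ip_network("10.0.0.0/8")            # assumed campus address space
SITE_MAIL_RELAYS = {ip_address("10.1.1.25")}   # assumed sanctioned relay(s)
SIGNATURE_DST = ip_address("25.0.0.0")         # destination named in the thread
MAX_DIRECT_MX_PEERS = 2                        # assumed threshold; tune per site


def parse_records(text):
    """Yield (src, dst, dport, nbytes) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, _time, src, dst, dport, nbytes = line.split()
        yield ip_address(src), ip_address(dst), int(dport), int(nbytes)


def summarize_smtp(records):
    """Group internal-source TCP/25 connections by (src, dst): (count, bytes)."""
    summary = defaultdict(lambda: [0, 0])
    for src, dst, dport, nbytes in records:
        if dport != 25 or src not in SITE_NET:
            continue
        entry = summary[(src, dst)]
        entry[0] += 1
        entry[1] += nbytes
    return {k: tuple(v) for k, v in summary.items()}


def find_alerts(summary):
    """Return a sorted list of (src, reason) alerts derived from the summary."""
    alerts = set()
    outside_peers = defaultdict(set)
    for (src, dst), (_count, _nbytes) in summary.items():
        if dst == SIGNATURE_DST:
            alerts.add((src, "smtp to 25.0.0.0 signature destination"))
        # Mail that goes neither to a site relay nor to another internal host
        # is direct-to-MX delivery from a client, which the post singled out.
        if dst not in SITE_MAIL_RELAYS and dst not in SITE_NET:
            outside_peers[src].add(dst)
    for src, dsts in outside_peers.items():
        if len(dsts) > MAX_DIRECT_MX_PEERS:
            alerts.add((src, f"direct-to-MX mail to {len(dsts)} outside hosts, bypassing site relays"))
    return sorted(alerts, key=lambda a: (str(a[0]), a[1]))


def analyze(text):
    """Full pipeline: parse, summarize per source/destination, then alert."""
    return find_alerts(summarize_smtp(parse_records(text)))


if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

On the constructed input this reports 10.4.8.145 twice (the 25.0.0.0 signature and five outside MX peers) and 10.4.7.77 once (three outside peers), while 10.4.9.12, which only talks to the site relay, is silent. The peer-count rule is deliberately separate from the signature rule so that a host matching the behavioural pattern is still surfaced if a future variant changes its hard-coded destination.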


This e-mail was sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.


Received on Mon Apr 21 13:55:08 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:02 EDT

