lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200309251506.49003.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Analysis of a Spam Trojan

On Thu, 25 Sep 2003 12:04:14 -0500, Brian Eckman wrote:
> It is unknown how the audio.exe file got onto the computer hard drive 
> in the first place.

It is almost guaranteed to have been via the MS03-032 IE object tag 
vulnerability. The trojan you found is a variant of the Autoproxy 
trojan, which has been known to use that infection vector on a large 
scale. Some AV companies detect it as Coreflood because it shares a lot 
of the same code, likely because it is by the same author. You are 
correct in your analysis that it is not a DDoS bot, but instead is a 
spam tool. Here is an analysis I did on a recent variant that uses a 
different master server and contacts cnet.com instead of microsoft.com:

http://www.lurhq.com/autoproxy.html

Here is another Snort signature you can use to detect when an infected 
user attempts to contact its controlling server:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan 
control connection"; content: "|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 
20 41 75 74 6f 70 72 6f 78 79 2f|"; classtype:trojan-activity; 
sid:1000028;  rev:1;)

It is interesting to note the connection between the DDoS trojan and the 
spam-proxy trojan here, in light of the recent DDoS attacks on spam 
blackhole lists.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ