Message-ID: <406703EE.8030607@egotistical.reprehensible.net>
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: backdoor irc

| But I am having a few problems actually finding out anything else about the
| files. Has anyone any insight into how they work, what they do, how does a
| person connect to a system via them, how far could a person get into the
| system through these files? Symantec seem quite clear that a hacker would
| have unlimited access, but nowhere else can I find anything about this.

Allow me to paste below an email message I sent to bugtraq on a related subject the other day. It may clear a few things up.

Basically, I do not have specific information about the specific samples you mention, having not looked at them. But one can always install another backdoor once one is in the system, so assume the worst.

Quoted text:
------------

| I think it's a new worm spreading on undernet. The worm PRIVMSG user
| with an ip address and port like this (ip and port never change) :
| [07:53] <C96347981> http://69.157.174.169:2233/

Although it might appear that way, this is not a worm. [See below as to what *is* downloaded from that page, as it *IS* a form of a Trojan horse (dropper).]

That is what we call spam bots. Drones which are part of smaller or bigger drone armies work that way.

Some infect a user by using another Trojan horse already installed on their system, or by some vulnerability. Both by port scanning. Then there are the kind which infect users through web pages, either by false pretense (social engineering) or by using some IE vulnerability to remotely install the Trojan horse. There are as many ways as there are Trojan horses, but they are not too innovative.

Some spam themselves using, much like in this example, IRC. These drones you describe, as far as we can tell, send a message (/MSG) to non +i (invisible) users on an IRC network, spamming them with that URL. They harvest the nicknames they spam by using the /WHO command.

On that URL you will most likely find either a Trojan horse which will infect a user's system, or some other spam goal.

Drone armies are mostly used for two major goals these days:
1. DDoS attacks (kiddie/groups fights, blackmail, whatever).
2. Bouncing off their IP addresses, much like with proxies.

In any case - power. Then there are the rest of the uses you can make of a pwned machine, times hundreds of thousands.

| Each user which sent me this address seems to have had the (almost) same pattern
| for nick and fullname: 1 letter followed by number. Some fullnames are
| followed by 11 numbers, others by 12 numbers. None of them were on any
| channels at all.

These are not aware users. These are drones, i.e. zombies or bots.

People make little of Trojan horses. Many AV products do not see it as important or bother with them unless they fall into their hands by chance, as they are "just Trojans". If they do bother with them, some of them might only add simple CRC signatures for detection. CRC signatures are useless as _many_ Trojan horses (which I wouldn't really like to call polymorphic) would use a well-known trick of dumping some pseudo-random bull at the EOF, for example, effectively rendering the hash or checksum useless.

Then there is the issue of some AV companies considering Trojan horses to be "garbage" which isn't really what an AV product should detect.

Such drone armies number from a few dozen to tens and hundreds of thousands of drones. There are those (you mentioned the Undernet IRC network - prysm, who I mention below, is one of the major "fighters" there) who fight these drone armies, finding every new echo channel (=where the drones announce themselves to the controllers/runners) and attempting to kill them.

New drones always show up, and on many occasions from the same IPs, as the infected users were never aware of the situation to install or update their AV product of choice - if that product even detects the said Trojan horse which was used to "0wn" them. New IPs are always there to join them, regardless.

As I have mentioned before, a few years ago there was a paper which showed how a machine, which wasn't advertised, would get port-scanned within 36 hours of it showing up online. Those of us on broadband (mostly DSL/Cable IP ranges) know how that has long not been true, as we get port scanned for open Trojan ports and proxies (not to mention vulnerable machines) up to 16 times a minute. That fact would help explain the existence of such huge drone armies.

| C14130657 is Guest18231@...onto-HSE-ppp3970074.sympatico.ca * E63731312752
| S66185921 is ~M93079924@...01044550pcs.villgs01.fl.comcast.net *
| O12647092342
| C96347981 is ~O98407918@...t217-44-126-36.range217-44.btcentralplus.com *
| Y710488319397
| M84234958 is Guest92377@...leans-103-1-33-71.w81-250.abo.wanadoo.fr *
| O58235883713
| Z29553055 is Guest58875@...102-194.nwconx.net * E815603852272
| O23413228 is Guest32361@...249161030.customer.alfanett.no * F729082226753
| I65330976 is ~E89040321@...l-216-103-54-205.dsl.lsan03.pacbell.net *
| C527516603470

You can see, as you noted yourself, the consistency of the nicknames and hosts.

I am not familiar with these particular drones, as although in my teen years I started this crazy occupation of hunting drone armies, I am no longer really involved with it now. Prysm however is the one who gives her life and soul to these online issues and who now leads the fight, among others. I'll ask her if she recognizes the drones, but we already know what installs them, as I specify below.

| The isp (sympatico.ca) has been notified on march 27 at 10:00 am and this
| computer is still up.

Good luck getting them to help you.

It is quite possible that despite what I wrote above (which is a regular modus operandi we see daily) that IP address serves no purpose but to notify the controllers of the pwned machine so that they can harvest IP addresses and check back in later. I didn't look into it, but it could be either.

[I did not change the above paragraph as I believe I raise an interesting point, but after discussing the URL in question with Daniel Otis Vigil (author of "The Cleaner" - www.moosoft.com - see below for other products such as "The Cleaner"), it appears that the CHM on the URL you mention is known as the vbs.psyme downloader, which downloads the Apher downloader, which in turn downloads IRC.Fylex (mIRC scripts).]

Now you might ask - mIRC script? So these *ARE* users after all?

It is quite possible these are pwned users after all (which in my opinion are not that different from your regular drone), although some Trojan horses nowadays actually run mIRC in a hidden window, so that the user is completely unaware of being on IRC.

Last week the media started making noise about a Trojan horse called Phatbot, which according to them infected 300K users. You can find more information on lurhq, by Joe Stewart: http://www.lurhq.com/phatbot.html.

Truth is, Phatbot (at that time Phatbot.A) is just yet another Agobot. The latest Agobot I saw was Agobot.IU, which came out 2 days ago. I am pretty sure I missed a couple since then as these come out daily. Agobots in turn are very similar to/evolved from/are the same as hundreds of SDbots - an open source Trojan horse. Only half of the SDbots which I have tested in the past months are detected by most AV products.

Although these Trojans "spread" and are infecting hundreds of thousands, they are not worms. Their spread is slower, and although it appears like they are motivated in recent years by much the same as worms - criminal activity and spammers, rather than just bored kids and coders like in the past - they are not mass mailers and are usually introduced to a system by a kiddie (whether by an automated scan && infect process or manually) him or herself, rather than by a mass-spreading automatic mechanism of a worm. Definitions vary, but Phatbot was nothing new when the media started making noise about it.

I do not know if the numbers associated with it are correct, but there ARE drone armies. Companies ARE being blackmailed. As Paul Schmehl said.. real life "protection" by gangs would at least protect you from other gangs. On the net there is no guarantee that you won't still be attacked, whether by the same "gang" of kiddies or by yet some other "gang" looking to make some cash. The maximum any group of kiddies can do is launch an online war, if they will even bother, at whatever other group they want (if the attacking group is even identified), causing nothing more than bandwidth consumption. Then again, kiddies never need too much of a reason to DDoS.

To make this long email short - drone armies are real. They are mostly being ignored except by a few individuals, like prysm, who fight to destroy them on the IRC chat networks, to some success, against truly overwhelming odds. There is no real reason to start people going about any new "worm" here. These are just your average everyday Trojan horses who spam.

I am sorry if this email message sounded like a rant, but the facts should be known to pretty much everybody who looks for them, by now.

One final issue might be, how should users defend themselves against Trojan horses when a large majority of them are _not_ detected by AV products? There are two main options:

1. Personal Firewalls. If they can't connect to you to infect you, or the Trojan horse installed on your system can't dial home or be controlled remotely - you are safer than you would be without such a program.

2. The less known factor of Anti Trojan companies. Anti Trojan (AT) companies are small, and rather successful. They manage to stay in business after quite a few years because they stay on top of these threats and eliminate them where AV products fail, or simply do not care. Some of these products are "The Cleaner", "BOclean" and "Trojan Remover". Many of these products are updated as often as AVs are, and they keep in touch with IRC people such as prysm in order to deal with threats such as you described above, wrongly, as a new worm.

I hope this helped you. I am sorry if the above sounded like a rant, but it was my goal to explain the situation of what you encountered by chance, as in-depth as possible. We barely scratched the surface.

Gadi Evron.
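The post describes a recognisable pattern for these IRC spam drones: nicks and realnames of one letter followed by a run of digits, no channel membership, and unsolicited private messages carrying a bare http://IP:port/ URL. Below is an added detection example (not from the post or from any product named in it) that scores raw IRC server lines for that pattern. The nick/realname regexes, the two-signal threshold and the use of the 311 WHOIS reply for realnames are my assumptions; the sample lines are constructed and use documentation address space.

```python
import re

# Heuristics taken from the pattern described in the post; the exact digit
# counts and the threshold below are assumptions, not values from the post.
NICK_RE = re.compile(r"^[A-Za-z][0-9]{6,}$")          # e.g. C12345678
REALNAME_RE = re.compile(r"^[A-Za-z][0-9]{10,13}$")   # 1 letter + 11-12 digits
URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}:\d+/?", re.I)
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# 311 = RPL_WHOISUSER: ":server 311 me nick user host * :realname" (assumed format)
WHOIS_RE = re.compile(
    r"^:\S+ 311 \S+ (?P<nick>\S+) (?P<user>\S+) (?P<host>\S+) \* :(?P<realname>.*)$")


def score_line(line):
    """Return (nick, [reasons]) for one raw IRC line, or None if nothing matched."""
    reasons = []
    m = PRIVMSG_RE.match(line)
    if m:
        nick = m.group("nick")
        if NICK_RE.match(nick):
            reasons.append("drone-style nick")
        if URL_RE.search(m.group("text")):
            reasons.append("bare ip:port URL in private message")
        return (nick, reasons) if reasons else None
    m = WHOIS_RE.match(line)
    if m:
        nick = m.group("nick")
        if NICK_RE.match(nick):
            reasons.append("drone-style nick")
        if REALNAME_RE.match(m.group("realname")):
            reasons.append("drone-style realname")
        return (nick, reasons) if reasons else None
    return None


def flag_drones(lines, min_reasons=2):
    """Collect distinct reasons per nick; flag nicks with at least min_reasons."""
    seen = {}
    for line in lines:
        hit = score_line(line)
        if hit:
            nick, reasons = hit
            seen.setdefault(nick, set()).update(reasons)
    return {n: sorted(r) for n, r in seen.items() if len(r) >= min_reasons}


# Constructed sample lines (not from the post); 192.0.2.0/24 is documentation space.
SAMPLE = [
    ":C12345678!~O87654321@192.0.2.10 PRIVMSG me :http://192.0.2.99:2233/",
    ":alice!~alice@192.0.2.20 PRIVMSG me :hey, are you coming to the meeting?",
    ":irc.example.net 311 me C12345678 ~O87654321 192.0.2.10 * :E11122233344",
    ":irc.example.net 311 me alice ~alice 192.0.2.20 * :Alice Example",
    ":bob!~bob@192.0.2.30 PRIVMSG me :see http://192.0.2.50:8080/ for the build",
]
```

A single URL in a message (bob's line) is not enough on its own; the nick is only flagged when the naming pattern and the spam URL or realname coincide, which keeps ordinary users sharing links out of the result.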