Bugtraq mailing list archives
Fwd: [ISN] Another BO detector that is actually a trojan
From: Reuben.Yau () INTERNAL DIRCON NET (Reuben Yau)
Date: Thu, 3 Sep 1998 13:00:11 +0100
Not sure if this has already been posted here.

Cheers,
Reuben
X-Authentication-Warning: obscure.sekurity.org: majordomo set sender to owner-isn () sekurity org using -f
Date: Wed, 2 Sep 1998 05:54:21 -0600 (MDT)
From: mea culpa <jericho () dimensional com>
To: InfoSec News <isn () sekurity org>
Subject: [ISN] Another BO detector that is actually a trojan
X-NoSpam: Pursuant to US Code; Title 47; Chapter 5; Subchapter II; 227
X-NoSpam: any and all nonsolicited commercial E-mail sent to this address
X-NoSpam: is subject to a download and archival fee in the amount of $500 US.
X-NoSpam: E-mailing to this address denotes acceptance of these terms.
X-Noarchive: YES
X-Copyright: This e-mail copyright 1998 by jericho () dimensional com
Sender: owner-isn () sekurity org
Reply-To: mea culpa <jericho () dimensional com>
x-unsubscribe: echo "unsubscribe isn" | mail majordomo () sekurity org
x-infosecnews: x-loop, procmail, etc

Forwarded From: Ken Williams <jkwilli2 () UNITY NCSU EDU>

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

I recently came across a program called "BoSniffer.zip" that the author claims will "block key points in the registry from BO as well as search for existing installs of the backdoor." Close examination has revealed that this is actually a BO server with the "SpeakEasy" plugin installed. If you run "BoSniffer.exe", the BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt to log into a predetermined IRC server on channel #BO_OWNED with a random username. It then proceeds to announce its IP address and a custom message every few minutes."

This program, "BoSniffer.zip", is currently being widely distributed as a "cure for Back Orifice infections". It is probably being distributed with other software packages and with other names too. Listed below are relevant details about this program.

File Sizes (in bytes)
---------------------
231068 BoSniffer.exe
108573 BoSniffer.zip

MD5 fingerprints and strings (checksums)
----------------------------------------
MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f
MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
MD5 (BoSniffer.exe) = 63748087b2e1598fcf34498b0295212e
MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21

Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin
---------------------------------------------------------------------
sector 0x028C38
irc.lightning.net:7000:Hey MASTER where are u!!!

sector 0x0303F0 - sector 0x0306D8
BO ButtPlugs and goodies...http://www.netninja.com/bo.html
AJ Reznor: The pierced, tattooed grand master god of flame wars!
Who is John Galt?
Yes, you too can own my box with this special introductory offer of $0.00!
I'm sad to see Kontrol Faktory go away.
Use Linux!
This box is now property of the Illuminati.
<<tap>> <<tap>> <<tap>>...Is this thing on?
Where do *YOU* want to go today?!

sector 0x031848
SpeakEasy.dll

sector 0x0318A8 - sector 0x031980
#BO_OWNED with IRC commands:
Own Me @
.NOTICE
.JOIN #BO_OWNED
host server :Owned
USERNICK BO
.QUIT
Psssst...Speakeasy was told to shut down
.NOTICE #BO_OWNED :Psssst...Speakeasy just started up
You get the idea by now, hopefully.

Instructions on removing BO Servers from compromised servers can be found at:
http://www.iss.net/xforce/alerts/advise5.html
or by searching through the NTBUGTRAQ archives at:
http://ntbugtraq.ntadvice.com/archives/

If anyone wants a copy of BoSniffer.zip for further examination, send email to Packet Storm Security at PacketStorm () Genocide2600 com
Please note that we will disregard any non-corporate or suspicious requests.

Regards,

Ken Williams
Packet Storm Security
http://www.Genocide2600.com/~tattooman/index.shtml
E.H.A.P. Corporation
http://www.ehap.org/
ehap () ehap org
info () ehap org
NCSU Comp Sci Dept
http://www.csc.ncsu.edu/
jkwilli2 () adm csc ncsu edu
PGP DSS/DH/RSA Keys
http://www.genocide2600.com/cgi-bin/finger?tattooman

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQEVAwUBNerX1ZDw1ZsNz1IXAQF5UQf/VygM5JDLYU7TiDQn6Isa3sC9glgrGumU
snhykpFm3b4lYYnoZY+PQUabptp8KWfvB4Hf/4vc3sDJca62Zzh1QRgAzOnWbcPl
fA7+eQNn+bVn6k91TIaEfllhA4CMB/U8L21pPBIuL4KYOmPyB/qXprRyqrg06AQ7
KsdZ5krEYxrSVHJa1TcFws1OCoQeK7sX9C3x/Ys9v42k3nGthVJw3UAXTCisf3av
glUe0jvDsMGtT9pFnq9Mg/iHeMA+uHMOGjkdU9/PDDunJ9DBht49ZLLAxdfy6nYH
5PuQMH268XsCDbT/aFxYem8iYe8oPDgGDFFQSQ4j8bLjQR+RpPr5Aw==
=c3QA
-----END PGP SIGNATURE-----

-o-
Subscribe: mail majordomo () sekurity org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
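The message above gives three kinds of indicator for the trojanised "detector": the MD5 of each file, the file sizes, and the strings found in the binary (the IRC server and port, the #BO_OWNED channel, SpeakEasy.dll). The script below, an added example that is not part of the original post and not Packet Storm's own tooling, turns those published indicators into a simple file check: an exact MD5 match is conclusive, while the strings are reported with their byte offsets for a human to look at, since a genuine scanner could legitimately carry the same strings as signatures. The two sample blobs are constructed here as stand-ins (hypothetical "MZ" stubs with the strings padded in), not real BoSniffer samples, so their hashes and sizes will not match the advisory; MD5 is used only because that is the fingerprint the advisory published, not as a collision-resistant check.

```python
import hashlib
import re

# Indicators as published in the advisory above (MD5s, sizes, strings).
KNOWN_BAD_MD5 = {
    "2d75c4ac54b675778ff22f76f9a6a77f": "BoSniffer.zip",
    "63748087b2e1598fcf34498b0295212e": "BoSniffer.exe",
}
KNOWN_BAD_SIZES = {231068: "BoSniffer.exe", 108573: "BoSniffer.zip"}

# Byte strings quoted from the advisory's sector dump. The IRC server/port and
# the channel name are the most specific; "SpeakEasy.dll" identifies the plugin.
IOC_STRINGS = [
    b"irc.lightning.net:7000",
    b"#BO_OWNED",
    b"SpeakEasy.dll",
    b"Psssst...Speakeasy just started up",
]


def md5_hex(data: bytes) -> str:
    """MD5 is used only because it is what the advisory published; treat it as
    an exact-match fingerprint, not a collision-resistant integrity check."""
    return hashlib.md5(data).hexdigest()


def scan_bytes(data: bytes, name: str = "<buffer>") -> dict:
    """Check a file image against the published hashes, sizes and strings.

    Returns a findings dict; 'strings' maps each indicator found to the byte
    offsets (from the start of the file) where it occurs.
    """
    digest = md5_hex(data)
    findings = {
        "name": name,
        "md5": digest,
        "size": len(data),
        "hash_match": KNOWN_BAD_MD5.get(digest),
        "size_match": KNOWN_BAD_SIZES.get(len(data)),
        "strings": {},
    }
    for ioc in IOC_STRINGS:
        offsets = [m.start() for m in re.finditer(re.escape(ioc), data)]
        if offsets:
            findings["strings"][ioc.decode("ascii")] = offsets
    return findings


def verdict(findings: dict) -> str:
    """A hash match is conclusive. Strings alone are only suspicious: a real BO
    detector could carry the same strings as signatures, so they are reported
    for a human to inspect rather than treated as proof."""
    if findings["hash_match"]:
        return "KNOWN-BAD (MD5 matches advisory's %s)" % findings["hash_match"]
    if findings["strings"]:
        return "SUSPICIOUS (%d indicator strings present)" % len(findings["strings"])
    return "no indicators"


def scan_file(path: str) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), path)


# Constructed samples (hypothetical, NOT the real BoSniffer.exe): a stub "MZ"
# header with the advisory's strings padded in, and a clean stub.
SAMPLE_TROJAN = (
    b"MZ" + b"\x00" * 0x100
    + b"irc.lightning.net:7000:Hey MASTER where are u!!!" + b"\x00" * 0x80
    + b"SpeakEasy.dll\x00"
    + b".JOIN #BO_OWNED\x00"
)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 0x200 + b"Hello, world\x00"

if __name__ == "__main__":
    for name, blob in (("sample_trojan.exe", SAMPLE_TROJAN),
                       ("sample_clean.exe", SAMPLE_CLEAN)):
        f = scan_bytes(blob, name)
        print("%-18s md5=%s size=%d  %s" % (name, f["md5"], f["size"], verdict(f)))
        for s, offs in f["strings"].items():
            print("    %-36r at %s" % (s, ", ".join(hex(o) for o in offs)))
```

Run it as `python3 scan.py` to see the constructed trojan stub flagged SUSPICIOUS with three indicator strings and the clean stub reported with none; point `scan_file()` at a real download to compare its MD5 and size against the values the advisory lists. The offsets it prints are plain byte offsets from the start of the file, which is not necessarily the same unit as the "sector" numbers in the dump above.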
Current thread:
- Re: Security Hole in Axent ESM, (continued)
- Re: Security Hole in Axent ESM Taral (Sep 02)
- Re: Security Hole in Axent ESM Patrick (Sep 02)
- Borderware predictable initial TCP racer-x () ALTAVISTA NET (Sep 02)
- Re: Borderware predictable initial TCP Aggelos P. Varvitsiotis (Sep 03)
- Web servers / possible DOS Attack / mime header flooding Laurent FACQ (Sep 03)
- Re: Web servers / possible DOS Attack / mime header flooding Vanja Hrustic (Sep 03)
- wwwboard.pl vulnerability bugtraq (Sep 03)
- Re: Web servers / possible DOS Attack / mime header flooding Rich Wood (Sep 03)
- Re: Web servers / possible DOS Attack / mime header flooding Daniel Leeds (Sep 03)
- Re: Web servers / possible DOS Attack / mime header flooding Lars Eilebrecht (Sep 03)
- Fwd: [ISN] Another BO detector that is actually a trojan Reuben Yau (Sep 03)
- Security Bulletins Digest (fwd) Piotr Strzyżewski (Sep 03)
- Back Orifice detection and removal The Late Ian Angles (Sep 03)
- Cisco Security Notice: PIX Firewall Manager File Exposure psirt () CISCO COM (Sep 02)