Security Incidents mailing list archives
Re: possible new trojan
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Mon, 11 Dec 2000 21:03:57 -0800
-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 10 Dec 2000, Peter Harkins wrote:

> Hm, a few hours ago someone sent me what appears to be a trojan. All
> e-mail headers were blank; the original from line was "Received: from
> gandalf (dialup-28186.dialup.ptt.ru [195.34.28.186])". It was a MIME
> message with a "GOEJNAGO.EXE", 20340 bytes, md5sum of
> 958aaf80d038e88448f5a9b162d40d5f. A quick strings didn't show anything
> and some web searching revealed nothing as well. As I don't have a
> windows machine I can't do much in the way of analysis. If anyone knows
> what this is or wants a copy, drop me a line.
Peter was kind enough to send me the binary in question. I did some basic
analysis and there are some tell-tale signs of this binary being a trojan.
Foremost signs included:

1. The binary appears equipped to send an SMTP attachment, as evidenced by
   its contents:

	MIME-Version: 1.0
	Content-Type: multipart/mixed; boundary="
	Content-Type: text/plain; charset="us-ascii"
	Content-Type: application/octet-stream; name="
	Content-Transfer-Encoding: base64
	Content-Disposition: attachment; filename="

   (Note that the above lines are from the extracted binary and are not
   the MIME type data of the email I received.)

   The target payload is unknown, but probably any number of default
   password files that aren't locally encrypted. It is also possible that
   it's snagging one's PGP keyrings, but that is pure supposition (though
   I know *I'd* go for that if I was playing The Bad Guy).

2. It's not often that strings(1) output really grabs my attention, but
   when I saw the above, the following text really caught my eye:

	smtp
	RSET
	354
	250

   The above is a clear indication that the trojan is able to make an
   outbound connection to some SMTP system, and it understands valid SMTP
   command/response codes (e.g., RSET, responses to "mail from:", "rcpt
   to:" and "data").

3. It appears that the trojan also uses some form of "web bug" to acquire
   IP addresses of affected machines. Color me shocked. ;)

I'm a Solaris goon, so if anyone has a Windows box that's isolated and
they'd like to play with this trojan, you can snag a copy at
http://www.treachery.net/~jdyson/trojans/.

- -Jay

  (    ______
  ))  .-- "There's always time for a good cup of coffee." --.   >===<--.
C|~~|  (>------- Jay D. Dyson --- jdyson () treachery net -------<)  |   = |-'
 `--'   `- I'm not surrounded, I just have more targets now. -'   `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: E-mail me for my PGP Public Key.
iQCVAwUBOjWxwdCClfiU/BIVAQEXIwQAjPX6UmHtnwxQ3DrVlW7rPyMfnCZct4vC
trNksUriiZfuwb1Gtro0Qtp6YbRbBCuuI+BTIYshxYBy7+78EEawIPSIFiv8tLmi
Rw+6QZjHLNlL0sWR9nQ391Un1IL3nbE5pOvjsYx4w2ip0vX1J/072foJBTe52wJV
EDAZcpWpE00=
=0jtI
-----END PGP SIGNATURE-----
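The triage Jay describes above, pulling printable strings out of the binary and reading the MIME headers and SMTP tokens as evidence of mailer capability, can be scripted so the same indicators are checked the same way on every sample. The following is an added example and is not code from the original thread or from either poster; the indicator list reuses the headers and the smtp/RSET/354/250 tokens quoted in the post, while the extra SMTP verbs, reply codes and the URL pattern are assumptions about what a mailer-style trojan commonly embeds. The SAMPLE bytes are constructed for the example and are not the GOEJNAGO.EXE binary.

```python
"""
String-based triage of an unknown binary, modelled on the strings(1) pass in
the post above. Added example, not code from the original thread; the SAMPLE
bytes are constructed here and are NOT the GOEJNAGO.EXE binary.
"""
import re
from collections import defaultdict

# Indicator patterns, applied to each extracted string. The MIME headers and
# the smtp/RSET/354/250 tokens are the ones listed in the post; the remaining
# SMTP verbs, reply codes and the URL pattern are assumptions about what a
# mailer-style trojan typically embeds.
PATTERNS = {
    "mime": [
        re.compile(r"^MIME-Version:", re.I),
        re.compile(r"^Content-Type: multipart/mixed; boundary=", re.I),
        re.compile(r"^Content-Type: application/octet-stream; name=", re.I),
        re.compile(r"^Content-Transfer-Encoding: base64", re.I),
        re.compile(r"^Content-Disposition: attachment; filename=", re.I),
    ],
    "smtp_command": [
        re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|RSET|QUIT)\b", re.I),
    ],
    "smtp_reply": [
        # A mailer keeps reply codes as bare literals to compare server
        # responses against, so match them only as whole strings; matching
        # "250" inside arbitrary text would be noise.
        re.compile(r"^(220|250|354|221)$"),
    ],
    "network": [
        re.compile(r"^smtp$", re.I),
        re.compile(r"^https?://", re.I),
    ],
}


def extract_strings(data: bytes, min_len: int = 3):
    """Printable-ASCII runs of at least min_len bytes, like strings(1) -n."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(strings):
    """Group the extracted strings by which indicator family they match."""
    hits = defaultdict(list)
    for s in strings:
        for group, pats in PATTERNS.items():
            if any(p.search(s) for p in pats):
                hits[group].append(s)
    return dict(hits)


def looks_like_mailer(hits):
    """Heuristic from the post: MIME attachment headers plus an SMTP dialogue.

    This only shows the binary is *capable* of mailing something out; what it
    sends, and whether that code path is reachable, needs dynamic analysis.
    """
    has_mime = len(hits.get("mime", [])) >= 2
    has_smtp = bool(hits.get("smtp_command")) or len(hits.get("smtp_reply", [])) >= 2
    return has_mime and has_smtp


def triage(data: bytes):
    """Run the full pass and return (indicator hits, mailer verdict)."""
    hits = classify(extract_strings(data))
    return hits, looks_like_mailer(hits)


# Constructed sample: a fake PE-ish header, some opcode-looking bytes and the
# kinds of literals the post reports, separated by NULs as they would be in
# a real binary's data section. The URL is a made-up "web bug" style literal.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"MIME-Version: 1.0\x00"
    b'Content-Type: multipart/mixed; boundary="\x00'
    b'Content-Type: text/plain; charset="us-ascii"\x00'
    b'Content-Type: application/octet-stream; name="\x00'
    b"Content-Transfer-Encoding: base64\x00"
    b'Content-Disposition: attachment; filename="\x00'
    b"\x8b\x45\xfc\x50\xe8\x00\x00\x00\x00smtp\x00RSET\x00354\x00250\x00"
    b"\xcc\xcc\xcc\xcchttp://example.invalid/cgi-bin/ping.cgi?ip=\x00"
)

if __name__ == "__main__":
    hits, verdict = triage(SAMPLE)
    for group, strs in sorted(hits.items()):
        print(f"{group}:")
        for s in strs:
            print(f"    {s}")
    print("mailer capability:", "yes" if verdict else "no")
```

Run it against a real file with `triage(open(path, "rb").read())`. Note the caveat built into the verdict: string indicators prove the binary carries SMTP and MIME logic, not that it exercises it, and a packed or string-obfuscated sample would show nothing at all, which is why Jay's conclusion still asks for someone with an isolated Windows box to run it.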
Current thread:
- possible new trojan Peter Harkins (Dec 12)
- Re: possible new trojan Jay D. Dyson (Dec 13)
- <Possible follow-ups>
- Re: possible new trojan Peter (Dec 13)