Security Incidents mailing list archives
Re: New trojan? Old trojan with new characteristics? Anyone seenthis?
From: "vex86 () rogers com" <vex86 () rogers com>
Date: 14 Apr 2003 19:57:00 -0400
I'd love to get my hands on a copy of the trojan being used.. Often they are bounced to a redirect, then to a server. This trojan (javauser ident) is indefinitely a spawn of GT or some sort. I've seen Litmus, [sd], and GT take this setup, with the javauser.. Check if the machines connecting are vulnerable to Netbios, they are often vulnerable to netbios because currently it's the only way Botnet Farmers are spreading their net.. I've seen different ways, however.

If you have any further questions, you may contact me at vex86 () rogers com

Best Regards,
Richard

On Thu, 2003-04-10 at 20:55, Alex Lambert wrote:
Mike,

I received word of something similar from one of my opers on February 17th. Ancient, an operator from irc.bigpond.com, notified irc.webchat.org's nohack team about this:

<Ancient> just for your info a new trojan / drone is making rounds and it may be hard to spot on CR
<Ancient> the ident = javauser
<Ancient> full name follows pattern 99999 1
<Ancient> the nicknames resemble first names and seem to be derived from some nick dictionary
<Ancient> we run CR and we observed it growing very fast
<Ancient> few connections on saturday to 100s today
<Ancient> I noticed heaps of them on Undernet but they are too ignorant to care
<Ancient> i posted an IRC CERT notice but it seems delayed
<Ancient> how many lines can I post here before getting done for flooding?
<Ancient> as I'm about to send a fragment of perl code that can detect this bot, if you know how to code using net::irc
<Ancient> # exploit pattern ident:javauser real:99999 9
<Ancient> my (@realwords) = split(" ",$real);
<Ancient> if ($ident =~ /^javauser$/) {
<Ancient> if ($nickname !~ /^guest[[:digit:]]{5}$/i) {
<Ancient> if ($realwords[1] =~ /^[[:digit:]]{4,5}$/) {
<Ancient> if ($realwords[2] =~ /^[[:digit:]]{1}$/) {
<Ancient> &akill($self, $nickname, $host,"Exploit\:javauser");
<Ancient> } } } }
<Ancient> richard, if you got my previous info re:javauser trojan, there is one more fact about it - it never seems to be using port 7000

You might want to consider subscribing to irc-cert at http://cert-irc.cyberabuse.org/

Cheers,
Alex Lambert
irc.liveharmony.org
alambert () quickfire org

Mike Parkin wrote:

Not often I post to the list. Lately the IRC network I help run (away from work) has seen a large number of host connections with a pattern similar to numerous other trojan/malware infections that have an IRC element. Namely: Similar nicks, user@, and real name fields.
In this case the nicks are all one of several similar patterns (repeats lead us to believe it may be chosen from a list), the User@ is always javauser@ (I haven't actually seen a legitimate java client with this ident, though there may well be one.) and the Real Name field is always a pattern of "nnnnn 1" where nnnnn is a five digit random number.

----------------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven protection.
http://www.securityfocus.com/SurfControl-incidents2
Download your free fully functional trial, complete with 30-days of free technical support.
Stop SPAM before it stops you.
----------------------------------------------------------------------------
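The signature described in this thread (ident javauser, real name of four or five digits followed by a single digit, nick not of the form guestNNNNN), applied to connection records as an added example; this is not code from any of the posters. The record format, the function names and the sample connections are constructed for illustration, and the real name is assumed to arrive as the bare string (for example "48213 1").

```python
import re
from collections import Counter

# Signature as described in the thread: ident "javauser", real name of
# "<4-5 digits> <1 digit>", and a nick that is not guestNNNNN (the exclusion
# in the posted Perl fragment).
GUEST_NICK = re.compile(r"guest[0-9]{5}", re.IGNORECASE)
REAL_NAME = re.compile(r"[0-9]{4,5} [0-9]")

# Constructed record format (an assumption, not a real ircd notice):
#   nick!ident@host port :real name
RECORD = re.compile(
    r"(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+) (?P<port>[0-9]+) :(?P<real>.*)"
)

def parse_record(line):
    """Return a dict of connection fields, or None if the line is malformed."""
    m = RECORD.fullmatch(line.strip())
    return m.groupdict() if m else None

def matches_signature(rec):
    """True only when ident, nick and real name all fit the reported pattern."""
    return (
        rec["ident"] == "javauser"
        and not GUEST_NICK.fullmatch(rec["nick"])
        and REAL_NAME.fullmatch(rec["real"]) is not None
    )

def scan(lines):
    """Return (matching records, nicks seen more than once among the matches)."""
    hits = [r for r in map(parse_record, lines) if r and matches_signature(r)]
    counts = Counter(r["nick"].lower() for r in hits)
    return hits, {nick: n for nick, n in counts.items() if n > 1}

# Constructed sample connections (documentation address ranges).
SAMPLE = [
    "Brian!javauser@192.0.2.10 6667 :48213 1",        # fits the pattern
    "Karen!javauser@198.51.100.7 6667 :9071 1",       # four-digit variant
    "Guest12345!javauser@203.0.113.5 6667 :55555 1",  # excluded guest nick
    "Brian!javauser@203.0.113.44 6668 :10442 1",      # repeated nick
    "alice!javauser@192.0.2.99 6667 :Alice Example",  # same ident, ordinary name
    "bob!~bob@192.0.2.50 7000 :31337 1",              # different ident
    "garbage line",                                   # malformed, skipped
]

if __name__ == "__main__":
    hits, repeats = scan(SAMPLE)
    for r in hits:
        print(f"match {r['nick']}!{r['ident']}@{r['host']} real={r['real']!r}")
    print("repeated nicks:", repeats)
```

Requiring all three fields to match keeps a client that merely shares the javauser ident from being flagged on the ident alone.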
Current thread:
- New trojan? Old trojan with new characteristics? Anyone seen this? Mike Parkin (Apr 10)
- Re: New trojan? Old trojan with new characteristics? Anyone seenthis? Alex Lambert (Apr 14)
- Re: New trojan? Old trojan with new characteristics? Anyone seenthis? vex86 () rogers com (Apr 15)
- Re: New trojan? Old trojan with new characteristics? Anyone seenthis? Mike Parkin (Apr 17)
- Re: New trojan? Old trojan with new characteristics? Anyone seenthis? vex86 () rogers com (Apr 15)
- Re: New trojan? Old trojan with new characteristics? Anyone seenthis? Alex Lambert (Apr 14)