Security Incidents mailing list archives

RE: Probable Trojan.


From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Wed, 29 Oct 2003 10:25:49 -0800

When you do a netstat -an from the command prompt, do you see the UDP
port 1053 there, and does it say established, waiting, or ??  What IP is
listed as the foreign address?  Are you hooked to a broadband router
using NAT?   

"The Thief" Trojan runs on TCP port 1053, and since this is UDP I doubt
there is something there.  To really dig into it, you'd need some
captures from TCPDUMP.  Know how to set up and run that?  If you suspect
something is going on, about the only way to be sure it is not a remote
sort of deal is you need to sniff in/out traffic.  Otherwise, a
keylogger, or some other secret malware on the machine itself would be
suspect.  Has he used various machines, or the same one every time?

  There is an AOL.PWstealer trojan.  Did you run av?

Warmest Regards,
Jim Butterworth, GCIA





-----Original Message-----
From: Gene [mailto:flyersfanindc () yahoo com] 
Sent: Monday, October 27, 2003 11:50 AM
To: incidents () securityfocus com
Subject: Probable Trojan.



Have a buddy complaining about his AOL account password being stolen
every time he logs onto AOL from his PC at work.  I talked him through
doing an fport on his box and he sent me the results:





Pid   Process            Port  Proto Path
8     System         ->  1097  TCP
8     System         ->  139   TCP
8     System         ->  445   TCP
1916  aolwbspd       ->  11523 TCP   C:\Program Files\America Online 9.0\aolwbspd.exe
676   OUTLOOK        ->  1125  TCP   C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
676   OUTLOOK        ->  1129  TCP   C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
856   MSTask         ->  1051  TCP   C:\WINNT\system32\MSTask.exe
988   svchost        ->  1132  TCP   C:\WINNT\system32\svchost.exe
988   svchost        ->  1134  TCP   C:\WINNT\system32\svchost.exe
988   svchost        ->  1139  TCP   C:\WINNT\system32\svchost.exe
452   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe

8     System         ->  137   UDP
8     System         ->  138   UDP
8     System         ->  445   UDP
1820  waol           ->  1849  UDP   C:\Program Files\America Online 9.0\waol.exe
1688  IEXPLORE       ->  1191  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
1856  IEXPLORE       ->  1784  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
676   OUTLOOK        ->  1126  UDP   C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
676   OUTLOOK        ->  1127  UDP   C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
676   OUTLOOK        ->  1182  UDP   C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
800   rtvscan        ->  2967  UDP   C:\Program Files\NavNT\rtvscan.exe
268   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe





I'm really concerned with the last one:

228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe





I've found some things on the net that say it's legit, I've found others
that say it's indicative of a backdoor.  I ran fport on my box and did
not have any entries like that.  Does anyone have any information on
this?  Are there other entries that attract anyone else's attention?



Your help is appreciated.

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------


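Not part of either message: an added Python helper that parses fport output of the kind Gene pasted and returns notes for manual review on the two points raised in the thread, an OS process such as winlogon bound to a port above 1024 and a path reported in the \??\ object-namespace form, plus a check that the process name matches the image file. The sample listing is an excerpt of the post with mail-wrapped paths rejoined; the CORE_PROCESSES set is my assumption, not something from the post.

```python
import re
from dataclasses import dataclass

# One fport line: PID, process, "->", port, proto, path (empty for System).
_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Core Windows processes (assumed list, not from the post); one of these on a
# port above 1024 earns a second look, not a verdict.
CORE_PROCESSES = {"system", "winlogon", "lsass", "services", "csrss", "smss"}

# Excerpt of the post's listing, mail-wrapped paths rejoined.
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
8     System         ->  445   TCP
676   OUTLOOK        ->  1125  TCP   C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
268   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe
"""

@dataclass
class Listener:
    pid: int
    process: str
    port: int
    proto: str
    path: str

def parse_fport(text: str) -> list[Listener]:
    """Parse fport output; the header and blank lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            listeners.append(Listener(int(pid), proc, int(port), proto, path))
    return listeners

def triage(entry: Listener) -> list[str]:
    """Return notes for manual review; an empty list means nothing stood out."""
    notes = []
    if entry.process.lower() in CORE_PROCESSES and entry.port > 1024:
        notes.append("core OS process bound to a port above 1024")
    if entry.path.startswith("\\??\\"):
        notes.append("path given in NT object-namespace form (\\??\\); verify the on-disk image")
    if entry.path:  # compare by prefix: fport truncates long process names
        image = entry.path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        if not image.startswith(entry.process.lower()):
            notes.append("process name does not match image file name")
    return notes
```

Run it over a full fport capture and only the entries with non-empty notes need a closer look; the winlogon line from the post gets two notes, the others none.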
