Telecom and Logistics Associates 

Security NEWs Service: TLAnews

Publication: Christian ALT, TLAalert Security Service

10.6.2000 Security: They were ready to attack
Prompted by an attack on one of their own computers, Network Security Technologies investigators unraveled a possible future attack on major Web sites and some 2,000 compromised computers, mostly belonging to home users.

In French: They were ready to attack
Alerted by an attack on one of their own computers, Network Security Technologies investigators uncovered a possible attack on major Web sites and more than 2,000 compromised computers, mostly belonging to home users.

 
English version
NETSEC is warning computer users that a “polymorphic” Trojan is causing widespread compromise of computer systems around the world. NETSEC has caught a group of hackers in the act of compromising thousands of computers that are connected to the Internet by full-time DSL connections, cable modems, and corporate networks.
Summary in French
NETSEC informs you of the presence of a Trojan that is infiltrating computers around the world. They caught a group of hackers in the act of compromising several thousand computers connected to the Internet by cable or DSL links.


NETSEC detected the Trojan on one of its PCs as it unsuccessfully attempted to contact the hackers across the company’s networks. The company quickly isolated and analyzed the Trojan, and later contacted government law enforcement officials at the National Infrastructure Protection Center (NIPC). NETSEC security engineers then followed the Trojan’s communications and monitored Internet conversations among hackers in Maine, Canada, and elsewhere.

The hackers “Serbian”, “Badman”, and others bragged and laughed about their successful attacks on networks as well as the sheer numbers of machines that they had compromised. The hackers execute their attacks by distributing a “Trojan”, which is a piece of malicious code embedded inside a legitimate downloadable file. The file infiltrates a PC and contacts the hackers over a network to offer them full control of the computer while it’s connected to the Internet.

“Due to the wide-scale nature of the infection, the hackers could easily use the compromised machines to launch a distributed denial of service attack, such as the one that recently disabled major e-Commerce web sites,” stated Jerry Harold, NETSEC’s President and cofounder. NETSEC has identified over 2,000 computer systems within the last few days that have been compromised by this Trojan. The compromised systems include major corporations throughout the U.S., Canada, Europe, and the Eastern Bloc.

This is a unique implementation of a known Trojan called "Backdoor.SubSeven21". This version is noteworthy because so many PCs have been infected without detection and it is actively being used by hackers. The malicious part of the code is compressed to avoid detection when the video or host file is executed. In addition, it changes its name each time it is installed on a computer and it is not visible to users as other programs are. Once installed, it cannot be deleted easily. Virus detection software appears only to detect the Trojan after it is fully executed and only when the user manually scans the PC.

"More and more stealthy, sophisticated attacks such as this are being designed to evade detection by common security products," stated Ken Ammon, NETSEC's CEO and cofounder. "These attacks illustrate how essential it is for security products to be managed by trained security professionals who understand how to use the products to detect, analyze, and eliminate these security incidents."

"The recent denial of service attacks on major web sites combined with this attack are just the tip of the iceberg," states Ken Ammon. "This is not a fad but a very real trend that will only get worse. Protection against this type of modern warfare requires next generation security techniques. Those techniques involve around-the-clock monitoring and management of state-of-the-art security products by trained security professionals."

The Trojan, which was detected "in the wild," is transported within another executable file that contains a compressed, malicious executable (".exe"). The compression is designed to prevent detection of the malicious code by virus scanning software. When the user attempts to execute the legitimate file, the malicious executable decompresses and installs itself on the hard drive, typically in the top level of the Windows directory (c:\windows\). Upon reboot, the malicious code loads itself into the system, renames itself by assigning a randomly generated name, modifies system.ini, win.ini and the Windows Registry, and installs a service that makes an outbound connection to one of two modified Internet Relay Chat (IRC) servers. The Trojan establishes the outbound connection over random ports on the infected machine while attempting to connect to well-known ports on the IRC servers (6669, 2221, 2222, 7000). Once established, the Trojan passes the compromised computer's IP address, and then opens a random listening port on the compromised machine through which an adversary can connect back in.
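The two observable traces the advisory gives a defender are the outbound IRC beacon to ports 6669, 2221, 2222 or 7000 and the edits to system.ini and win.ini. The following Python is an added example, not code from the page or from NETSEC, showing how both could be checked: it scans constructed firewall-style log lines for outbound TCP flows from internal (assumed RFC 1918) hosts to those ports, and inspects constructed system.ini/win.ini contents for non-default `shell=`, `run=` and `load=` entries. The log format, the address ranges and the specific ini keys are assumptions for the illustration; the page only states that the two files are modified.

```python
"""Detection helpers for the beaconing and ini persistence described in the advisory.

All sample data below is constructed for the example; none of it is a real capture.
Assumed log format: "<timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
"""
import ipaddress
import re
from collections import defaultdict

# Destination ports named in the advisory for the modified IRC servers.
SUSPECT_IRC_PORTS = {6669, 2221, 2222, 7000}

# Assumption: the monitored LAN uses RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_irc_beacons(lines):
    """Return {src_ip: [(dst_ip, dport), ...]} for outbound TCP flows from internal
    hosts to the advisory's IRC ports. Denied flows count too: a blocked beacon is
    still evidence that the host is infected."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if (is_internal(rec["src"]) and not is_internal(rec["dst"])
                and rec["dport"] in SUSPECT_IRC_PORTS):
            hits[rec["src"]].append((rec["dst"], rec["dport"]))
    return dict(hits)


def ini_persistence_findings(system_ini, win_ini):
    """Flag a system.ini 'shell=' value other than plain Explorer.exe and any
    non-empty 'run=' or 'load=' in win.ini. Which keys the Trojan edits is an
    assumption of this example; the advisory only says the files are modified."""
    findings = []
    for line in system_ini.splitlines():
        if line.strip().lower().startswith("shell="):
            value = line.split("=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(("system.ini", line.strip()))
    for line in win_ini.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() in ("run", "load") and value.strip():
            findings.append(("win.ini", line.strip()))
    return findings


# Constructed sample log: one allowed beacon, one denied beacon, plus benign noise.
SAMPLE_LOG = [
    "2000-06-10T08:01:02 ALLOW TCP 192.168.1.20:1041 -> 203.0.113.7:6669",
    "2000-06-10T08:01:05 ALLOW TCP 192.168.1.20:1042 -> 198.51.100.9:80",
    "2000-06-10T08:02:10 DENY TCP 192.168.1.31:1200 -> 203.0.113.8:7000",
    "2000-06-10T08:02:12 ALLOW UDP 192.168.1.31:1201 -> 203.0.113.8:2222",
    "2000-06-10T08:03:00 ALLOW TCP 198.51.100.9:6669 -> 192.168.1.20:1041",
    "not a log line",
]

# Constructed ini contents; "kxq1.exe" stands in for the randomly generated name.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe kxq1.exe\n"
SAMPLE_WIN_INI = "[windows]\nrun=c:\\windows\\kxq1.exe\nload=\n"

if __name__ == "__main__":
    for host, flows in find_irc_beacons(SAMPLE_LOG).items():
        print(f"{host}: beacon attempts to {flows}")
    for fname, entry in ini_persistence_findings(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI):
        print(f"{fname}: suspicious entry '{entry}'")
```

Aggregating by source host rather than by flow matters here: the advisory notes the Trojan uses random source ports, so a per-host view is what surfaces repeated attempts, and the denied flow from 192.168.1.31 is reported even though the firewall blocked it.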
On the Net: NETSEC: http://www.netsec.net/

Author information.
Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: June 10, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.