[ISN] Another BO detector that is actually a trojan

From: mea culpa (jerichoat_private)
Date: Wed Sep 02 1998 - 04:54:21 PDT


    Forwarded From: Ken Williams <jkwilli2at_private>
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    
    Hi,
    
         I recently came across a program called "BoSniffer.zip" that the
    author claims will "block key points in the registry from BO as well as
    search for existing installs of the backdoor."
    
         Close examination has revealed that this is actually a BO server
    with the "SpeakEasy" plugin installed.  If you run "BoSniffer.exe", the
    BoSniffer executable (read: BO Server Trojan w/ SpeakEasy) will "attempt
    to log into a predetermined IRC server on channel #BO_OWNED with a random
    username.  It then proceeds to announce its IP address and a custom
    message every few minutes."
    
         This program, "BoSniffer.zip", is currently being widely distributed
    as a "cure for Back Orifice infections".  It is probably being distributed
    with other software packages and under other names too.  Listed below are
    the relevant details about this program.
    
    
    File Sizes (in bytes)
    ---------------------
    231068 BoSniffer.exe
    108573 BoSniffer.zip
    
    MD5 fingerprints and strings (checksums)
    ----------------------------------------
    MD5 (BoSniffer.zip) = 2d75c4ac54b675778ff22f76f9a6a77f
    MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
    
    MD5 (BoSniffer.exe) = 63748087b2e1598fcf34498b0295212e
    MD5 ("string") = b45cffe084dd3d20d928bee85e7b0f21
    
    
    Evidence that BoSniffer.zip is really BO Server with SpeakEasy Plugin
    ---------------------------------------------------------------------
    sector 0x028C38
    irc.lightning.net:7000:Hey MASTER where are u!!!
    
    sector 0x0303F0 - sector 0x0306D8
    BO ButtPlugs and goodies...http://www.netninja.com/bo.html
    AJ Reznor: The pierced, tattooed grand master god of flame wars!
    Who is John Galt?
    Yes, you too can own my box with this special introductory offer of $0.00!
    I'm sad to see Kontrol Faktory go away.
    Use Linux!
    This box is now property of the Illuminati.
    <<tap>> <<tap>> <<tap>>...Is this thing on?
    Where do *YOU* want to go today?!
    
    sector 0x031848
    SpeakEasy.dll
    
    sector 0x0318A8 - sector 0x031980
    #BO_OWNED with IRC commands:
    Own Me @ .NOTICE .JOIN #BO_OWNED host server :Owned USERNICK BO
    .QUIT Psssst...Speakeasy was told to shut down
    .NOTICE #BO_OWNED :Psssst...Speakeasy just started up
    
    
    You get the idea by now, hopefully.
    
    Instructions on removing BO Servers from compromised servers can be
    found at:  http://www.iss.net/xforce/alerts/advise5.html
    or by searching through the NTBUGTRAQ archives at:
    http://ntbugtraq.ntadvice.com/archives/
    
    If anyone wants a copy of BoSniffer.zip for further examination, send
    email to Packet Storm Security at PacketStormat_private
    Please note that we will disregard any non-corporate or suspicious
    requests.
    
    Regards,
    
    Ken Williams
    
    Packet Storm Security http://www.Genocide2600.com/~tattooman/index.shtml
    E.H.A.P. Corporation  http://www.ehap.org/  ehapat_private infoat_private
    NCSU Comp Sci Dept    http://www.csc.ncsu.edu/ jkwilli2at_private
    PGP DSS/DH/RSA Keys   http://www.genocide2600.com/cgi-bin/finger?tattooman
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 5.0i for non-commercial use
    Charset: noconv
    
    iQEVAwUBNerX1ZDw1ZsNz1IXAQF5UQf/VygM5JDLYU7TiDQn6Isa3sC9glgrGumU
    snhykpFm3b4lYYnoZY+PQUabptp8KWfvB4Hf/4vc3sDJca62Zzh1QRgAzOnWbcPl
    fA7+eQNn+bVn6k91TIaEfllhA4CMB/U8L21pPBIuL4KYOmPyB/qXprRyqrg06AQ7
    KsdZ5krEYxrSVHJa1TcFws1OCoQeK7sX9C3x/Ys9v42k3nGthVJw3UAXTCisf3av
    glUe0jvDsMGtT9pFnq9Mg/iHeMA+uHMOGjkdU9/PDDunJ9DBht49ZLLAxdfy6nYH
    5PuQMH268XsCDbT/aFxYem8iYe8oPDgGDFFQSQ4j8bLjQR+RpPr5Aw==
    =c3QA
    -----END PGP SIGNATURE-----
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
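The triage in the message above amounts to two checks: fingerprint the file (MD5) and pull printable strings at their file offsets, then look for the SpeakEasy/BO indicators (the IRC rendezvous line, `SpeakEasy.dll`, `#BO_OWNED`, the "Psssst...Speakeasy" notices). The script below is an added example, written for this archive page and not part of Ken Williams' post or of any BO tooling. It does not contain or download the real BoSniffer.exe; it builds a small constructed byte blob with the same strings embedded so it runs offline, and the indicator patterns, offsets and function names are this example's own. The MD5 known-answer check uses the digest of the literal string "string", which is the value shown in the post.

```python
import hashlib
import re

# Indicator patterns derived from the strings quoted in the post.
# Regexes are this example's choice; the real binary may differ.
INDICATORS = {
    "irc_rendezvous":   rb"irc\.[A-Za-z0-9.-]+:\d+:",       # irc.lightning.net:7000:...
    "netninja_url":     rb"http://www\.netninja\.com/bo\.html",
    "speakeasy_dll":    rb"SpeakEasy\.dll",
    "bo_owned_channel": rb"#BO_OWNED",
    "speakeasy_notice": rb"Psssst\.\.\.Speakeasy",
}

MD5_OF_STRING = "b45cffe084dd3d20d928bee85e7b0f21"   # md5("string"), as in the post


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte buffer (the fingerprint the post records)."""
    return hashlib.md5(data).hexdigest()


def md5_known_answer_ok() -> bool:
    """Sanity-check the hash routine against the known digest of "string"."""
    return md5_hex(b"string") == MD5_OF_STRING


def find_strings(data: bytes, minlen: int = 8):
    """Like strings(1): printable ASCII runs of at least minlen, with offsets."""
    pat = rb"[\x20-\x7e]{%d,}" % minlen
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pat, data)]


def scan_indicators(data: bytes, indicators=INDICATORS):
    """Return {indicator_name: [file offsets]} for every indicator present."""
    hits = {}
    for name, pattern in indicators.items():
        offsets = [m.start() for m in re.finditer(pattern, data)]
        if offsets:
            hits[name] = offsets
    return hits


def classify(data: bytes):
    """Triage verdict: plugin name plus its IRC channel string together flag
    a BO server carrying SpeakEasy; a single hit alone is only suspicious."""
    hits = scan_indicators(data)
    verdict = "speakeasy_dll" in hits and "bo_owned_channel" in hits
    return {"md5": md5_hex(data), "hits": hits, "bo_speakeasy": verdict}


def build_sample(infected: bool = True) -> bytes:
    """Constructed stand-in for an executable image (NOT the real BoSniffer.exe)."""
    blob = bytearray(0x400)

    def put(off, s):
        blob[off:off + len(s)] = s

    put(0x010, b"This program cannot be run in DOS mode.\x00")
    if infected:
        put(0x040, b"irc.lightning.net:7000:Hey MASTER where are u!!!\x00")
        put(0x100, b"BO ButtPlugs and goodies...http://www.netninja.com/bo.html\x00")
        put(0x200, b"SpeakEasy.dll\x00")
        put(0x240, b".NOTICE #BO_OWNED :Psssst...Speakeasy just started up\x00")
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    for off, s in find_strings(sample):
        print(f"offset 0x{off:06X}  {s}")
    print(classify(sample))
```

On a real suspect file, replace `build_sample()` with `open(path, "rb").read()`, compare the MD5 against the two values in the post, and treat the offsets printed by `find_strings` the way the post's "sector" lines are used: as pointers to where the IRC rendezvous, plugin name and channel strings sit so a second analyst can confirm them.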
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:02:59 PDT