[ISN] Geocities Rebuffs Trojan Horse

From: mea culpa (jerichot_private)
Date: Tue Oct 06 1998 - 14:45:15 PDT


    Forwarded From: phreak moi <hackerelitet_private>

    Geocities Rebuffs Trojan Horse
    by Michael Stutz
    5:15 p.m. 5.Oct.98.PDT

    An estimated 15,000 users of Internet Relay Chat, a global chat network,
    have been infected with a Trojan horse programmed to retrieve a file from
    the GeoCities Web site. It's an especially ominous exploit, since it
    allows malicious users to take control of an infected machine once the
    program has landed.

    In an email message sent Friday to the Bugtraq security mailing list,
    GeoCities system administrator Debbie Barba said the company's Web servers
    were receiving thousands of requests daily from unique computers for the
    file, which no longer exists on its servers.

    "The specific count for one minute on Friday, September 25 at 10:17 a.m.
    was 3,522 hits," Barba said in the message.

    Barba said that the request does not use a Web browser and occurs every 30
    seconds while the user is connected to the Internet. The requests have
    been building up since 18 August -- the oldest date in the GeoCities Web
    server's access logs -- and were for "nfo.zip," a file that was stored in
    the directory of a GeoCities member.
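    The behaviour Barba describes (a non-browser client fetching the same file
    every 30 seconds) is exactly what a Web server operator can hunt for in
    access logs. The script below is an added example, not anything GeoCities
    or the article's sources ran; it assumes Apache combined-format logs and
    works on constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in Apache combined log format (not real GeoCities data).
SAMPLE_LOG = """\
10.0.0.7 - - [25/Sep/1998:10:17:00 -0700] "GET /members/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [25/Sep/1998:10:17:30 -0700] "GET /members/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.7 - - [25/Sep/1998:10:18:00 -0700] "GET /members/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:05 -0700] "GET /members/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:17:35 -0700] "GET /members/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.9 - - [25/Sep/1998:10:18:05 -0700] "GET /members/nfo.zip HTTP/1.0" 404 0 "-" "-"
10.0.0.3 - - [25/Sep/1998:10:17:10 -0700] "GET /members/index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_log(text):
    """Yield (ip, timestamp, path, user_agent) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["ua"]

def find_beacons(text, filename="nfo.zip", period=30, tolerance=5, min_hits=3):
    """Map client IP -> median gap (s) for non-browser clients fetching `filename` every ~period s."""
    times = defaultdict(list)
    for ip, ts, path, ua in parse_log(text):
        # A browser would send a Mozilla-style agent; the Trojan's fetches do not.
        if path.rsplit("/", 1)[-1] == filename and not ua.startswith("Mozilla"):
            times[ip].append(ts)
    beacons = {}
    for ip, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_hits - 1 and abs(median(gaps) - period) <= tolerance:
            beacons[ip] = median(gaps)
    return beacons

def hits_per_minute(text, filename="nfo.zip"):
    """Count requests for `filename` per calendar minute (the figure Barba quoted)."""
    counts = defaultdict(int)
    for _, ts, path, _ in parse_log(text):
        if path.rsplit("/", 1)[-1] == filename:
            counts[ts.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(counts)
```

    The list of flagged client addresses is what an operator would hand to the
    owning networks; the per-minute counts show the load the beaconing imposes
    even when the file returns 404.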
    The Trojan horse currently infects Microsoft's Windows 95 and 98 operating
    systems, and so far the mIRC client software is the most frequently used,
    according to George Imburgia, a systems administrator at Delaware
    Technical & Community College, who spent the better part of the weekend
    researching the problem. The requests are "not even a blip on the radar
    screen," said Bruce Zanca, GeoCities' vice president of communications.
    They have not affected service to GeoCities customers, the company's Web
    servers have experienced no downtime, and no GeoCities users have been
    denied access because of them.

    Machines get infected through IRC's file transfer system. After a user
    connects to a bot that offers pirated software, for instance, the
    setup.exe file can plant the Trojan.

    The Trojan uses UDP port 31337 -- which is the same one used by Back
    Orifice, a Windows 95 Trojan released in August by the hacker group Cult
    of the Dead Cow. And similar to Back Orifice, Imburgia said the Trojan
    could allow a malicious user to take control of an infected machine,
    regardless of whether it is connected to IRC.

    "This Trojan gives almost complete control to the remote user," he said.
    "They can take screen captures, read, alter, or delete files, and open
    connections to other systems from the infected system. They can run hidden
    or visible programs, see all processes running on the machine, or use the
    machine for network attacks on other systems."

    On Saturday, a new variant of the Trojan was discovered that gets its
    configuration data from a different GeoCities page, Imburgia said.

    While Dead Cow member "Deth Veggie" said he was unaware of this
    particular Trojan, he said that it was a good possibility that it was a
    Back Orifice plug-in, since it contained the telltale 31337 connection.
    It has been estimated that at least 15,000 computers are infected, all of
    which will have to be either cleaned of the Trojan or have their operating
    system completely reinstalled.