Forwarded From: phreak moi <hackerelitet_private>

http://www.wired.com/news/news/technology/story/15432.html

Geocities Rebuffs Trojan Horse
by Michael Stutz
5:15 p.m. 5.Oct.98.PDT

An estimated 15,000 users of Internet Relay Chat, a global chat network, have been infected with a Trojan horse programmed to retrieve a file from the GeoCities Web site. It's an especially ominous exploit, since it allows malicious users to take control of an infected machine once the program has landed.

In an email message sent Friday to the Bugtraq security mailing list, GeoCities system administrator Debbie Barba said the company's Web servers were receiving thousands of requests daily from unique computers for the file, which no longer exists on its servers.

"The specific count for one minute on Friday, September 25 at 10:17 a.m. was 3,522 hits," Barba said in the message.

Barba said that the request does not use a Web browser and occurs every 30 seconds while the user is connected to the Internet. The requests have been building up since 18 August -- the oldest date in the GeoCities Web server's access logs -- and were for "nfo.zip," a file that was stored in the directory of a GeoCities member.

The Trojan horse currently infects Microsoft's Windows 95 and 98 operating systems, and so far the mIRC client software is the most frequently used, according to George Imburgia, a systems administrator at Delaware Technical & Community College, who spent the better part of the weekend researching the problem.

The requests are "not even a blip on the radar screen," said Bruce Zanca, GeoCities' vice president of communications. They have not affected service to GeoCities customers, the company's Web servers have experienced no downtime, and no GeoCities users have been denied access because of them.

Machines get infected through IRC's file transfer system. After a user connects to a bot that offers pirated software, for instance, the setup.exe file can plant the Trojan.
The Trojan uses UDP port 31337 -- which is the same one used by Back Orifice, a Windows 95 Trojan released in August by the hacker group Cult of the Dead Cow. And similar to Back Orifice, Imburgia said the Trojan could allow a malicious user to take control of an infected machine, regardless of whether it is connected to IRC.

"This Trojan gives almost complete control to the remote user," he said. "They can take screen captures, read, alter, or delete files, and open connections to other systems from the infected system. They can run hidden or visible programs, see all processes running on the machine, or use the machine for network attacks on other systems."

On Saturday, a new variant of the Trojan was discovered that gets its configuration data from a different GeoCities page, Imburgia said.

While Dead Cow member "Deth Veggie" said he was unaware of this particular Trojan, he said that it was a good possibility that it was a Back Orifice plug-in, since it contained the telltale 31337 connection.

It has been estimated that at least 15,000 computers are infected, all of which will have to either clean their machines of the Trojan or completely reinstall their operating system.

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:34 PDT