[ISN] Word Macro PGP Key Trojan

From: mea culpa (jerichoat_private)
Date: Tue Feb 02 1999 - 12:53:38 PST

  • Next message: mea culpa: "[ISN] Virtual Client Headache"

    From: Fred Cohen <fcat_private>
    Subject: New attack on PGP keys with a Word Macro
    I just got a look at a Word file (CALIG.DOC) that contains user IDs and
    passwords to pornographic sites.  In addition to these pointers, it has a
    Trojan Horse that finds the user's private PGP key ring and ftp's it to: 
            user anonymous
            password itsme@
            directory incoming
            binary mode
            stored name: NewSecRingFile[0-9][0-9][0-9][0-9]
    This Trojan does its job in visual basic and - except for the initial
    notice (if enabled) that macros are present - gives no indication of this
    function that it performs. I figure the best defense against this is to: 
    1) Have thousands of users ftp phony files to that IP address
       and filename on a regular basis, thus making it impossible to
       get any real PGP keys - preferably send valid-looking PGP keys
       so they have to waste a lot of time cracking them.
    2) Cut off all service for ftp with (codebreakers.org)
       - either at the ISP, at your gateway, or at the borders to your country.
    3) Prosecute for possession of access devices - with international
       cooperation between authorities.
    4) Tell your people that this has been done so they will stop looking at
       pornography listing files fat chance this will work).
    At any rate, I hope that you will take prudent precautions within your
    organization against this potential attack on the security of your private
    Fred Cohen & Associates: http://all.net - fcat_private - tel/fax:925-454-0171
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:53 PDT