[ISN] Word Macro PGP Key Trojan

From: mea culpa (jerichoat_private)
Date: Tue Feb 02 1999 - 12:53:38 PST


    From: Fred Cohen <fcat_private>
    Subject: New attack on PGP keys with a Word Macro
    
    I just got a look at a Word file (CALIG.DOC) that contains user IDs and
    passwords to pornographic sites.  In addition to these pointers, it has a
    Trojan Horse that finds the user's private PGP key ring and ftp's it to: 
    
            209.201.88.110 (codebreakers.org)
            user anonymous
            password itsme@
            directory incoming
            binary mode
            stored name: NewSecRingFile[0-9][0-9][0-9][0-9]
    
    This Trojan does its job in visual basic and - except for the initial
    notice (if enabled) that macros are present - gives no indication of this
    function that it performs. I figure the best defense against this is to: 
    
    1) Have thousands of users ftp phony files to that IP address
       and filename on a regular basis, thus making it impossible to
       get any real PGP keys - preferably send valid-looking PGP keys
       so they have to waste a lot of time cracking them.
    
    2) Cut off all service for ftp with 209.201.88.110 (codebreakers.org)
       - either at the ISP, at your gateway, or at the borders to your country.
    
    3) Prosecute for possession of access devices - with international
       cooperation between authorities.
    
    4) Tell your people that this has been done so they will stop looking at
       pornography listing files (fat chance this will work).
    
    At any rate, I hope that you will take prudent precautions within your
    organization against this potential attack on the security of your private
    keys. 
    
    Fred Cohen & Associates: http://all.net - fcat_private - tel/fax:925-454-0171
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
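As an added example that is not part of Fred Cohen's post or the ISN list, the following script shows how a gateway operator could check FTP proxy or transfer logs for the exfiltration pattern described above (an anonymous upload to 209.201.88.110 into "incoming", stored under a name matching NewSecRingFile[0-9][0-9][0-9][0-9]). The log line format is an assumption made for the example ("<timestamp> <client-ip> -> <server-ip> <command> [argument]"), and the sample lines are constructed, not real captures.

```python
import re

# Constructed sample log lines in an assumed one-line-per-FTP-command format;
# not taken from the original post.
SAMPLE_LOG = """\
1999-02-01T09:12:03 10.0.0.15 -> 209.201.88.110 USER anonymous
1999-02-01T09:12:03 10.0.0.15 -> 209.201.88.110 PASS itsme@
1999-02-01T09:12:04 10.0.0.15 -> 209.201.88.110 CWD incoming
1999-02-01T09:12:04 10.0.0.15 -> 209.201.88.110 TYPE I
1999-02-01T09:12:05 10.0.0.15 -> 209.201.88.110 STOR NewSecRingFile4821
1999-02-01T10:40:22 10.0.0.22 -> 192.0.2.50 USER alice
1999-02-01T10:40:23 10.0.0.22 -> 192.0.2.50 STOR report.txt
1999-02-01T11:02:11 10.0.0.31 -> 209.201.88.110 RETR README
1999-02-01T12:00:00 10.0.0.40 -> 198.51.100.7 STOR NewSecRingFile0007
"""

# Indicators taken from the advisory: the drop host and the stored-name pattern.
KNOWN_DROP_HOST = "209.201.88.110"
STORED_NAME = re.compile(r"^NewSecRingFile\d{4}$")   # NewSecRingFile[0-9][0-9][0-9][0-9]

# Assumed log layout: "<timestamp> <src> -> <dst> <COMMAND> [argument]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse(line):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return 'high', 'medium', 'low' or None for one parsed record.

    high   - an upload whose stored name matches the Trojan's naming scheme,
             regardless of destination (the drop host could move)
    medium - any other upload (STOR) to the known drop host
    low    - any other traffic to the known drop host
    """
    if rec is None:
        return None
    cmd, arg = rec["cmd"], rec["arg"] or ""
    if cmd == "STOR" and STORED_NAME.match(arg):
        return "high"
    if rec["dst"] == KNOWN_DROP_HOST and cmd == "STOR":
        return "medium"
    if rec["dst"] == KNOWN_DROP_HOST:
        return "low"
    return None


def scan(log_text):
    """Return {source_ip: (worst_severity, [matching log lines])} for every
    internal host that tripped at least one rule."""
    results = {}
    for line in log_text.splitlines():
        rec = parse(line)
        sev = classify(rec)
        if sev is None:
            continue
        worst, evidence = results.get(rec["src"], ("low", []))
        if SEVERITY_RANK[sev] > SEVERITY_RANK[worst]:
            worst = sev
        evidence.append(line)
        results[rec["src"]] = (worst, evidence)
    return results


if __name__ == "__main__":
    for src, (sev, lines) in sorted(scan(SAMPLE_LOG).items()):
        print(f"{src}: {sev}")
        for l in lines:
            print("    " + l)
```

Hosts rated "high" are the ones worth pulling off the network and checking for the macro; the "low" hits only tell you someone talked to the drop host at all. Since the Trojan's stored name is matched independently of the destination, the rule keeps working if the same macro is pointed at a different server.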
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:17:53 PDT