[ISN] 'Trojan horse' program steals passwords

From: mea culpa (jerichoat_private)
Date: Wed Mar 24 1999 - 23:32:21 PST

  • Next message: mea culpa: "[ISN] ASIO cleared to hack into computers"

    Wednesday, March 24, 1999 Published at 17:52 GMT 
    'Trojan horse' program steals passwords
    A free e-mail program called ProMail is stealing users' names and
    passwords and sending them to an unknown person. 
    The information allows simple access to the victims' messages. 
    The recipient is presumably the creator of what is termed a "Trojan horse"
    virus. A teenager called "David" has claimed responsibility in an e-mail
    to Ken Williams, who runs Packet Storm Security, a Web security site. 
    The message was sent from an anonymous address and so cannot be verified. 
    "I just wanted to increase the public's awareness on the problem of
    Internet privacy," the "David" character said. 
    "If a program written by a teenager can be spread SO EASILY over the Net,
    unchecked, and even be used by the Armed Forces, then something must be
    "But let me assure all you people using ProMail, I did not use, store,
    sell or do anything with your passwords or other data. And I did not
    download your mail." 
    Security implications In an e-mail earlier this week, Ken Williams said:
    "The security implications and severity of the situation are truly
    He believes hundreds of thousands of account names and passwords may have
    been harvested by ProMail. Some in the Net security community think it is
    the most widely distributed Trojan ever. 
    ProMail v1.21 has been widely available through major freeware sites such
    as shareware.com and simtel.net. It has been made available on at least
    114 other sites and it is impossible to know when, even if, it will be
    removed from all sites. 
    The virus works by gathering the username, password and server name for
    the 'POP3' system, which transfers e-mail from the server to the user, and
    then packages the information up and sends it all off in an e-mail. 
    Ian Whalley, Senior Programmer with UK anti-virus software company Sophos
    PLC, told BBC News Online: "POP3 is very prevalent these days - it's in
    use everywhere." 
    Nightmare problem 
    "On the face of it, private e-mail is the major problem, as corporations
    tend not to use POP3. But it's very hard to tell as it is very widely
    "A Trojan horse in this type of application is new. You could in theory
    disinfect it, but there are plenty of other e-mail clients out there, so
    it's best just to get rid of ProMail."
    Whalley says wiping ProMail from the Web will be extremely hard: "You
    could trace all the logs back but it would be a nightmare."
    ProMail's creator used open source code for the core program, which works
    very well. He then inserted the Trojan horse. 
    The program seems to have been made available around 24 February. The
    problem was first publicised on the Bugtraq news group on 19 March by Aeon
    Labs and was confirmed by Pine Security Digest. 
    Aeon tracked where the password-carrying e-mail messages were sent to - a
    free web-based account. In the messages already there, they found details
    of e-mail accounts from Microsoft, the US Army and a video games company
    Simtel no longer makes ProMail available. It has also given what
    information it has about the supplier of ProMail to the FBI, US Army
    Counterintelligence and Interpol. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:21:27 PDT