backdoor trojan in ICKill

From: Bachrach (bachrachat_private)
Date: Sun Jun 07 1998 - 16:44:28 PDT


        First off, I'm not 100% sure if this is the appropriate forum for this,
    since it's not really a weakness, but rather a programmer who is putting
    backdoors into some programs. Then again, technically that's an exploit... Oh, I
    don't know. If this is the wrong place then I apologize profusely for the
    waste of bandwidth and plead ignorance, but here goes:
        Well, chances are none of you guys have ever used this program, or even
    heard of it, but there are a lot (35,000) of people who have. I originally
    downloaded it because I've been researching a lot of the weaknesses in the
    ICQ protocol (which has become easier as time has gone on. :)) Anyway, after
    you run it (ICKill), it creates a file in the directory called 1.exe that
    acts as a fake explorer. 1.exe accesses your regedit database, and copies
    itself to windows/system. It changes the regedit so that the fake one will
    run on startup. It acts mostly the same as the normal explorer with one very
    crucial exception. It contacts a host (I still can't figure out which one),
    and executes the commands that are embedded within a text file on the
    computer. Anyone see it yet? Backdoor city. I contacted the author (who left
    his e-mail address in the readme), and he's the one who explained the
    backdoor thing. He also told me a few other things that made me write up to
    this group.
        He said that he had gotten almost 35,000 different people's systems
    calling up his computer at one point; essentially he has backdoors to
    35,000 systems across the globe. When I asked him why he would go through
    all the trouble to do this he gave me two reasons:
    1. IF (and he emphasized the if) he was a hacker he could use a couple of
    other people's computers as hops when hacking into a system. Kind of nasty
    for the sysadmin trying to trace a break-in, huh?
    2. To quote him: "And the backdoors can auto-update themselves.. so Imagine I
    can code a virus like backdoor... Whoaaa! This will be like THAT internet
    worm.."
    3. He also said: "Imagine also.. 35,000 backdoored (yeah, I reached this
    number) connections pinging or SYN flooding some server.."

    Well, if anyone out there is using or has ever used ICKill then get rid of
    it. I have actually set up a page on this to both inform people and explain
    how to get rid of all traces of the program that I currently am able to, at
    http://members.tripod.com/~hakz/ICQ/index.html. That site also has all of the
    letters I wrote to him and he wrote to me, if you want to see the entire
    thing. It's also got some other info I couldn't fit into this message,
    including all of the mistakes the author made (guess he needed better beta
    testing). My last question is this: if one person has backdoors into
    thousands of computer systems, doesn't that pose some sort of risk to the
    internet community as a whole? There's one person who's been saying that I
    should notify the FBI about this. As you can see, I decided to start here first.
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:50 PDT