Hello,

Last week we detected a possibly new backdoor trojan on a Windows 2000 computer. This trojan acts as a proxy server, using the hacked computer as a 'zombie' server. The developer of the software made a great deal of effort to make it hidden. The process is not visible in the Windows Task Manager. The directories containing the files are not visible to the local administrator. Parts of the 'services' registry keys are made hidden and no TCP 'listening' ports can be seen using the 'netstat' command.

I collected the following files:

In C:\WINNT\SYSTEM32:

  25-01-2003  03:33             20.480  mspxss.exe

Contents of C:\WINNT\SYSTEM32\MUI\DISPSPEC\MSPXCOMMON\COM1\MSPX directory:

  19-02-2003  14:55    <DIR>            cache
  24-07-1999  22:03             45.056  inuse.exe
  26-02-2002  12:25             33.792  mspx-csrss.exe
  10-03-2002  00:54          1.011.773  mspx-smss.exe
  26-06-2000  14:07            323.072  mspx-sw.exe
  26-06-2000  14:07            323.072  mspx-sw2.exe
  26-06-2000  14:07            323.072  mspx-sw3.exe
  25-01-2003  03:37                 36  mspxmmedia_Restart.log
  25-01-2003  03:37                 36  mspxssext_Restart.log
  25-01-2003  03:37                 36  mspxss_Restart.log
  30-01-2002  18:21             20.480  pv.exe
  10-04-2002  03:42            107.008  reboot.exe
  10-01-2003  01:45              1.243  svc-rst.reg
  08-05-2002  10:50             45.056  xcacls.exe

The directory above is NOT VISIBLE on 'infected' computers. But due to a programming flaw an empty directory C:\DEV is always created, because somewhere in the program the output is incorrectly redirected to /dev/null.

Is this really an unknown backdoor? No anti-virus software seems to detect it, nor do programs like MooSoft's 'The Cleaner'.

-Sven
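Added example, not from Sven's post or from any tool it names: a small Python triage helper that parses 'dir' listings in the same DD-MM-YYYY, dotted-thousands format as the one above, flags the file names listed in the post, and reports whether the C:\DEV directory the post describes is present in a root listing. The sample listing inside is constructed; the indicator list contains only the file names from this post, and several of them are legitimate tools, so a match is a reason to look closer rather than proof of infection.

```python
import re
from collections import namedtuple
from datetime import datetime

# File names taken from the post. Some (inuse.exe, xcacls.exe, reboot.exe,
# pv.exe) are legitimate tools, so a hit means "look closer", not "infected".
SUSPECT_NAMES = {
    "mspxss.exe", "mspx-csrss.exe", "mspx-smss.exe", "mspx-sw.exe",
    "mspx-sw2.exe", "mspx-sw3.exe", "mspxmmedia_restart.log",
    "mspxssext_restart.log", "mspxss_restart.log", "svc-rst.reg",
    "pv.exe", "reboot.exe", "inuse.exe", "xcacls.exe",
}
# One 'dir' line in the DD-MM-YYYY, dotted-thousands format used in the post.
LINE_RE = re.compile(
    r"^\s*(\d{2}-\d{2}-\d{4})\s+(\d{2}:\d{2})\s+(?:<DIR>|([\d.]+))\s+(\S.*?)\s*$")
Entry = namedtuple("Entry", "when is_dir size name")  # size is 0 for directories

def parse_dir_listing(text):
    """Parse 'dir' output lines such as '25-01-2003 03:33 20.480 mspxss.exe'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Directory of' headers, blank lines, totals
        date, time, size, name = m.groups()
        entries.append(Entry(datetime.strptime(f"{date} {time}", "%d-%m-%Y %H:%M"),
                             size is None, int(size.replace(".", "")) if size else 0, name))
    return entries

def triage(listing):
    """Report indicator file names and the C:\\DEV directory side effect from the post."""
    entries = parse_dir_listing(listing)
    return {"hits": sorted(e.name for e in entries if e.name.lower() in SUSPECT_NAMES),
            "dev_dir": any(e.is_dir and e.name.upper() == "DEV" for e in entries)}

# Constructed sample listing (not a real capture), in the format of the post.
SAMPLE_LISTING = """\
 Directory of C:\\

19-02-2003  14:55       <DIR>          DEV
25-01-2003  03:33           20.480 notes.txt

 Directory of C:\\WINNT\\SYSTEM32\\MUI\\DISPSPEC\\MSPXCOMMON\\COM1\\MSPX

19-02-2003  14:55       <DIR>          cache
24-07-1999  22:03           45.056 inuse.exe
10-03-2002  00:54        1.011.773 mspx-smss.exe
25-01-2003  03:37               36 mspxss_Restart.log
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```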
This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 15:38:50 PST