RE: [SPAM] RE: [Full-Disclosure] interesting trojan found
From: Todd Towles (toddtowles_at_brookshires.com)
Date: 10/21/04
- Previous message: Kyle Maxwell: "Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP"
- Maybe in reply to: Todd Towles: "RE: [SPAM] RE: [Full-Disclosure] interesting trojan found"
To: <kruse@krusesecurity.dk>, <full-disclosure@lists.netsys.com>
Date: Thu, 21 Oct 2004 11:40:59 -0500
I see.
For some reason, I was thinking he couldn't see it in the system processes, but
now that I think about it, you are correct. So it was hiding, but not
very well, therefore not the true trojan/rootkit hybrid. Thanks Peter.
> -----Original Message-----
> From: Peter Kruse [mailto:kruse@krusesecurity.dk]
> Sent: Thursday, October 21, 2004 11:33 AM
> To: Todd Towles; full-disclosure@lists.netsys.com
> Subject: SV: [SPAM] RE: [Full-Disclosure] interesting trojan found
>
> Hi Todd,
>
> >But if it is a rootkit, does it not hide from normal AV scanning?
>
> Nope, you'll see it in the system processes, but since it's
> active in memory, you won't be able to end it.
>
> The trojan is an RDBot variant (Spybot). Like other variants
> from this strain, it spreads across local and remote
> networks. It uses several exploits to compromise unpatched
> MS Windows boxes, as well as searching for shares with weak
> passwords. When executed, it creates a mutex "[rxBot v0.6.5
> pk + ftpd]". If another instance of this worm is already
> running, it will exit. The malware carries a backdoor that
> allows a malicious user to control the infected host through
> IRC channels. As stated in the first posting, it drops a
> copy of itself to the Windows system folder. Next up it
> modifies the registry with several runas keys under the value
> "update run msword".
>
> This RDbot includes a keylogger that will log all keyboard
> activity and save this to a text file. A remote user can
> collect this information through IRC and possibly gain access
> to other services.
>
> ---
> Med venlig hilsen // Kind regards
>
> Peter Kruse
> Security and virus analyst, CSIS ApS
> Voice: (+45) 88136030, Cell: (+45) 28490532, Fax: (+45) 28176030
> http://www.csis.dk, E-mail: pkr@csis.dk
>
> PGP fingerprint
> 79FD 0648 158E 6B9E 236F CFDA 7C58 64D6 BE83 FA60
>
> Combined Services & Integrated Solutions
> Gevno Gade 11a, 4660 Store Heddinge, Denmark
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
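The two host indicators Peter gives in his reply (the mutex name "[rxBot v0.6.5 pk + ftpd]" and the run-key value name "update run msword") are enough for a quick triage check. The following Python is an added example, not code from the thread or from CSIS: it parses a registry export in `.reg` format, flags any autostart value whose name matches the bot's, and, on Windows only, asks the kernel whether the mutex is currently held. The embedded export is a constructed sample; the file path in it is made up, since the thread does not name the dropped file, and the list of run keys examined is an assumption (the post says only "several" keys).

```python
"""Triage for the RDBot/rxBot indicators described in the thread (added example)."""
import ctypes
import re
import sys
from typing import Iterable, List, Tuple

MUTEX_NAME = "[rxBot v0.6.5 pk + ftpd]"   # from the post
RUN_VALUE_NAME = "update run msword"      # from the post

# Assumption: which "several" keys the bot writes is not stated in the thread,
# so the usual XP-era autostart locations are checked.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

RegEntry = Tuple[str, str, str]  # (key path, value name, value data)

# Constructed sample of a `regedit /e` export. The bot-sample.exe path is
# invented for illustration; the thread does not give the dropped file name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"update run msword"="C:\\WINDOWS\\system32\\bot-sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Update Run MSWord"="C:\\WINDOWS\\system32\\bot-sample.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# `"name"=data` or `@=data` (default value); name may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[RegEntry]:
    """Flatten a .reg export into (key, name, data) tuples.

    Only REG_SZ-style quoted data is unescaped; hex:/dword: data is kept raw.
    Works on an export taken from an offline image as well as a live host.
    """
    entries: List[RegEntry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            entries.append((key, name, data))
    return entries


def find_run_value_hits(entries: Iterable[RegEntry]) -> List[RegEntry]:
    """Return entries whose value name is the bot's persistence value.

    Registry value names are case-insensitive, so the comparison is too.
    """
    return [e for e in entries if e[1].strip().lower() == RUN_VALUE_NAME]


def mutex_present(name: str = MUTEX_NAME) -> bool:
    """Windows only: True if a process currently holds the named mutex.

    Opening (not creating) the mutex avoids planting the bot's own
    "already running" marker. ERROR_ACCESS_DENIED (5) on open still means
    the object exists; ERROR_FILE_NOT_FOUND (2) means it does not.
    """
    if sys.platform != "win32":
        return False
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == 5  # ERROR_ACCESS_DENIED: exists, not ours


if __name__ == "__main__":
    for key, name, data in find_run_value_hits(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"persistence hit: {key}  {name!r} = {data!r}")
    print("mutex held:", mutex_present())
```

Peter's point that the bot is active in memory and cannot be ended from inside the infected session is the reason to run the registry half of this against an export taken after booting from clean media; the mutex half only makes sense on the live, infected host, where a hit confirms the bot is running right now.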