Re: New trojan? Old trojan with new characteristics? Anyone seen this?
From: Alex Lambert (alambert@quickfire.org)
Date: 04/11/03
- Previous message: Mike Parkin: "New trojan? Old trojan with new characteristics? Anyone seen this?"
- In reply to: Mike Parkin: "New trojan? Old trojan with new characteristics? Anyone seen this?"
- Next in thread: vex86@rogers.com: "Re: New trojan? Old trojan with new characteristics? Anyone seen this?"
- Reply: vex86@rogers.com: "Re: New trojan? Old trojan with new characteristics? Anyone seen this?"
From: "Alex Lambert" <alambert@quickfire.org>
To: "Mike Parkin" <mparkin@cisco.com>, <incidents@securityfocus.com>
Date: Thu, 10 Apr 2003 19:55:08 -0500
Mike,
I received word of something similar from one of my opers on February 17th.
Ancient, an operator from irc.bigpond.com, notified irc.webchat.org's nohack
team about this:
<Ancient> just for your info a new trojan / drone is making rounds and it
may be hard to spot on CR
<Ancient> the ident = javauser
<Ancient> full name follows pattern 99999 1
<Ancient> the nicknames resemble first names and seem to be derived from
some nick dictionary
<Ancient> we run CR and we observed it growing very fast
<Ancient> few connections on saturday to 100s today
<Ancient> I noticed heaps of them on Undernet but they are too ignorant to
care
<Ancient> i posted an IRC CERT notice but it seems delayed
<Ancient> how many lines can I post here before getting done for flooding?
<Ancient> as I'm about to send a fragment of perl code that can detect this
bot, if you know how to code using net::irc
<Ancient> # exploit pattern ident:javauser real:99999 9
<Ancient> my (@realwords) = split(" ",$real);
<Ancient> if ($ident =~ /^javauser$/) {
<Ancient> if ($nickname !~ /^guest[[:digit:]]{5}$/i) {
<Ancient> if ($realwords[1] =~ /^[[:digit:]]{4,5}$/) {
<Ancient> if ($realwords[2] =~ /^[[:digit:]]{1}$/) {
<Ancient> &akill($self, $nickname, $host,"Exploit\:javauser");
<Ancient> } } } }
<Ancient> richard, if you got my previous info re:javauser trojan, there is
one more fact about it - it never seems to be using port 7000
You might want to consider subscribing to irc-cert at
http://cert-irc.cyberabuse.org/
Cheers,
Alex Lambert
irc.liveharmony.org
alambert@quickfire.org
Mike Parkin wrote:
> Not often I post to the list.
>
> Lately the IRC network I help run (away from work) has seen a large
> number of host connections with a pattern similar to numerous other
> trojan/malware infections that have an IRC element. Namely: Similar
> nicks, user@, and real name fields. In this case the nicks are all one
> of several similar patterns (repeats lead us to believe it may be
> chosen from a list), the User@ is always javauser@ (I haven't
> actually seen a legitimate java client with this ident, though there
> may well be one.)
> and the Real Name field is always a pattern of "nnnnn 1" where nnnnn is
> a five digit random number.
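
A stand-alone version of the check discussed in this message, added here as an example and not code from either poster or from Ancient: it applies the ident / real-name / nick signature to RFC 1459 WHO replies (numeric 352) and only reports matches. The sample lines, host names and the helper names matches_javauser_signature and parse_who_reply are constructed for illustration, and requiring exactly two words in the real name is an assumption based on the "nnnnn 1" description.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Signature from the thread: ident "javauser", real name "<4-5 digits> <1 digit>",
# and a nick that is NOT guestNNNNN (the exclusion in the quoted fragment).
sub matches_javauser_signature {
    my ($nick, $ident, $real) = @_;
    return 0 unless $ident eq 'javauser';
    return 0 if $nick =~ /^guest[0-9]{5}$/i;
    # split ' ' discards leading whitespace, so for "48213 1" the number is
    # element 0 and the trailing digit is element 1.
    my @words = split ' ', $real;
    return 0 unless @words == 2;    # assumption: nothing else in the field
    return ($words[0] =~ /^[0-9]{4,5}$/ && $words[1] =~ /^[0-9]$/) ? 1 : 0;
}

# Parse an RFC 1459 RPL_WHOREPLY (numeric 352):
# :server 352 me <chan> <ident> <host> <server> <nick> <flags> :<hops> <real name>
sub parse_who_reply {
    my ($line) = @_;
    return unless $line =~ /^:\S+ 352 \S+ \S+ (\S+) (\S+) \S+ (\S+) \S+ :[0-9]+ ?(.*)$/;
    return { ident => $1, host => $2, nick => $3, real => $4 };
}

# Constructed sample WHO replies (example.* host names, invented nicks).
my @sample = (
    ':irc.example.net 352 oper #lobby javauser a.example.com irc.example.net Melissa H :0 48213 1',
    ':irc.example.net 352 oper #lobby javauser b.example.com irc.example.net Guest10422 H :0 10422 1',
    ':irc.example.net 352 oper #lobby jdoe c.example.org irc.example.net jd H :0 John Doe',
    ':irc.example.net 352 oper #lobby javauser d.example.org irc.example.net Trevor H :0 Java User',
    ':irc.example.net 352 oper #lobby javauser e.example.com irc.example.net Daniel H :0 7731 4',
);

for my $line (@sample) {
    my $u = parse_who_reply($line) or next;    # skip anything that is not a 352
    my $hit = matches_javauser_signature(@$u{qw(nick ident real)});
    printf '%-5s %s!%s@%s [%s]' . "\n", ($hit ? 'MATCH' : 'ok'),
        @$u{qw(nick ident host real)};
}
```

Only the Melissa and Daniel lines are reported as matches; the guest-style nick and the javauser client with an ordinary real name pass, which is the false-positive case Mike raises about legitimate Java clients.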