Re: [Full-Disclosure] Analysis of a Spam Trojan
- To: eckman@xxxxxxx
- Subject: Re: [Full-Disclosure] Analysis of a Spam Trojan
- From: Joe Stewart <jstewart@xxxxxxxxx>
- Date: Thu, 25 Sep 2003 15:06:49 -0400
On Thu, 25 Sep 2003 12:04:14 -0500, Brian Eckman wrote:
> It is unknown how the audio.exe file got onto the computer hard drive
> in the first place.
It is almost guaranteed to have been via the MS03-032 IE object tag
vulnerability. The trojan you found is a variant of the Autoproxy
trojan, which has been known to use that infection vector on a large
scale. Some AV companies detect it as Coreflood because it shares a lot
of the same code, likely because it is by the same author. You are
correct in your analysis that it is not a DDoS bot, but instead is a
spam tool. Here is an analysis I did on a recent variant that uses a
different master server and contacts cnet.com instead of microsoft.com:
http://www.lurhq.com/autoproxy.html
Here is another Snort signature you can use to detect when an infected
user attempts to contact its controlling server:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Autoproxy Trojan control connection"; content:"|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"; classtype:trojan-activity; sid:1000028; rev:1;)
It is interesting to note the connection between the DDoS trojan and the
spam-proxy trojan here, in light of the recent DDoS attacks on spam
blackhole lists.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
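The Snort signature in the reply matches on a hex content string; as an added illustration (not Joe Stewart's code, not LURHQ's), the block below decodes that |hex| content to bytes, applies the rule's two conditions (destination port 80, byte pattern in payload) to a few constructed HTTP requests, and shows why the leading CR/LF matters: "Autoproxy/" only triggers when it sits in a User-Agent header, not when the string appears inside some other header's value. The sample requests and the host name example.invalid are constructed for the example.

```python
# Snort content string copied from the rule in the post above.
SNORT_CONTENT = "|0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 41 75 74 6f 70 72 6f 78 79 2f|"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content: value (literal text mixed with |hex| sections) to raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2 == 1:                      # odd-numbered chunks lie between a pair of pipes
            out.extend(bytes.fromhex(chunk))  # bytes.fromhex ignores the spaces between bytes
        else:
            out.extend(chunk.encode("latin-1"))
    return bytes(out)


# Decoded pattern: b"\r\nUser-Agent: Autoproxy/"
PATTERN = snort_content_to_bytes(SNORT_CONTENT)


def matches_autoproxy_rule(payload: bytes, dst_port: int) -> bool:
    """Apply the rule's conditions to one outbound TCP payload: port 80 and the pattern present."""
    return dst_port == 80 and PATTERN in payload


# Constructed sample requests (not captured traffic); (label, destination port, payload).
SAMPLES = [
    ("trojan-ua", 80,
     b"GET /x HTTP/1.0\r\nHost: example.invalid\r\nUser-Agent: Autoproxy/1.0\r\n\r\n"),
    ("browser-ua", 80,
     b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    # The string appears inside another header's value, so no CR/LF directly precedes "User-Agent:".
    ("string-in-other-header", 80,
     b"GET / HTTP/1.0\r\nHost: example.invalid\r\nX-Note: User-Agent: Autoproxy/\r\n\r\n"),
    # Same payload as the first sample but not to port 80; the rule header excludes it.
    ("trojan-ua-port-8080", 8080,
     b"GET /x HTTP/1.0\r\nHost: example.invalid\r\nUser-Agent: Autoproxy/1.0\r\n\r\n"),
]


def scan(samples):
    """Return the labels of the samples the rule would alert on."""
    return [label for label, port, payload in samples if matches_autoproxy_rule(payload, port)]


if __name__ == "__main__":
    print("decoded pattern:", PATTERN)
    print("alerts:", scan(SAMPLES))
```

Running the block alerts only on the first sample. The last two samples show the rule's boundaries: a Snort content match is a plain substring search over the payload, so the CR/LF prefix is what anchors the match to a header line, and the port in the rule header is evaluated before content at all.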