Stealthy Trojan horse attempts to gather data on Web sites

October 22, 1999
Web posted at: 11:17 a.m. EDT (1517 GMT)

by Sean M. Dugan


(IDG) -- In a scenario not unlike a story line from a Tom Clancy novel, the Systems Administration Networking & Security (SANS) Institute is reporting what appears to be a widespread attempt to gather information on proxy servers and send that information to a Russian Web site.

Members of the SANS Institute became aware of suspicious network activity on Sept. 30. Essentially, they found a pattern of unusual Internet-wide port scanning of proxy servers. A port scan looks for active or open ports and is usually the first step in an intrusion attempt, which is why it got the attention of the network administrators.

On Oct. 7, SANS Institute members started to try to piece together what was happening. They found what appears to be a Trojan horse application, dubbed RingZero, which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server.

The RingZero Trojan horse, which gets its name from a component called Ring0.vxd first discovered at Vanderbilt University, appears to be divided into two distinct parts, both of which arrive on a system as compressed archives. One component, pst.exe, probes for proxy servers and has the proxy servers send port information and IP numbers to the Web site. The pst.exe component apparently scans ports 80, 8080 and 3128, and other 8000 series ports.

The other component, its.exe, creates an empty its.dat file and entry in the infected machine's hosts file. Upon reboot, its.exe tries to retrieve another its.dat file from one of several Web servers on the Internet. The purpose of the its.dat file is not clear, as it appears to be encrypted.

The SANS Institute characterizes RingZero as a systematic attempt to gather information on proxy servers, which are extensively used in a variety of Internet applications, such as network access, commerce, and e-mail. It is unclear at this point what the actual source of the Trojan horse infection is.

Inquiries to the administrative contacts for the site were not answered. The registered domain holder, Black Harmer, lists an address in Germany and a Russian free e-mail account address.

The SANS Institute's investigation is still underway, and it is recommending that network administrators take note of unusual port activity on ports 8080 and 3128. It also recommends that administrators who notice unusual activity check their servers' logs for unusual connections and their directories for odd or unfamiliar CGI scripts.
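The pattern SANS noticed, one source touching the proxy ports on many different hosts, is easy to pull out of a connection log once the log is parsed. The script below is an added example, not code from the article, SANS or InfoWorld: it reads a constructed, simplified connection log (the "time src -> dst:port proto" format is an assumption), treats 80, 8080, 3128 and the 8000-series as the proxy ports the article names, and reports any source that hit those ports on at least five distinct hosts. The threshold and the 8000-8999 reading of "8000 series" are assumptions chosen for the example.

```python
"""Flag sources that probe proxy ports across many hosts.

Added example, not part of the original article or of SANS's tooling.
The log format, the sample lines and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log in an assumed "<time> <src> -> <dst>:<port> <proto>" format.
# 203.0.113.7 sweeps proxy ports across six hosts; the other two sources are benign.
SAMPLE_LOG = """\
1999-09-30T02:10:01 203.0.113.7 -> 192.0.2.10:8080 TCP
1999-09-30T02:10:01 203.0.113.7 -> 192.0.2.11:8080 TCP
1999-09-30T02:10:02 203.0.113.7 -> 192.0.2.12:3128 TCP
1999-09-30T02:10:02 203.0.113.7 -> 192.0.2.13:80 TCP
1999-09-30T02:10:03 203.0.113.7 -> 192.0.2.14:8001 TCP
1999-09-30T02:10:03 203.0.113.7 -> 192.0.2.15:8080 TCP
1999-09-30T02:11:10 198.51.100.4 -> 192.0.2.10:25 TCP
1999-09-30T02:11:11 198.51.100.4 -> 192.0.2.10:80 TCP
1999-09-30T02:12:00 198.51.100.9 -> 192.0.2.20:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

# Ports the article says pst.exe scans: 80, 8080, 3128 and "other 8000 series ports".
PROXY_PORTS = {80, 8080, 3128}


def is_proxy_port(port: int) -> bool:
    """True for the proxy ports named in the article; 8000-8999 is an assumed reading."""
    return port in PROXY_PORTS or 8000 <= port <= 8999


def parse_log(text: str):
    """Yield (src, dst, port) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["port"])


def find_proxy_scanners(text: str, min_hosts: int = 5):
    """Return {src: sorted (dst, port) hits} for every source that touched proxy
    ports on at least `min_hosts` distinct destination hosts (a horizontal scan).
    Distinct hosts, not connection count, is what separates a sweep from one
    client legitimately talking to one proxy."""
    hits_by_src = defaultdict(set)
    for src, dst, port in parse_log(text):
        if is_proxy_port(port):
            hits_by_src[src].add((dst, port))

    flagged = {}
    for src, hits in hits_by_src.items():
        distinct_hosts = {dst for dst, _ in hits}
        if len(distinct_hosts) >= min_hosts:
            flagged[src] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for src, hits in find_proxy_scanners(SAMPLE_LOG).items():
        hosts = {dst for dst, _ in hits}
        print(f"{src} probed proxy ports on {len(hosts)} hosts:")
        for dst, port in hits:
            print(f"  {dst}:{port}")
```

Run against a real firewall or proxy log the only change needed is the regular expression; the per-source distinct-host count is the part that matters, since a single client legitimately using one proxy never accumulates many destinations.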

Sean M. Dugan is the senior research editor in InfoWorld's Test Center.
