Stealthy Trojan horse attempts to gather data on Web sites

October 22, 1999
Web posted at: 11:17 a.m. EDT (1517 GMT)

by Sean M. Dugan

From InfoWorld

(IDG) -- In a scenario not unlike a story line from a Tom Clancy novel, the Systems Administration Networking & Security (SANS) Institute is reporting what appears to be a widespread attempt to gather information on proxy servers and send that information to a Russian Web site.

Members of the SANS Institute became aware of suspicious network activity on Sept. 30. Essentially, they found a pattern of unusual Internet-wide port scanning of proxy servers. A port scan looks for active or open ports and is usually the first step in an intrusion attempt, which is why it got the attention of the network administrators.

On Oct. 7, SANS Institute members started to try to piece together what was happening. They found what appears to be a Trojan horse application, dubbed RingZero, which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server.

The RingZero Trojan horse, which gets its name from a component called Ring0.vxd first discovered at Vanderbilt University, appears to be divided into two distinct parts, both of which arrive on a system as compressed archives. One component, pst.exe, probes for proxy servers and has the proxy servers send port information and IP numbers to the Web site rusftpsearch.com. The pst.exe component apparently scans ports 80, 8080 and 3128, and other 8000 series ports.

The other component, its.exe, creates an empty its.dat file and entry in the infected machine's hosts file. Upon reboot, its.exe tries to retrieve another its.dat file from one of several Web servers on the Internet. The purpose of the its.dat file is not clear, as it appears to be encrypted.

The SANS Institute characterizes RingZero as a systematic attempt to gather information on proxy servers, which are used extensively in a variety of Internet applications such as network access, commerce and e-mail. It is unclear at this point what the actual source of the Trojan horse infection is.

Inquiries to the administrative contacts for rusftpsearch.net site were not answered. The registered domain holder, Black Harmer, lists an address in Germany, and a Russian free e-mail account address.

The SANS Institute's investigation is still under way, and it recommends that network administrators take note of unusual port activity on ports 8080 and 3128. It also recommends that administrators who notice unusual activity check their servers' logs for unusual connections and their directories for odd or unfamiliar CGI scripts.
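A small detector for the kind of proxy-port probing the article describes, added here as an example and not taken from the article or from SANS. The log format, the source and destination addresses and the threshold of three hosts are all constructed assumptions; it flags any source that touches proxy ports on several distinct hosts, the horizontal sweep pattern that drew the administrators' attention.

```python
import re
from collections import defaultdict

# Proxy ports named in the SANS report: 80, 8080, 3128 and the 8000 series.
PROXY_PORTS = {80, 8080, 3128} | set(range(8000, 9000))

# Constructed sample firewall log lines (not real data):
# date time ACTION src -> dst:dport
SAMPLE_LOG = """\
1999-10-07 02:14:01 ACCEPT 10.9.8.7 -> 192.0.2.10:8080
1999-10-07 02:14:02 ACCEPT 10.9.8.7 -> 192.0.2.11:8080
1999-10-07 02:14:02 DROP 10.9.8.7 -> 192.0.2.12:3128
1999-10-07 02:14:03 DROP 10.9.8.7 -> 192.0.2.13:3128
1999-10-07 02:14:03 ACCEPT 10.9.8.7 -> 192.0.2.14:8000
1999-10-07 02:14:05 ACCEPT 10.9.8.7 -> 192.0.2.15:80
1999-10-07 02:15:11 ACCEPT 198.51.100.5 -> 192.0.2.10:8080
1999-10-07 02:15:12 ACCEPT 198.51.100.5 -> 192.0.2.10:443
1999-10-07 02:16:00 ACCEPT 203.0.113.9 -> 192.0.2.20:22
"""

LINE_RE = re.compile(r"^\S+ \S+ (ACCEPT|DROP) (\S+) -> (\S+):(\d+)$")

def parse(log_text):
    """Yield (src, dst, dport) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def find_proxy_sweeps(log_text, min_targets=3):
    """Return {src: sorted distinct dst hosts} for every source that hit a
    proxy port on at least min_targets distinct hosts. Dropped packets count
    too: a probe is a probe whether or not the firewall let it through."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport in PROXY_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts)
            for src, hosts in targets.items() if len(hosts) >= min_targets}

if __name__ == "__main__":
    for src, hosts in find_proxy_sweeps(SAMPLE_LOG).items():
        print(f"proxy sweep from {src}: {len(hosts)} hosts probed")
```

On the constructed log only 10.9.8.7 is reported; a single client using one proxy on 8080 stays below the threshold.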

Sean M. Dugan is the senior research editor in InfoWorld's Test Center.