Stealthy Trojan horse attempts to gather data on Web sites
(IDG) -- In a scenario not unlike a story line from a Tom Clancy novel, the Systems Administration Networking & Security (SANS) Institute is reporting what appears to be a widespread attempt to gather information on proxy servers and send that information to a Russian Web site.
On Oct. 7, SANS Institute members started to try to piece together what was happening. They found what appears to be a Trojan horse application, dubbed RingZero, which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server.
The RingZero Trojan horse, which gets its name from a component called Ring0.vxd first discovered at Vanderbilt University, appears to be divided into two distinct parts, both of which arrive on a system as compressed archives. One component, pst.exe, probes for proxy servers and has each proxy it finds send its port number and IP address to the Web site rusftpsearch.net. The pst.exe component apparently scans ports 80, 8080 and 3128, as well as other ports in the 8000 series.
The other component, its.exe, creates an empty its.dat file and an entry in the infected machine's hosts file. Upon reboot, its.exe tries to retrieve another its.dat file from one of several Web servers on the Internet. The purpose of the its.dat file is not clear, as it appears to be encrypted.
The SANS Institute characterizes RingZero as a systematic attempt to gather information on proxy servers, which are extensively used in a variety of Internet applications, such as network access, commerce, and e-mail. It is unclear at this point what the actual source of the Trojan horse infection is.
Inquiries to the administrative contacts for the rusftpsearch.net site were not answered. The registered domain holder, Black Harmer, lists an address in Germany and an account at a Russian free e-mail service.
The SANS Institute's investigation is still underway, and it is recommending that network administrators take note of unusual activity on ports 8080 and 3128. It also recommends that administrators who notice such activity check their servers' logs for unusual connections and their directories for odd or unfamiliar CGI scripts.
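The two checks SANS recommends can be scripted. The following is an added example, not code from the article or from SANS: it flags internal hosts that fan out to many destinations on the ports pst.exe is said to probe (80, 8080, 3128 and the 8000 series, read here as 8000-8099, which is an assumption), and it searches a proxy access log for requests to rusftpsearch.net, the site the article names as the collection point. The firewall log format (timestamp, source IP, destination IP, destination port, action) and every sample line are constructed for illustration; a real deployment needs its own parser.

```python
"""Flag RingZero-style proxy probing in connection logs.

Added example; not part of the article and not SANS tooling. The log
format (timestamp src_ip dst_ip dst_port action) and all sample lines
are constructed for illustration; adapt parse_line() to real logs.
"""
import re
from collections import defaultdict

# Ports the article says pst.exe probes: 80, 8080, 3128 and the "8000 series".
# Reading "8000 series" as 8000-8099 is an assumption.
PROXY_PORTS = frozenset({80, 8080, 3128} | set(range(8000, 8100)))

# Web site the article names as the collection point for proxy data.
REPORTING_HOSTS = ("rusftpsearch.net",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Return (src, dst, port) for a line in the constructed format, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["port"])


def find_proxy_scanners(log_text, min_hosts=5):
    """Sources that touched >= min_hosts distinct destinations on proxy ports.

    Counting distinct destination hosts rather than packets is what separates
    a scan from a legitimate client hammering its one configured proxy.
    Dropped attempts count as well: a blind scanner mostly misses.
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port in PROXY_PORTS:
            hosts[src].add(dst)
            ports[src].add(port)
    return {
        src: {"hosts": len(h), "ports": sorted(ports[src])}
        for src, h in hosts.items()
        if len(h) >= min_hosts
    }


def find_reporting_requests(proxy_log_text):
    """Proxy access-log lines whose URL host is a known reporting site
    (or a subdomain of one). A hit means something behind or using this
    proxy has already been probed and is reporting the proxy's details."""
    hits = []
    for line in proxy_log_text.splitlines():
        m = re.search(r"https?://([^/\s:]+)", line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in REPORTING_HOSTS):
            hits.append(line.strip())
    return hits


# Constructed firewall log: 192.0.2.10 fans out to eight hosts on proxy
# ports (mostly DROP, as a blind scan would); 192.0.2.55 is a normal client.
SAMPLE_FW_LOG = """\
1999-10-07T10:01:02 192.0.2.10 198.51.100.1 8080 ACCEPT
1999-10-07T10:01:03 192.0.2.10 198.51.100.2 8080 DROP
1999-10-07T10:01:03 192.0.2.10 198.51.100.3 3128 DROP
1999-10-07T10:01:04 192.0.2.10 198.51.100.4 3128 ACCEPT
1999-10-07T10:01:04 192.0.2.10 198.51.100.5 80 ACCEPT
1999-10-07T10:01:05 192.0.2.10 198.51.100.6 8000 DROP
1999-10-07T10:01:05 192.0.2.10 198.51.100.7 8001 DROP
1999-10-07T10:01:06 192.0.2.10 198.51.100.8 8080 DROP
1999-10-07T10:02:00 192.0.2.55 203.0.113.10 80 ACCEPT
1999-10-07T10:02:30 192.0.2.55 203.0.113.11 443 ACCEPT
"""

# Constructed proxy access log in a Squid-like layout; the request path
# is left as "/" because the article does not give one.
SAMPLE_PROXY_LOG = """\
939283262.117 192.0.2.10 TCP_MISS/200 412 GET http://www.rusftpsearch.net/ - DIRECT/203.0.113.77 text/html
939283290.004 192.0.2.55 TCP_HIT/200 9123 GET http://www.example.com/index.html - NONE/- text/html
"""

if __name__ == "__main__":
    for src, info in find_proxy_scanners(SAMPLE_FW_LOG).items():
        print(f"possible proxy scan from {src}: {info['hosts']} hosts, ports {info['ports']}")
    for line in find_reporting_requests(SAMPLE_PROXY_LOG):
        print("request to RingZero collection site:", line)
```

The threshold of five distinct hosts is arbitrary; tune it against a baseline of your own network, and remember that a real scanner will usually show far more dropped than accepted attempts.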
Sean M. Dugan is the senior research editor in InfoWorld's Test Center.
© 2001 Cable News Network. All Rights Reserved.