October 22, 1999 Web posted at: 11:17 a.m. EDT (1517 GMT) by Sean M. Dugan

From...

(IDG) -- In a scenario not unlike a story line from a Tom Clancy novel, the Systems Administration Networking & Security (SANS) Institute is reporting what appears to be a widespread attempt to gather information on proxy servers and send that information to a Russian Web site.

	ALSO
Navy issues warning on Y2K Trojan horse

Members of the SANS Institute became aware of suspicious network activity on Sept. 30. Essentially, they found a pattern of unusual Internet-wide port scanning of proxy servers. A port scan looks for active or open ports and is usually the first step in an intrusion attempt, which is why it got the attention of the network administrators.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
InfoWorld forums home page
InfoWorld Internet commerce section
Get Media Grok and The Industry Standard Intelligencer delivered for free
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
SANS Institute battles cyberterrorism
China, Russia possibly stole IT missile data, GAO says
Microsoft 'support' e-mail a Trojan hoax
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

On Oct. 7, SANS Institute members started to try to piece together what was happening. They found what appears to be a Trojan horse application, dubbed RingZero, which systematically searches out and probes proxy servers from an infected machine and sends that information to a central Web server.

The RingZero Trojan horse, which gets its name from a component called Ring0.vxd first discovered at Vanderbilt University, appears to be divided into two distinct parts, both of which arrive on a system as compressed archives. One component, pst.exe, probes for proxy servers and has the proxy servers send port information and IP numbers to the Web site rusftpsearch.com. The pst.exe component apparently scans ports 80, 8080 and 3128, and other 8000 series ports.

The other component, its.exe, creates an empty its.dat file and entry in the infected machine's hosts file. Upon reboot, its.exe tries to retrieve another its.dat file from one of several Web servers on the Internet. The purpose of the its.dat file is not clear, as it appears to be encrypted.

The SANS institute characterizes RingZero as a systematic attempt to gather information on proxy servers, which are extensively used in a variety of Internet applications, such as network access, commerce, and e-mail. It is unclear at this point what the actual source of the Trojan horse infection is.

Inquiries to the administrative contacts for rusftpsearch.net site were not answered. The registered domain holder, Black Harmer, lists an address in Germany, and a Russian free e-mail account address.

The SANS Institute's investigation is still underway, and it is recommending that network administrators take note of unusual port activity on ports 8080 and 3128. It also recommends that administrators who notice unusual activity should check their servers' logs for unusual connections and their directories for odd or unfamiliar cgi scripts.

Sean M. Dugan is the senior research editor in InfoWorld's Test Center.