'Trojan Horse' Planted on 2,000 Computers

SAN FRANCISCO (06/11/2000) - Script kiddies in Maine and Canada have planted a malicious "Trojan Horse" program on about 2,000 computers in the U.S., Canada and Europe, from which they can download information and launch attacks on other computers. The programs are downloaded via the Internet or e-mail attachments disguised as video or other executable files.

The infected computers are primarily PCs that use always-on cable modem and DSL connections, but some corporate computers also have been hit, according to Jerry Harold, president and cofounder of Network Security Technologies. So far, the program is believed to work only on machines running Windows 95 and Windows 98.

"It turns your PC into a server that someone can access if they know how to do it," Harold says. "If one of the hackers were to access your PC, they could download files to the computer, pull files off it and use your machine to attack another machine."

Netsec discovered the "Trojan" on Tuesday when its network-monitoring software showed a lot of suspicious activity and traced it back to a laptop computer. Then, while monitoring an Internet Relay Chat (IRC) channel, Netsec overheard hackers using the names "Serbian" and "Badman" joking and bragging about their "Trojan" program, testing it and telling others how to use it. The malicious hackers were conducting low-level packet flooding, which knocks targeted IP addresses offline by inundating them with packets of data.

"They were saying stuff like, 'Dude, I owned 1,500 machines yesterday,'" says Harold. "They were caught red-handed."

After infecting a computer, the Trojan program contacted one of several IRC servers located in Maine and Canada and passed along the victim's Internet Protocol (IP) address and log-in information, so that someone on the server end could connect to the computer and remotely control it. One of the hit servers contained a list of infected computers, including PCs in the U.S., Canada, Austria, the Netherlands, France, Belgium, Greece, Russia and Bulgaria.

The "Trojan Horse" has several defense mechanisms designed to prevent detection by virus scanners. For example, the malicious part of the code is compressed, so that when the user plays the .avi video file, the executable decompresses and installs itself on the hard drive. When the user reboots the computer, the malicious code loads itself into the system, renames itself with a randomly generated name and makes an outbound connection to one of the IRC servers.
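The two preceding paragraphs describe the one behaviour a network defender can see from outside the infected PC: every compromised machine opens an outbound connection to one of a small set of IRC servers, and a single server ends up holding the list of infected hosts. The script below is an added example, not code from the article or from Netsec, that applies that observation to a few constructed flow records: it flags outbound connections from internal addresses to external hosts on the ports IRC commonly used, then groups the flagged hosts by destination so that a server contacted by many internal machines stands out as a likely controller. The port list, the internal address ranges and the sample flow lines are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: ports on which IRC servers of the period were typically reached.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Assumption: the address space we consider "inside" the monitored network.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample flow records (documentation-range addresses, not real hosts):
# "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2000-06-06T09:01:12 192.168.1.10 1034 203.0.113.5 80 tcp
2000-06-06T09:02:40 192.168.1.22 1055 198.51.100.7 6667 tcp
2000-06-06T09:03:01 192.168.1.31 1090 198.51.100.7 6667 tcp
2000-06-06T09:03:15 192.168.1.10 1101 198.51.100.7 6667 tcp
2000-06-06T09:04:00 192.168.1.40 1120 203.0.113.9 443 tcp
2000-06-06T09:05:33 192.168.1.22 1133 198.51.100.7 6667 tcp
2000-06-06T09:06:02 192.168.1.55 1150 198.51.100.20 7000 tcp
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the monitored internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Split one whitespace-separated flow record into its fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return {
        "ts": ts,
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
        "proto": proto,
    }


def find_irc_beacons(flow_text: str) -> list:
    """Return the distinct (internal_host, external_server, port) triples for
    outbound TCP connections to IRC ports. Repeated connections from the same
    host are collapsed, so each triple represents one suspected infection."""
    seen = set()
    beacons = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["proto"] != "tcp" or flow["dport"] not in IRC_PORTS:
            continue
        # Only inside-to-outside traffic matters: an infected PC calling home.
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue
        key = (flow["src"], flow["dst"], flow["dport"])
        if key not in seen:
            seen.add(key)
            beacons.append(key)
    return beacons


def hosts_per_irc_server(flow_text: str) -> dict:
    """Group the beaconing internal hosts by the external server they contact."""
    servers = defaultdict(set)
    for src, dst, _port in find_irc_beacons(flow_text):
        servers[dst].add(src)
    return dict(servers)


def suspected_c2_servers(flow_text: str, min_hosts: int = 2) -> list:
    """External IRC servers contacted by at least `min_hosts` internal machines,
    most-contacted first. One user chatting on IRC yields a single host; a
    server that many machines reach right after boot looks like a controller."""
    servers = hosts_per_irc_server(flow_text)
    ranked = sorted(servers.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [server for server, hosts in ranked if len(hosts) >= min_hosts]


if __name__ == "__main__":
    for src, dst, port in find_irc_beacons(SAMPLE_FLOWS):
        print(f"outbound IRC: {src} -> {dst}:{port}")
    for server in suspected_c2_servers(SAMPLE_FLOWS):
        hosts = hosts_per_irc_server(SAMPLE_FLOWS)[server]
        print(f"suspected controller {server} contacted by {len(hosts)} hosts")
```

Run against the constructed sample, the script reports four beaconing hosts and singles out 198.51.100.7, which three internal machines contacted, as the likely controller; the lone host reaching 198.51.100.20 is listed as a beacon but falls below the two-host threshold and would need a closer look on the endpoint itself.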

The program is a new version of one that has been around for about two years called "Sub7," according to Chris Rouland, director of Internet Security Systems' X-Force research unit.

Experts fear that the Trojan Horse could be used to conduct distributed denial-of-service attacks like those that temporarily paralyzed Yahoo (YHOO), eBay (EBAY) and a handful of other major Web sites in February, costing the companies billions of dollars in lost business.

"The scariest thing about this is that it's just the tip of the iceberg," says Harold. "This is a form of info warfare."

Netsec is working with the FBI to find the perpetrators of the "Trojan Horse."

In the meantime, the company is urging all users, particularly cable modem and DSL users, to install and update antivirus software and PC firewall software.

Unlike dialup connections, which are assigned a different IP address each time the user connects, cable modem and DSL connections use fixed IP addresses that stay the same, which makes those computers easy targets for such attacks. Corporate networks typically use both fixed and dynamic IP addresses.

Netsec, based in Herndon, Va., offers security services to corporations and some U.S. government agencies, including the Defense Department and the Department of Justice. Harold and Netsec's cofounder Ken Ammon used to work at the National Security Agency before starting the company in April 1998.

One of the affected companies, New Media Designs in Aurora, Colo., discovered the "Trojan Horse" on a laptop that's used by multiple workers.

"It was a laptop that frequently was taken out of the office and connected to a variety of networks and dialup configurations, so it's impossible for us to know specifically where the download happened," says New Media Designs President Greg Kinney. "The key is to never download anything from an untrusted source and never execute any type of file attachments that come in an e-mail from untrusted sources."
