
Backdoor Trojan


Guest Reimar

Hi all interested!

After getting back to life, which means back to Thailand, I've needed some time to get everything back in place and working.

But now: I'm back!!

And facing a new problem! Not with my or my company's system, but with the system of a customer, here: Backdoor Trojan infection!

OK, that's a normal "game" on today's systems and nothing new!

What else? New, or maybe not new: where the Backdoor Trojan came from!

I found out that this Trojan is distributed by an ISP with their original software and must be spread widely over Thailand!

By contacting this ISP and informing them, the first action/speech was: "The infected file is needed for our software to run properly and is programmed in-house by ourselves!" I reacted and told them: "If this is the truth, my visit here is useless and for nothing, and I'll go to the Thailand newspapers and report this situation."

The concerned party did NOT like that, and in a 4-hour meeting, during which I had to explain the same things to them several times, they finally agreed that they have to do something and contacted the AV manufacturer for a solution! They also wanted to inform me about the status of that situation!

The above mentioned happened on December 25, 2006, and until January 3, 2007 I hadn't gotten any info from them. On January 3, 2007 I had a meeting with a member of the directorate of that company, and I told him about that Trojan, about my time investment, by my customer and by his company, and what his company should do from the view of a customer and affected party! I also told him that I expect some benefit for my information, research and time investment, a benefit for me but free of cost for his company! The answer was to think about it!!

On January 4 I received a call and got to know that the ISP has released a new version of the software which they want to send to me for testing. After I asked the calling party what about my benefit, they didn't want to send me the new release anymore, and no answer about the benefit; free talk about sales only!!

Now the question to all of you: What do you think I should do, or what would you do in my place?

My first intention was to give the ISP the possibility to solve the problems in a smooth way by themselves!

I do believe, on the other hand, that the customers and the users of this ISP's system have the right to get informed about the danger of the already delivered software and an explanation of how to solve those problems. In case the customer is a corporate institution, they have much more rights.

It will be very interesting for me to see the answers from you all.

Before I publish the complete facts, including the name of the ISP and the persons involved, I'll try one more meeting with them.

Reimar


Sometimes, antivirus software mistakenly identifies programs as viruses/trojans.

What was the ISP's intention with this proggie, and what does it do?

I doubt they'd knowingly release malicious software to their customers; why would they do that?

They already told you what it was for:

"The infected file is needed for our software to run properly and is programmed in-house by ourselves!"

The only reason I can see why they would wanna contact an antivirus manufacturer about it is to get the program off their target list.

I don't see why your bringing it to their attention should reward you any benefit?

I'm even surprised you managed to arrange a 4 hour meeting over this issue.

Gees, I wish I was there :o

Edited by friend2

Have you found that the program has backdoor functionality, or is it simply flagged as infected by your antivirus? If the latter, then as friend2 says, it is likely to be a false positive, and the company will want to contact the AV company to let them know.

Why not upload it to this site:

http://virusscan.jotti.org/

It will scan the file with a whole bunch of different AVs, and you can see what the results are.


Guest Reimar
Sometimes, antivirus software mistakenly identifies programs as viruses/trojans.

What was the ISP's intention with this proggie, and what does it do?

I doubt they'd knowingly release malicious software to their customers; why would they do that?

They already told you what it was for:

"The infected file is needed for our software to run properly and is programmed in-house by ourselves!"

The only reason I can see why they would wanna contact an antivirus manufacturer about it is to get the program off their target list.

I don't see why your bringing it to their attention should reward you any benefit?

I'm even surprised you managed to arrange a 4 hour meeting over this issue.

Gees, I wish I was there :o

Hi friend2,

First: the Trojan is one from the Beastdoor family, which is classified as DANGER because it opens server ports by bypassing all protections.

I had filtered out that program from a setup file (it's an EXE file, 9 kByte), re-compiled the setup file and checked, to find: everything works fine without that part. So, they do NOT need that small program to run their software!

If they need that program, then it's for getting access to other computers, which is the purpose of this Trojan. And why might they need access to other computers?? And here: this Trojan specifically enables someone to change server settings!!

Just at the moment I'm trying to disassemble the Trojan file. 99.9% of all programmers leave a sign in their source code, and maybe I can find this sign?!

My question about a benefit was because of their reaction to getting the information from me. Normally, a company which (needs to) work on a very high level of security, especially in a corporate section (where servers are running as normal!), should be more than happy to get that kind of information, except if that company doesn't want anybody to know what their system contains! Or am I wrong?

Reimar


Guest Reimar

As I wrote in my opening post, I'll publish all facts, including names, at that moment if that ISP does NOT follow the guideline I gave them! That includes the "small, costless benefit" I asked for after they showed the very well known Mai Pen Arai!

It should be very well known on this forum that I publish provable facts only, including real names, which applies to my own name as well! I can't and needn't hide myself at all, especially if I post something against someone by using real existing names.


It would be nice to know exactly what the purpose of this program is.

If the ISP created this by themselves, I'm sure they could give you an answer if you asked them.

Without knowing this, it would be very difficult to prove malicious intent.

Maybe it's used for updating purposes?

I have to say though, Thai programmers aren't the best in the world either...

Edited by friend2

Guest Reimar
It would be nice to know exactly what the purpose of this program is.

If the ISP created this by themselves, I'm sure they could give you an answer if you asked them.

Without knowing this, it would be very difficult to prove malicious intent.

Maybe it's used for updating purposes?

I have to say though, Thai programmers aren't the best in the world either...

The exact purpose of this Trojan is to bypass all security settings of the infected computer and open the "backdoor" for connections from "outside". Especially servers are in high danger if they get infected. According to the info I got from an AV developer from Europe, this Trojan is specially programmed to bypass all security settings including firewalls, and this especially on servers running MS Windows Server OS, but it is a potential danger to all infected computers.

If and only if the ISP or an employee of this ISP has developed this Trojan themselves could they give me an answer, but they wouldn't! Because this is highly criminal!

As I suggested to the ISP, one of the first priorities has to be to find out where that Trojan came from, if NOT programmed by themselves! According to the info I got just this morning from an insider at this ISP, they haven't done anything to find out the source!

In the first meeting with the ISP, the programmer was telling us that this small program is needed to get the main program up and running, which connects the running computer to the gateway server of that ISP.

I tested this program on a virgin server, installed for this purpose only, and found out that this server is connected to the internet the whole time and mainly sending out data without stopping. The amount of received packets was just about between 5 - 10% of the sending amount! A traceroute of where these packets were going ended up at that ISP, as far as I'm able to check!

According to a call from that ISP, they programmed a "new" version of their software, but finally they refused to send this version to me for testing! The question for me is now: Why don't they want me to check?? Anything "new" to hide??


Guest Reimar
If you run a router and have a decent password, there is no way this can disable your firewall.

If you're running a "web server", which means a server connected to the internet for public connections, you need to open the required port(s) on your router; otherwise your server isn't reachable.

Maybe later this day I'll check the log files of that server to find out which files were sent out, as little as complete, more than 30 million packets while receiving just 2.7 million!! But I have to spend most of my time every day on work. So it may take a little bit more time for me to do the complete research!

Mainly I have to check the systems of my customers, all of them who are using this ISP and their software, and this is very time consuming but very important for my business!


If you run a router and have a decent password, there is no way this can disable your firewall.

If you're running a "web server", which means a server connected to the internet for public connections, you need to open the required port(s) on your router; otherwise your server isn't reachable.

Fine, open port 80. It still doesn't let them backdoor you with the firewall up and file permissions set up properly.


First: the Trojan is one from the Beastdoor family, which is classified as DANGER because it opens server ports by bypassing all protections.

I had filtered out that program from a setup file (it's an EXE file, 9 kByte), re-compiled the setup file and checked, to find: everything works fine without that part. So, they do NOT need that small program to run their software!

Just at the moment I'm trying to disassemble the Trojan file. 99.9% of all programmers leave a sign in their source code, and maybe I can find this sign?!

Could you please explain how you were able to do the forensics? What software tools or sites did you use? And how do you monitor ports on Windows machines?

I'm very interested to learn the process of diagnosis and detection of malware.


Guest Reimar
If you run a router and have a decent password, there is no way this can disable your firewall.

If you're running a "web server", which means a server connected to the internet for public connections, you need to open the required port(s) on your router; otherwise your server isn't reachable.

Fine, open port 80. It still doesn't let them backdoor you with the firewall up and file permissions set up properly.

OK, let me tell you something:

First of all: We run a company for WAN and LAN services, including security;

2. As soon as we know about new problems (like this one), we work out what to do;

3. After we find out the source and how to solve the problem, we service our customers and inform all concerned parties, including, as in this case, the ISP;

4. In case the number of concerned parties is just a few, we try to solve everything on a quiet basis;

5. In case the number of concerned parties is a lot, we first try to settle everything smoothly, and only if this isn't possible do we start to go public, first without publishing all facts and names, and finally, if that doesn't work, with all info including names.

Our intention in starting to publish the info here at Thaivisa.com is to inform the public to be careful even with software obtained from ISPs and to inform them about the danger.

As I wrote in the post before, I try to be fair to all sides, including the side of the ISP, and give them time to settle what they need to do.

Our system is clean and secure; otherwise I wouldn't be able to find that Trojan! But who among the majority of "normal" computer and internet users has the knowledge to 1. find the bug and 2. get it out and the system clean?

Now, one question: what does the ISP have to do after getting to know about that Trojan and about the danger of this Trojan, which was finally proven by themselves?


Sorry, cdnvic, what point are you trying to make in the above posts?

Is it the lack of credibility on Reimar's part?

The point is that installed software cannot disable a hardware firewall. Anyone with a properly set up router need not panic.


The point is that installed software cannot disable a hardware firewall. Anyone with a properly set up router need not panic.

That is incorrect and dangerous advice. A malicious program can initiate a connection straight through your router/firewall and connect to the attacker's computer; this connection can be used for anything, including remote shell access.

The NAT router will protect you from incoming unsolicited connections only; you need application-level control on the computer in question to protect against outgoing connections.


The point is that installed software cannot disable a hardware firewall. Anyone with a properly set up router need not panic.

That is incorrect and dangerous advice. A malicious program can initiate a connection straight through your router/firewall and connect to the attacker's computer; this connection can be used for anything, including remote shell access.

The NAT router will protect you from incoming unsolicited connections only; you need application-level control on the computer in question to protect against outgoing connections.

He is claiming that it can disable the firewall and open ports. No software can disable a secured router.


Guest Reimar
This sounds intriguing; I would very much like to know what software is affected, and which ISP is doing it.

As I wrote already before: I try to be fair to anyone, and so I let the ISP take the time to make the decision on how they want to handle the problem.

In case I don't get a reply based on real facts within the next few days, I'll publish the complete info without any limitations.

First of all, I want everybody to realize that the danger is right before the door and that we need to be very careful.

Anyway, I have an open ear for any criticism as long as the criticism is based on provable facts and not just on being opposite.

But I'll not publish how we work and which software we use to secure the systems of our customers and our own system. Any question in this direction we will NOT answer.

Edited by Reimar

No need to disable it, and no need for open ports, as the connection is *initiated* from the infected machine.

Outbound connections are not hindered by normal NAT routers/firewalls. How else could your machine access the internet? Even corporate firewalls need to allow outbound access to port 80. This isn't a new technique; it just goes to show that once you have malware on your system it is potentially hosed.

For those interested, some info here on reverse shells: http://www.plenz.com/reverseshell

Edited by silvero

As I wrote already before: I try to be fair to anyone, and so I let the ISP take the time to make the decision on how they want to handle the problem.

In case I don't get a reply based on real facts within the next few days, I'll publish the complete info without any limitations.

First of all, I want everybody to realize that the danger is right before the door and that we need to be very careful.

Anyway, I have an open ear for any criticism as long as the criticism is based on provable facts and not just on being opposite.

But I'll not publish how we work and which software we use to secure the systems of our customers and our own system. Any question in this direction we will NOT answer.

You would do a good service for all the customers who have installed this software to let it be known.

Even if the new software released from the ISP is "trojan-free", it does not guarantee that this trojan would be removed by upgrading.

Many people never upgrade their software either.

If you just gave us its location and name, we still wouldn't know who's responsible for it.

I think it would be good to tell.


No need to disable it, and no need for open ports, as the connection is *initiated* from the infected machine.

Outbound connections are not hindered by normal NAT routers/firewalls. How else could your machine access the internet? Even corporate firewalls need to allow outbound access to port 80. This isn't a new technique; it just goes to show that once you have malware on your system it is potentially hosed.

You have a point on the outbound traffic, as that would be like any program dialing home for updates. What it can't do is take down your firewall or open up a true backdoor that an outside user can access. The exception is the routers that still have their default password set (far too many).

Edited by cdnvic

Sorry cdnvic, but you need to read up on the matter: malware (and legitimate programs also!) *can* set up a remote shell from behind a NAT router that an outside user can access. The link I provided above shows *exactly* how to do it. If that isn't enough information for you, look for further information on "reverse shell" or "shoveling a shell".

I don't want to go on about it, but anyone reading this shouldn't be lulled into a false sense of security by using a router; routers give excellent protection against unsolicited inbound connections, but not against outbound connections.
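The host-side check silvero's point leads to (the NAT router never sees who opened an outbound connection, so the infected host itself has to be watched), and one answer to the earlier question of how to monitor ports on a Windows machine, as an added example that is not part of the original thread: it parses constructed `netstat -ano`-style output (the column layout is assumed), flags ESTABLISHED connections to non-RFC1918 addresses from processes outside an egress allowlist, and flags listeners on ports nobody expected. The PID-to-image map, allowlist and expected ports are constructed assumptions, not values from the thread.

```python
"""Audit host-level socket state for egress a NAT router would allow unseen."""
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of Windows `netstat -ano` (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1200
  TCP    0.0.0.0:6666           0.0.0.0:0              LISTENING       4412
  TCP    192.168.1.10:49201     192.168.1.1:53         ESTABLISHED     900
  TCP    192.168.1.10:49310     203.0.113.45:80        ESTABLISHED     2300
  TCP    192.168.1.10:49377     198.51.100.9:443       ESTABLISHED     4412
  UDP    0.0.0.0:123            *:*                                    700
"""
# Constructed PID -> image map, as `tasklist` would report it (assumption).
PID_TO_IMAGE = {1200: "httpd.exe", 4412: "svc_helper.exe", 900: "dns.exe",
                2300: "firefox.exe", 700: "w32time.exe"}
EGRESS_ALLOWLIST = {"firefox.exe", "dns.exe"}   # processes allowed to talk out
EXPECTED_LISTEN_PORTS = {80, 123}               # services we deliberately expose
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass
class Finding:
    kind: str
    pid: int
    image: str
    detail: str

def is_local(host):
    """True for addresses on the private side of the NAT router."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)

def split_endpoint(ep):
    host, _, port = ep.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid); UDP rows carry no state."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header / blank lines
        state = parts[3] if parts[0] == "TCP" else ""
        yield parts[0], parts[1], parts[2], state, int(parts[-1])

def audit(text):
    findings = []
    for proto, local, remote, state, pid in parse_netstat(text):
        image = PID_TO_IMAGE.get(pid, "unknown")
        if state == "LISTENING" and split_endpoint(local)[1] not in EXPECTED_LISTEN_PORTS:
            findings.append(Finding("unexpected-listener", pid, image, local))
        elif state == "ESTABLISHED":
            rhost, rport = split_endpoint(remote)
            if not is_local(rhost) and image not in EGRESS_ALLOWLIST:
                findings.append(Finding("unapproved-egress", pid, image, f"{rhost}:{rport}"))
    return findings
```

Run against the sample, the same unlisted process is reported twice: once for a listener on a port nobody configured and once for an outbound session to a public address, which is the half of the picture a router-only view misses.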
