Guest, posted November 13, 2002

12 Nov 2002

Computer hackers mass-mailing trojans

MessageLabs is currently intercepting hackers who are mass-mailing trojans to unsuspecting users. The spread of this new threat suggests that infected machines could potentially be used in some kind of large-scale coordinated Internet hacking activity.

The details of the trojan are as follows:

* Trojan name: Maz
* Aliases: W32/Maz.A, Downloader-BO
* Number of copies seen so far: 615
* Time & Date first Captured: 10 Nov 2002, 14:58 GMT
* Origin of first intercepted copy: UK
* Number of countries seen active: 32
* Top five most active countries: United States 60.7%, Canada 9.3%, Korea (South) 5.0%, Great Britain 3.2%, Mexico 2.1%

Technical Details

The Maz trojan connects to a URL, which has since been closed down, to register the location of the machine which has been compromised. It then proceeds to download a further component. Currently, this additional component is a backdoor trojan (Backdoor-AML), but this may readily change if the website is updated or changed. Amongst other things, Backdoor-AML allows the remote hacker to use the compromised machine as an SMTP relay using TCP port 4668, from which further attacks may be launched.

By analysing the pattern of IP addresses from which MessageLabs have intercepted this trojan to date, it is likely that the hacker is compromising PCs and then using these machines to send more copies of the trojan. It is possible that the hacker may also be using open-relay mail servers. It appears that the hacker, or group of hackers, is trying to amass a virtual army of trojans to perform some kind of coordinated hacking activity in the future.

Behaviour

In the copies of e-mails that we have stopped, the mail created seems to have been generated from a poorly configured Ratware mailer. It seems as though the replaceable parameters have not been replaced. For example:

    mail %Space% %Space%
    Text: %Space% Hello! %Space% check %Space% out %Space% %Space%, the best %Space% FREE %Space% site! %Space%
    Message ID: (variable number) %Space%
    MessageNumber: (variable number) %Space%
    Attachment: masteraz.exe

The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to automatically execute the attachment on un-patched systems. In copies that we have intercepted, it appears to have a website download component, and contains several encoded URLs XORed with 0x4D, for example:

* (link to website removed)/country/get.pl
* (link to website removed)/counter.c

NB: counter.c is actually a backdoor program, which it downloads.

Additional Information (Variant: Maz.B)

A new recompiled variant of Maz (Maz.B) is now being intercepted by MessageLabs. The file still downloads almost the same backdoor, but since the old website has now been closed down, a new website is being used. An example of the mail follows:

    Improve your Credit! %Space% %Space%
    Text: Hello! %Space% check %Space% out %Space% this %Space% site, %Space% it is %Space% a %Space% great site! %Space% %Space%
    Attachment: jimkre.exe (size: 4096 bytes - UPX compressed)

Comment

Skeptic detected this trojan heuristically. No MessageLabs customers were affected.

For more information contact:

Helen Desmond, T: 020 7612 1830, M: 07984 813831
Tim Hollingsworth, T: 020 7612 1830, M: 07802 574647

http://www.messagelabs.com/viewNewsPR.asp?id=109&cmd=PR
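The advisory above says the dropper carries its download URLs XORed with the single byte 0x4D. The following is an added example, not MessageLabs' code nor anything taken from the Maz binary, showing how an analyst pulls such strings back out of a sample: decoding with the reported key, and recovering the key when it is not known by trying the most frequent byte first (NUL padding in a binary encodes to the key itself, since 0 ^ k == k) and falling back to all 256 candidates. The buffer, the hostname dropper.example.invalid and the NUL layout are constructed for the demonstration; the two paths are the ones named in the advisory.

```python
"""Recovering single-byte XOR-obfuscated URLs from a dropper (added example).

Not the real Maz data: the plaintext buffer below is constructed, with a
made-up hostname, to mimic NUL-terminated strings as they sit in a binary.
"""
from __future__ import annotations

import re
from collections import Counter

KEY = 0x4D  # the key reported for Maz


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; encoding and decoding are the same op."""
    return bytes(b ^ key for b in data)


# Constructed sample: two NUL-terminated URLs plus NUL padding (assumption,
# not the layout of the real sample). The paths are those from the advisory.
PLAINTEXT = (
    b"http://dropper.example.invalid/country/get.pl\x00"
    b"http://dropper.example.invalid/counter.c\x00"
    + b"\x00" * 16
)
SAMPLE_BLOB = xor_bytes(PLAINTEXT, KEY)  # the obfuscated form a dropper would carry

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable run; NUL ends a string


def extract_urls(decoded: bytes) -> list[str]:
    """Pull URL strings out of an already-decoded buffer."""
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]


def recover_key(blob: bytes, marker: bytes = b"http://") -> int | None:
    """Find the one-byte key under which `marker` appears in the decoded blob.

    Most frequent byte first (NUL padding encodes to the key), then every
    remaining key. Returns None if no key produces the marker.
    """
    tried: set[int] = set()
    order = [b for b, _ in Counter(blob).most_common()] + list(range(256))
    for key in order:
        if key in tried:
            continue
        tried.add(key)
        if marker in xor_bytes(blob, key):
            return key
    return None


def decode_dropper_urls(blob: bytes, key: int | None = None) -> tuple[int | None, list[str]]:
    """Decode a blob, recovering the key first if none is given. Returns (key, urls)."""
    if key is None:
        key = recover_key(blob)
        if key is None:
            return None, []
    return key, extract_urls(xor_bytes(blob, key))


if __name__ == "__main__":
    k, urls = decode_dropper_urls(SAMPLE_BLOB)
    print(f"recovered key: 0x{k:02X}")
    for u in urls:
        print("  ", u)
    # Under key 0x4D the literal "http://" becomes b"%99=wbb"; that prefix in
    # a strings dump is a quick tell that a sample uses this encoding.
    print(xor_bytes(b"http://", KEY))
```

The frequency heuristic only pays off when the obfuscated region contains padding or other repeated bytes; on a short buffer with no NULs it simply falls through to the exhaustive search, which at 256 keys is cheap anyway. Searching for a marker such as `http://` rather than checking for "mostly printable" output avoids false positives from keys that happen to map the blob into ASCII.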