Pardon the reprint but I felt this needed an immediate post:

<snip>
12 Nov 2002

*Computer hackers mass-mailing trojans*

MessageLabs is currently intercepting hackers who are mass-mailing trojans
to unsuspecting users.  The spread of this new threat suggests that infected
machines could potentially be used in some kind of large-scale coordinated
Internet hacking activity.
The details of the trojan are as follows:


     Trojan name: Maz
     Aliases:  W32/Maz.A, Downloader-BO
     Number of copies seen so far: 280
     Time & Date first Captured: 10 Nov 2002, 14:58 GMT
     Origin of first intercepted copy: UK
     Number of countries seen active: 32
     Top five most active countries:
          United States   60.7%
          Canada           9.3%
          Korea (South)    5.0%
          Great Britain    3.2%
          Mexico           2.1%


*Technical Details*
The Maz trojan connects to a URL, which has since been closed down, to
register the location of the machine which has been compromised.  It then
proceeds to download a further component.  Currently, this additional
component is a backdoor Trojan (Backdoor-AML), but this may readily change
if the website is updated or changed.

Amongst other things, Backdoor-AML allows the remote hacker to use the
compromised machine as an SMTP relay using TCP port 4668, from which further
attacks may be launched.

By analysing the pattern of IP addresses from which MessageLabs have
intercepted this Trojan to date, it is likely that the hacker is
compromising PCs and then using these machines to send more copies of the
Trojan.  It is possible that the hacker may also be using open-relay mail
servers.

It appears that the hacker, or group of hackers, is trying to amass a
virtual army of trojans to perform some kind of coordinated hacking activity
in the future.


*Behaviour*
In the copies of e-mails that we have stopped, the mail created seems to
have been generated from a poorly configured Ratware mailer.  It seems as
though the replaceable parameters have not been replaced.  For example:

Subject:  mail (space) (space)
Text:
          (space) Hello! (space) check (space) out (space) (space),
          the best (space) FREE (space) site!
          (space)

Message ID: (variable number) (space) MessageNumber: (variable number)
(space)

Attachment: masteraz.exe


The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to
automatically execute the attachment on un-patched systems.

In copies that we have intercepted, it appears to have a website download
component, and contains several encoded URLs XORed with 0x4D, for example:

(link to website removed)/country/get.pl
(link to website removed)/counter.c

NB:  counter.c is actually a backdoor program, which it downloads.


*Comment*
SkepticT detected this trojan heuristically.  No MessageLabs customers were
affected.

</snip>

~Rick
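The advisory above notes that the downloader carries its URLs XORed with 0x4D. The following is an added example (not MessageLabs' analysis code, nor anything from the trojan itself) showing how an analyst would pull such strings out of a dropper image: decode with the known key and regex for URLs, and, when the key is not known, brute-force all 256 single-byte keys by looking for a scheme prefix. The sample image is constructed inline, and the hostnames (example.invalid) are placeholders, since the real site is redacted in the advisory.

```python
"""Recover single-byte-XOR obfuscated URLs from a dropper image.

Added example, not code from the advisory or the trojan. The sample image,
the hostnames (example.invalid) and the helper names are assumptions made
here; the advisory supplies only the key (0x4D) and the two URL paths.
"""
import re
from typing import List, Tuple

ADVISORY_KEY = 0x4D  # key reported in the advisory

# A URL after decoding: scheme, host, and an optional path of printable,
# non-space bytes. The decoded NUL terminator ends the match.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[!-~]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Self-inverse: encode == decode."""
    return bytes(b ^ key for b in data)


def find_urls(data: bytes, key: int) -> List[Tuple[int, str]]:
    """Decode the whole image with `key` and return (offset, url) pairs.

    XOR does not move bytes, so each offset indexes into the original file,
    which is what you want when patching or cross-referencing in a debugger.
    """
    decoded = xor_bytes(data, key)
    return [(m.start(), m.group().decode("ascii")) for m in URL_RE.finditer(decoded)]


def recover_keys(data: bytes, marker: bytes = b"http://") -> List[int]:
    """Try all 256 single-byte keys; return those under which `marker` appears.

    Key 0 in the result would mean the marker is stored in cleartext.
    """
    return [k for k in range(256) if marker in xor_bytes(data, k)]


def build_sample_image() -> bytes:
    """Constructed stand-in for a dropper binary (not a real sample):
    filler, cleartext import names, and two URLs stored XOR 0x4D together
    with their terminating NUL, which is XORed as well."""
    hidden = [
        b"http://example.invalid/country/get.pl",  # hypothetical registration URL
        b"http://example.invalid/counter.c",       # hypothetical backdoor download
    ]
    filler = b"\x90" * 32
    parts = [b"MZ", filler, b"kernel32.dll\x00LoadLibraryA\x00", filler]
    for url in hidden:
        parts.append(xor_bytes(url + b"\x00", ADVISORY_KEY))
        parts.append(filler)
    return b"".join(parts)


if __name__ == "__main__":
    image = build_sample_image()
    print("candidate keys:", [hex(k) for k in recover_keys(image)])
    for off, url in find_urls(image, ADVISORY_KEY):
        print(f"0x{off:04x}  {url}")
```

Searching for the scheme prefix rather than for "any printable run" matters here: lowercase ASCII XOR 0x4D is itself printable, so cleartext strings in the binary decode to plausible-looking junk and would swamp a naive strings-style extractor.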

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/