TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------


The rid-1.7 beta seems pretty successful at detecting TCP trojans.  For
example, I used the config file:
start subseven
        send tcp dport=27374 data="\r\n\n"
        recv tcp data="PWD" nmatch=1
end subseven

and found 3 on campus.  Here's another example:
start netbus
        send tcp dport=12345 data="\r\n\n"
        recv tcp data="NetBus" nmatch=1
end netbus

FYI!  RID's available at http://theorygroup.com/Software/RID


cheers,
david

On Thu, 16 Mar 2000, Boxmeyer, Jim, SOCOO wrote:

> Hi,
>  
> You would need to be sure to close the ports that DeepThroat runs on at your
> Firewall and scan your computers for the Trojan. I maintain a list of
> Trojans and the ports they run on at
> http://www.onctek.com/trojanports.html and it is pretty up to date, as we
> are tracking more than 300 trojans and ports. For more information regarding
> Deep Throat you can visit the site run by the developer at
> http://www.sohons.com/deept/index2.html. Mind you, I wouldn't download
> and run anything from this site, as a trojan developer probably cannot be
> trusted.
>  
> Jim Boxmeyer
> Senior Security Engineer
> ONCTek LLC
> http://www.onctek.com
> 
> -----Original Message-----
> From: Syed Amiruddin [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 13, 2000 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: DeepThroat Trojan
> 
> 
> Hi,
>  
> Can anyone tell me what is "DeepThroat Trojan" and how I can protect my net
> from it.
>  
> Regards,
> Amiruddin
> 
> 
> 
> 

-- 
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - [EMAIL PROTECTED]
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger [EMAIL PROTECTED]
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."
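
The stanza format shown in the message above, as an added example that is not part of the original post and is not rid's own code: a small parser for the `start`/`send`/`recv`/`end` lines plus an offline check of a captured reply against the `recv` pattern. It handles only the directives that appear in the post, and reading `nmatch` as a minimum occurrence count is an assumption about rid's semantics.

```python
import re

# The two stanzas from the post, verbatim (raw string keeps the backslashes).
CONFIG = r'''
start subseven
        send tcp dport=27374 data="\r\n\n"
        recv tcp data="PWD" nmatch=1
end subseven
start netbus
        send tcp dport=12345 data="\r\n\n"
        recv tcp data="NetBus" nmatch=1
end netbus
'''

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ESC = {"r": "\r", "n": "\n", "t": "\t"}

def value(raw):
    """Quoted values become bytes with \\r \\n \\t decoded; bare values become int."""
    if raw.startswith('"'):
        text = re.sub(r"\\(.)", lambda m: ESC.get(m.group(1), m.group(1)), raw[1:-1])
        return text.encode("latin-1")
    return int(raw)

def parse(text):
    """Return {name: {"send": {...}, "recv": {...}}}, one entry per start/end stanza."""
    sigs, name = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        w = line.split()
        if not w:
            continue
        if w[0] == "start" and len(w) == 2 and name is None:
            name = w[1]
            sigs[name] = {}
        elif w[0] == "end" and len(w) == 2 and w[1] == name:
            name = None
        elif w[0] in ("send", "recv") and len(w) > 2 and w[1] == "tcp" and name:
            sigs[name][w[0]] = {k: value(v) for k, v in KV.findall(line)}
        else:  # stray directive, nested start, or end with the wrong name
            raise ValueError(f"line {n}: unexpected {line.strip()!r}")
    if name is not None:
        raise ValueError(f"stanza {name!r} has no end line")
    return sigs

def matches(sig, reply):
    """Assumed semantics: recv data must occur at least nmatch times in reply."""
    recv = sig["recv"]
    return reply.count(recv["data"]) >= recv.get("nmatch", 1)
```
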


