BUENOS AIRES, ARGENTINA (06/14/2000) - Security experts this week were divided on the threat posed by a new Trojan virus after its identification late last week.
Bernardo Quintero, a virus expert with Spanish computer security organization Hispasec.com, contends that the malicious program which supposedly hides itself in computer movie files is no such thing, but an "elementary Trojan virus serving the marketing purposes of a few security firms and government departments."
Last Friday, FBI sources confirmed that a sophisticated Trojan virus had been released, with the ability to conceal itself in AVI (computer movie) files. The virus was reported as being capable of releasing massive DDoS (distributed denial of service) attacks from thousands of computers permanently connected to the Internet. [See " Hackers Attack DSL and Cable Modem Users," June 9.]The news of the virus was released by Network Security Technologies (Netsec) who had reportedly alerted the FBI. According to a Netsec report, the Trojan virus was probably hosted on more than 2,000 computers and was primed to launch an attack. The virus was named "Serbian Badman Trojan" after the Internet nicknames of its creators.
However, according to Hispasec's Quintero, the virus threat has been greatly exaggerated. "It is a simple Trojan distributed as an .EXE executable, (and is) completely unsophisticated," Quintero said in a written statement.
The virus disguises itself as a movie file, just by changing its icon, and adding a false intermediate .MPG extension, Quintero. The virus has no filename of its own, and its filename is changed every time it is sent. The virus therefore appears on a victim's computer as any-filename.mpg.exe.
Hispasec's security expert says that the very elementary Trojan virus is not capable of self-replication and self-mailing and so it cannot spread the infection by itself. The virus was distributed sending the file, under different filenames, to several pornographic newsgroups in the hope that users would be induced to download the supposedly adult content video.
Quintero said that the malicious program was written using an elementary Trojan creation kit, and its only purpose, once installed, is contacting a Web address. Once it has made contact, the virus tries to download and install "SubSeven21", a well-known backdoor program, that most antivirus programs can detect. This backdoor allows hackers to remotely control the compromised computer.
The backdoor program is no longer available at its previous address, so infection is impossible through the Trojan virus, according to Quintero.
Antivirus software vendor Symantec Corp. also issued the same finding Wednesday on its Web site. "The intended program file is no longer available on the Internet, thus it currently poses no threat to users," Symantec said in its Web posting.
The SubSeven Twist
However, U.S. computer security company iDefense Wednesday supported Netsec's findings, but only in relation to the SubSeven Trojan virus. SubSeven is the malicious code that the Serbian Badman Trojan tries to download and install.
Version 2.1 of SubSeven, and probably other releases, can use the IRC (Internet relay chat) channels (IRC) to launch "ping flood" DOS attacks using IRC commands from infected servers, iDefense said in a statement.
This capability allows a malicious attacker to launch a DDoS attack using all the compromised machines logged onto the appropriate IRC channel at any given time, iDefense said.
This IRC command capacity is significant because corporate firewalls that are not configured to block IRC outbound traffic will not stop the commands, and they will also flow freely from small businesses and homes furnished with permanent DSL (digital subscriber line) and cable modem connections, the iDefense statement said.
Using this feature, attackers can command every compromised computer to send out thousands of large ping packets to a particular IP (Internet Protocol) address at the same time. The iDefense statement made it clear that "this is not the same master and zombie/slave relationship that has come to be identified with DDoS tools such as Trinoo and Stacheldraht, but SubSeven is capable of launching a denial of service attack distributed across potentially thousands of machines," without their owners noticing it.
IDefense urges users to take appropriate measures against this Trojan virus.
Firewalls should be set up to block all unsolicited inbound services. Users are also encouraged to apply this precaution to outgoing traffic and to block and log traffic on known Trojan ports (e.g., 2221, 2222, 6669 and 7000).
Both iDefense and Hispasec agreed that updated antivirus programs can detect all uncompressed versions of the SubSeven Trojan. They both recommend keeping the antivirus programs updated.
HispaSec, can be reached at http://www.hispasec.com/. Symantec, based in Cupertino, California, can be reached at +1-408-253-9600, or on the Web at http://www.symantec.com/. iDefense, based in Alexandria, Virginia, is at http://idefense.com/.