Dynamic Trojan Horse Network Hybrid Threat Propagation 

ISS has posted the following, stating that this threat is spreading.  At
this time, I have been unable to corroborate this against a second source
(i.e. Symantec, Sophos, NAI, Sybari....).

Is anyone familiar with this?

Thanks,

Bill

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Brief

December 26, 2002

Dynamic Trojan Horse Network Hybrid Threat Propagation

Synopsis:

ISS X-Force has been monitoring the spread of the Dynamic Trojan Horse
Network (DTHN) Internet worm. DTHN propagates through email and through open
NetBIOS file shares. DTHN installs itself and establishes communication to a
sophisticated peer-to-peer communications network, to further spread
infections and launch additional attacks.

Impact:

As with most network worms, DTHN propagation can cause network congestion,
automatically compromise victim systems, and configure a sophisticated
network that can be used for Distributed Denial of Service (DDOS). Once the
backdoor is installed, it can be accessed by the author, or third party
attackers.

For the complete ISS X-Force Security Alert, please visit:

http://www.*-*-*.com/

______

About Internet Security Systems (ISS) Founded in 1994, Internet Security
Systems (ISS) (NASDAQ: ISSX) is a pioneer and world leader in software
and services that protect critical online resources from an ever-changing
spectrum of threats and misuse. Internet Security Systems is
headquartered in Atlanta, GA, with additional operations throughout the
Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other

permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at <http://www.*-*-*.com/>

Please send suggestions, updates, and comments to: X-Force


-----BEGIN PGP SIGNATURE-----

Version: 2.6.2

-----END PGP SIGNATURE-----



Wed, 15 Jun 2005 03:20:48 GMT  


Quote:
> ISS has posted the following, stating that this threat is spreading.  At
> this time, I have been unable to corroborate this against a second source
> (i.e. Symantec, Sophos, NAI, Sybari....).

> Is anyone familiar with this?

Not much info out there yet, but I did search www.google.com and the ISS
user forum [like you already did, right?] and found this:

www.dthn.net

There is quite a bit of detail about what the trojan does at this page.

The excuse the web page author gives seems pretty weak.  He claims he is not
the author of the trojan.  Yeah, right.

PS the advice ISS gave in their advisory is IMHO pretty terrible:
"RealSecure Network Sensor 6.5 customers should monitor the
Netbios_Session_Request, and Netbios_Session_Granted events to detect
NetBIOS scanning activity associated with DTHN."

As an ISS user, these particular events occur all the time anywhere there is
NetBIOS / Windows networking.  It is impossible and impractical to tell
which of these events is legitimate or not.  I have to suspect that most ISS
customers have these events disabled or filtered out where it counts.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.423 / Virus Database: 238 - Release Date: 11/25/2002



Wed, 15 Jun 2005 04:12:57 GMT  
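
The objection in the post above is that a single Netbios_Session_Request event looks the same whether it is legitimate or not. As an added example (not part of the thread or of the ISS advisory), this Python aggregates those events per source and flags only hosts that contact many distinct destinations inside a short window; the event tuple layout, addresses, window and threshold are all assumptions constructed for illustration, not RealSecure's export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed events: (timestamp, event name, source, destination)."""
    t0 = datetime(2002, 12, 26, 9, 0, 0)
    events = []
    # Workstation reusing two file servers: many events, fan-out of 2.
    for i in range(200):
        events.append((t0 + timedelta(seconds=30 * i),
                       "Netbios_Session_Request",
                       "10.0.0.15", f"10.0.0.{2 + i % 2}"))
    # Host walking a subnet: 40 distinct destinations in under 80 seconds.
    for i in range(40):
        events.append((t0 + timedelta(seconds=2 * i),
                       "Netbios_Session_Request",
                       "10.0.0.77", f"10.0.1.{i + 1}"))
    # A different event type, ignored by the fan-out count.
    events.append((t0, "Netbios_Session_Granted", "10.0.0.2", "10.0.0.15"))
    return events

def fanout_alerts(events, window=timedelta(minutes=5), threshold=20):
    """Map each source to its peak count of distinct destinations seen
    within any sliding window, keeping sources at or over the threshold."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) in window
    peak = defaultdict(int)
    for ts, name, src, dst in sorted(events):
        if name != "Netbios_Session_Request":
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop requests that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in fanout_alerts(build_sample()).items():
        print(f"{src}: {n} distinct NetBIOS destinations within 5 minutes")
```

The threshold has to be tuned per network, since backup servers, domain controllers and scanners run by the security team will legitimately show high fan-out and need an allow-list.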
PS I probably shouldn't be saying this... the link to download the trojan
program from this web page has been "disabled," but not very well.


Quote:
> ISS has posted the following, stating that this threat is spreading.  At
> this time, I have been unable to corroborate this against a second source
> (i.e. Symantec, Sophos, NAI, Sybari....).

> Is anyone familiar with this?



Wed, 15 Jun 2005 04:17:12 GMT  
This was an awfully weak alert put out by ISS.  At this time it looks
like they are trying to sell product.

They may lose credibility with me when this is all said and done, we'll
have to see how this plays out.

Thank you.



Wed, 15 Jun 2005 05:05:45 GMT  


Quote:
> This was an awfully weak alert put out by ISS.  At this time it looks
> like they are trying to sell product.

> They may lose credibility with me when this is all said and done, we'll
> have to see how this plays out.

Well, the ISS XForce knowledgebase of such alerts is pretty useless and
frequently incorrect, if you ask me and most of my coworkers.  I'm not so
sure their IDS product is the best, either, for a wide array of reasons.

On the other hand, they appear to have been first with this alert.  This
trojan or others like it could be a worldwide disaster, depending on how
fast it spreads.  Historically most trojans die out quickly or only find
limited use due to the fact that they typically do not spread and must be
installed; but this one appears to be trying to spread like an email worm
[in fact IMHO it's probably more accurate to call it a worm].

In the past 45 days there was another controversy on the NTBUGTRAQ / BUGTRAQ
list involving ISS making a serious DNS vulnerability public too quickly
and/or only providing the fix to their customers, so that only their
customers would be able to block it until the vendors had time to release
patches.




Wed, 15 Jun 2005 06:44:20 GMT  

Quote:

> ISS has posted the following, stating that this threat is spreading.  At
> this time, I have been unable to corroborate this against a second source
> (i.e. Symantec, Sophos, NAI, Sybari....).

> Is anyone familiar with this?

This is what NAI/McAfee calls BackDoor-ANF, what Symantec/NAV calls
Backdoor.NetTrojan (what a stupid name...), and what several other
major AVs will no doubt call several other different names in their
first major post-Christmas DEF/DAT/etc updates.

--
Nick FitzGerald



Wed, 15 Jun 2005 12:33:04 GMT  
 