History of the scandal around the forged ISoaQ v0.72

02-May-2000
Letodatus released a new version of his (very popular) program, ISoaQ v0.72. It ships as an SFX archive containing the files:
isoaq.exe - 354304
isoaq.txt - 18982
packinfo.txt - 114
The file packinfo.txt looks like this:
===== Cut =====
[ISoaQ]
HiVer=0
LoVer=72
Build=0000
Version=0.72 'This one is important
PackVer=45
PackDate=2000/05/02
===== Cut =====
The program was posted on the official page http://isoaq.da.ru

07-May-2000
Today, or possibly earlier, an unknown attacker forged the ISoaQ v0.72 release. The file isoaq.exe is trojanized with a private, unpacked build of the PSW (password-stealing) trojan GIP v1.10. The program was repacked into a ZIP archive and hosted on the Turkish server turk.net. Turkish hosting was apparently chosen because it is hard for federal services to reach.
Letodatus learned of this and launched vigorous efforts to identify and punish the attacker. It turned out that the trojan was originally hosted on fwlabs.com, but it stayed there for no more than 12 hours.
The forged release's packinfo.txt looks like this:
===== Cut =====
[ISoaQ]
HiVer=0
LoVer=72
Build=0002
Version=0.72 'This one is important
PackVer=47
PackDate=2000/05/06
===== Cut =====

10-May-2000
Today at 14:44 the trojanized file on the turk.net server was replaced. The archive now contains the files:
isoaq.exe - 4000303 10.05.2000
isoaq.txt - 19026 07.05.2000
packinfo.txt - 114 06.05.2000
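The two packinfo.txt variants and the file listings above are exactly the kind of release metadata a user could have checked before running the download. The following is an added example, not code from the page or from ISoaQ's author: it parses packinfo.txt (treating ' as a comment marker, as in the original file), pins the official file sizes and SHA-256 digests, and rejects an archive whose contents or version stamp deviate. File sizes for isoaq.exe and isoaq.txt come from the page; the byte contents, and therefore the digests, are constructed filler, and the 441263-byte figure for the forged isoaq.exe is the one Letodatus quotes in his account.

```python
import hashlib

# Official 02-May-2000 packinfo.txt as shown on the page. The page lists the file as
# 114 bytes; this reconstruction is not byte-for-byte identical, so its pinned size is
# taken from the constructed text rather than from the listing.
OFFICIAL_PACKINFO_TEXT = (
    "[ISoaQ]\r\n"
    "HiVer=0\r\n"
    "LoVer=72\r\n"
    "Build=0000\r\n"
    "Version=0.72 'This one is important\r\n"
    "PackVer=45\r\n"
    "PackDate=2000/05/02\r\n"
)
# Constructed stand-in for the official archive: sizes from the page, contents are filler.
OFFICIAL_FILES = {
    "isoaq.exe": b"MZ" + b"\x00" * (354304 - 2),
    "isoaq.txt": b"R" * 18982,
    "packinfo.txt": OFFICIAL_PACKINFO_TEXT.encode("ascii"),
}
# In practice these pins are published out of band (on the official page, signed); here
# they are derived from the constructed official files so the example runs offline.
PINNED_SIZES = {name: len(data) for name, data in OFFICIAL_FILES.items()}
PINNED_SHA256 = {name: hashlib.sha256(data).hexdigest() for name, data in OFFICIAL_FILES.items()}
EXPECTED_PACKINFO = {
    "HiVer": "0", "LoVer": "72", "Build": "0000",
    "Version": "0.72", "PackVer": "45", "PackDate": "2000/05/02",
}

# The forged release's packinfo.txt differs from the official one in Build, PackVer and
# PackDate, exactly as shown on the page.
FAKE_PACKINFO_TEXT = (
    OFFICIAL_PACKINFO_TEXT.replace("Build=0000", "Build=0002")
    .replace("PackVer=45", "PackVer=47")
    .replace("2000/05/02", "2000/05/06")
)
FAKE_FILES = {
    "isoaq.exe": b"MZ" + b"\x00" * (441263 - 2),   # constructed; size quoted by Letodatus
    "isoaq.txt": b"R" * 19026,                     # size from the 10-May-2000 listing
    "packinfo.txt": FAKE_PACKINFO_TEXT.encode("ascii"),
}


def parse_packinfo(text):
    """Parse the INI-style packinfo.txt; a ' starts a comment, as in the original file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("'", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_release(files, pinned_sizes, pinned_sha256, expected_packinfo):
    """Return a list of findings; an empty list means the archive matches the pinned release."""
    findings = []
    for name, size in pinned_sizes.items():
        if name not in files:
            findings.append(f"{name}: missing from archive")
            continue
        data = files[name]
        if len(data) != size:
            findings.append(f"{name}: size {len(data)} differs from pinned {size}")
        if hashlib.sha256(data).hexdigest() != pinned_sha256[name]:
            findings.append(f"{name}: SHA-256 differs from pinned value")
    for name in files:
        if name not in pinned_sizes:
            findings.append(f"{name}: not part of the official release")
    info = parse_packinfo(files.get("packinfo.txt", b"").decode("latin-1")).get("ISoaQ", {})
    for key, expected in expected_packinfo.items():
        if info.get(key) != expected:
            findings.append(f"packinfo {key}={info.get(key)!r} differs from expected {expected!r}")
    # Internal consistency: the Version string must agree with HiVer.LoVer.
    if info and info.get("Version") != f"{info.get('HiVer')}.{info.get('LoVer')}":
        findings.append("packinfo Version does not match HiVer.LoVer")
    return findings


def audit(files):
    """Check an extracted archive (name -> bytes) against the pinned official release."""
    return check_release(files, PINNED_SIZES, PINNED_SHA256, EXPECTED_PACKINFO)


if __name__ == "__main__":
    for label, files in (("official", OFFICIAL_FILES), ("forged", FAKE_FILES)):
        findings = audit(files)
        print(f"{label}: {'OK' if not findings else 'REJECT'}")
        for finding in findings:
            print("  -", finding)
```

The size check alone would have caught this forgery (the infected isoaq.exe is roughly 100 KB larger), but only the digest check is robust against an attacker who pads the file back to the original size, which is why both are pinned.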
Here is what the program Anti-Joiner v2.1 says about this trojanized file:
===== Cut =====
**** Anti-Joiner Cleaner/Extractor v2.1 (c) by Duke/SMF *** [email protected] ****
**** Extract 23 glues *** Clean 41 trojans *** Detect 3 glues *** Total: 67 ****
¦ Detection : trojan Gip v?.?? detected !
¦ Extracted : TROJAN.ICO - file icon
¦ Extracted : TROJAN.EXE - glue
¦ Extracted : ISOAQ.EXE - host file
¦ More info :
v Mail subj : GIP - Passwords
v Mail : [email protected]
v Program : isoaq.exe
v File name : wintpi32.exe
v Server : smtp.mail.com
v Mail from : Michael
v Home page : www.gip.f2s.com/gip
===== Cut =====
This time isoaq.exe is trojanized with a new, packed version of the PSW trojan GIP (version 1.11, build 1089). The trojan is packed with ASPack v1.0.8.3; the unpacked file is 86016 bytes. The unpacked file contains some very interesting strings (offset - text):
$10258 [GIP DATA] Version: %s ID: %s PIN: %d Carrier: %s GipSvr: %s 1.11 1234
$102ac Frame root@mailcccom mailcc.com [email protected] mail.visualcities.com [email protected] mail1.nettaxi.com 209.176.88.31
$1039c Pinremove Software\BNL\ISoaQ LastVersionLaunched ISoaQ 0.72 GIP ver: %d build: %d
This shows that it is GIP 1.11, a special build tailored to ISoaQ. When the infected file is run, the trojan disinfects the host; the cleaned host is 354816 bytes. The trojan creates the file C:\WINDOWS\SYSTEM\wintpi32.exe and registers itself in the registry:
[HKEY_USERS\.Default\Software\Microsoft\Windows]
"Pin"="212754"
"File1"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
"File2"="C:\\Work\\isoaq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Config"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sevice"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"

12-May-2000
Time to draw conclusions.
After talking with Letodatus I believe the trojanizer is from Russia, since both ISoaQ and GIP are hosted on Russian-language servers, and the mail.ru address speaks for itself. Detection of the first version of the trojan has been added to the Panda Antivirus databases, and today's AVP update added the entry Trojan.PSW.Gip.110.b. Detection of Trojan.PSW.Gip.111.b is expected soon.
Letodatus's full account of the events is on his site at http://www.ipc.ru/~borka/interpol.txt. The full text is given below:
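The registry dump under 10-May-2000 shows the persistence pattern a defender can hunt for: the same executable registered under both Run and RunServices, plus executable paths stored directly on HKEY_USERS\.Default\Software\Microsoft\Windows, a key that normally holds no values of its own. The following is an added example, not from the page or the tools it names: it parses a REGEDIT4-format .reg export and flags those patterns. The export text is constructed from the page's entries, with a stock Windows 98 ScanRegistry value added as a benign control; wintpi32.exe is the file name the Anti-Joiner report attributes to GIP, and RunOnce is included as a further well-known autorun key.

```python
import re

# Autorun keys: Run and RunServices appear in the page's dump; RunOnce is another
# well-known Windows 9x autorun location.
AUTORUN_SUFFIXES = (
    "\\currentversion\\run",
    "\\currentversion\\runservices",
    "\\currentversion\\runonce",
)
# File name attributed to the trojan by the Anti-Joiner report on the page.
KNOWN_BAD_FILENAMES = {"wintpi32.exe"}

# Constructed .reg export (REGEDIT4 format, as exported by Windows 9x regedit).
# The wintpi32.exe / isoaq.exe entries are taken from the page; ScanRegistry is a
# stock Windows 98 autorun value added here as a benign control.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.Default\Software\Microsoft\Windows]
"Pin"="212754"
"File1"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
"File2"="C:\\Work\\isoaq.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Config"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sevice"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'([^\\\s"]+\.exe)\b', re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = data
    return keys


def exe_name(data):
    """Lowercase file name of the executable a value points at (arguments ignored), or None."""
    m = EXE_RE.search(data)
    return m.group(1).lower() if m else None


def scan(keys):
    """Apply the persistence heuristics; each finding is a dict with rule/key/name/data."""
    findings = []
    autorun_refs = {}  # exe name -> [(key, value name), ...]
    for key, values in keys.items():
        kl = key.lower()
        if kl.endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                exe = exe_name(data)
                if exe is None:
                    continue
                autorun_refs.setdefault(exe, []).append((key, name))
                if exe in KNOWN_BAD_FILENAMES:
                    findings.append({"rule": "known-ioc", "key": key, "name": name, "data": data})
        elif kl.endswith("\\software\\microsoft\\windows"):
            # Values directly on this key (rather than in a subkey) are not a normal
            # Windows layout; one holding an executable path deserves a look.
            for name, data in values.items():
                if exe_name(data) is not None:
                    findings.append({"rule": "exe-path-in-unusual-key", "key": key,
                                     "name": name, "data": data})
    # The same executable registered under more than one autorun key is a common
    # belt-and-braces persistence pattern (here: Run plus RunServices).
    for exe, refs in autorun_refs.items():
        if len(refs) > 1:
            findings.append({"rule": "multi-autorun", "name": exe,
                             "key": "; ".join(f"{k}\\{n}" for k, n in refs), "data": len(refs)})
    return findings


def scan_reg_text(text):
    return scan(parse_reg(text))


if __name__ == "__main__":
    for finding in scan_reg_text(SAMPLE_REG):
        print(f"[{finding['rule']}] {finding['key']} :: {finding['name']} -> {finding['data']}")
```

The known-IoC rule only fires on the file name from this incident; the other two rules are generic and would also have surfaced an unknown sample, which is the point of pairing signature hits with structural heuristics.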
The story.

2000.09.09
After having been informed of the new trojan, I wrote two emails to internet services that had something to do with the matter:

Return-Path:
Date: Wed, 10 May 2000 00:18:42 +0400
From: "Letodatus (AKA BorisNicolaich AKA Ex-GARANT)"
Reply-To: Letodatus
To: [email protected], [email protected]
Subject: a fast spreading trojan

Hello abuse,
Your redirect, isoaq.xrs.net, points to a trojan heavily advertised using spam methods over the ICQ network. Removing it would stop a probable epidemic. The hosting ISP, as well as Internet security enforcement bodies, have been informed about the matter. Thank you for your attention to this case.
Best regards, panimashli, Letodatus

Date: Wed, 10 May 2000 00:13:58 +0400
From: "Letodatus (AKA BorisNicolaich AKA Ex-GARANT)"
Reply-To: Letodatus
To: [email protected]
Subject: trojan infection spreading from your network

Hello abuse,
http://www.fwlabs.com/~isoaq/Isoaq.zip contains a trojan which spreads quickly. Appropriate FBI bodies have been informed about the matter. This link is being heavily spam-advertised over the ICQ network.
Best regards, panimashli, Letodatus

I tried to contact XRS via ICQ (9616630). When I searched for the number it was online, but when I added him he went offline...
The result of these mails was:
1) FWLABS disconnected the abusive page
2) XRS.NET ignored any mails
3) My page at thor.prohosting.com got disconnected as well
Probably some interested person knew about these two mails, and he was informed quite fast. I posted only to two emails, so only two parties were aware of the case. And some of them mailed prohosting to disconnect me as revenge. Was it FWLABS who had banned the trojan site upon receiving the first warning? I doubt it...
-----------------------------------------------------------------------------
2000.09.10 Part deux: network solutions
Next day I visited the trojan site and was not surprised to see it was up again.
This time the trojan was hosted at 212.57.1.168 (abone.turk.net). 9616630 was still offline. I sent an offline message to him. Here comes the next email:

Date: Wed, 10 May 2000 17:41:07 +0400
From: "Letodatus (AKA BorisNicolaich AKA Ex-GARANT)"
Reply-To: Letodatus
To: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Some facts about new TROJAN EPIDEMIC

Hello,
The ad to download a file containing the new trojan is being spread using spam methods over the ICQ network, and, supposedly, via email. The site advertised in the message is http://isoaq.xrs.net
(Domain Name: XRS.NET
Registrar: NETWORK SOLUTIONS, INC.
Referral URL: www.networksolutions.com
Name Server: NS1.FROGSPACE.NET
Name Server: NS2.FROGSPACE.NET
Updated Date: 07-may-1999)
It is a URL redirect which points to a page under the turk.net domain. The file which is proposed for download there is a program which is supposed to patch ICQ, with a trojan attached to it. The trojan is packed into a ZIP file and is 441263 bytes long (isoaq.exe). The difference between the infected isoaq.exe and the original one is that the latter is about 100 Kbytes shorter and is never distributed in a ZIP file. At the moment the trojan is not recognized by antivirus (tested with AVP). The infected package is hosted at http://212.57.1.168/%2F%6F%6B%61%6E%73/Isoaq.zip (turk.net, which for some reason is registered with NETWORK SOLUTIONS, INC. as well)
(Domain Name: TURK.NET
Registrar: NETWORK SOLUTIONS, INC.
Referral URL: www.networksolutions.com
Name Server: DELTA.TURK.NET
Name Server: OMEGA.TURK.NET
Updated Date: 03-dec-1999)
Best regards, Letodatus

Hmm... isoaq.xrs.net points to abone.turk.net... both of the servers are registered by the same registrar - Network Solutions? When I wrote to xrs.net they did nothing. Nothing, but my page at prohosting got banned. Network Solutions - could it be a trace? It could. But I'm afraid a wrong one.
Still, xrs.net are the ones to be asked first. It seems that the Turkish trace leads to Russia. Sure, it gets even more interesting...
-----------------------------------------------------------------------------
2000.09.11
Yesterday's investigations proved that some Russian networks are involved in the matter. Three days have already passed and AVP hasn't made an update that would detect the trojan inside isoaq.exe, at least on an uninfected system. I sent it twice and received no more than an auto-reply. I think they make updates every seven days, not in real time. Yesterday I also sent the trojan to Symantec, Panda Software, McAfee and eSafe. Panda was the only one who bothered to write a reply promising to do something, which at least didn't look very automatic and came with a delay. I have some reasons to suppose that the trojan attached was GiP, or at least parts of it have been used to build the infected isoaq.exe.
XRS have at last removed the redirect. Why don't they answer any email or ICQ message? Suspicious... Anyway, I feel sorry I threw my anger at them now.
As for the 'Turkish trace', it was a wrong way. TURK.NET is just a free page provider. There were two facts in favour of the 'Turkish' version:
1. WWW.TURK.NET is a Turkish provider
2. The directory name at the server sounds very Turkish (at least to me): ~okans
It could stand for OkanS, or Okan S. Searching AltaVista for "Okan" turns up a bunch of Turkish sites, so I thought this name was more or less typical in Turkey. Besides, the guy tried to conceal the server name and directory (he wrote %2F%6F%6B%61%6E%73 instead of ASCII cleartext), so he stressed it out that way.
-----------------------------------------------------------------------------
2000.09.14
Two days ago I managed to trace the guy. This is the preliminary version. He's from Kaliningrad (Russia) and his nick is SpXXXXX. He used to help Mr. Nop write the GiP trojan and thus had some ancient sources of the program.
He modified them a bit, making the trojan mess with ISoaQ's registry so that it wouldn't show the first-launch warning. He didn't even bother to compress the trojan in the appropriate way. AVP (http://www.avp.com) now detects it as trojan.psw.gip.110b. The trojan's objectives remained the same - it sent ICQ and dial-up passwords.
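Letodatus's account notes two things about the download link that a filter could have scored automatically: the host is a bare IP address, and the directory name is percent-encoded even though every encoded character ("/", "o", "k", "a", "n", "s") is safe in a URL path as plain text. The following is an added example, not part of Letodatus's text or of any tool named on the page: it decodes the path and flags escapes that encode characters from the RFC 3986 unreserved set (plus the path separator), which is a simple indicator of deliberate obfuscation. The threshold of three needless escapes is an assumption chosen for this example; the benign control URL is constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that never need percent-encoding in a URL path: the RFC 3986 unreserved
# set, plus "/" which is the path separator itself.
NEVER_NEEDS_ENCODING = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~/"
)
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def needless_escapes(path):
    """List (escape, decoded char) for every percent-escape that hid a character safe in the clear."""
    found = []
    for m in ESCAPE_RE.finditer(path):
        ch = chr(int(m.group(1), 16))
        if ch in NEVER_NEEDS_ENCODING:
            found.append((m.group(0), ch))
    return found


def analyse_url(url, threshold=3):
    """Decode the path and report indicators of obfuscation (threshold is an assumed cut-off)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    needless = needless_escapes(parts.path)
    return {
        "host": host,
        "ip_literal_host": bool(IPV4_RE.match(host)),
        "decoded_path": unquote(parts.path),
        "needless_escapes": needless,
        "obfuscated_path": len(needless) >= threshold,
    }


if __name__ == "__main__":
    # The link from Letodatus's email, and a constructed benign URL on the official host
    # where the single escape (%20, a space) is genuinely required.
    for u in ("http://212.57.1.168/%2F%6F%6B%61%6E%73/Isoaq.zip",
              "http://isoaq.da.ru/files/release%20notes.txt"):
        report = analyse_url(u)
        print(u)
        print("  decoded path :", report["decoded_path"])
        print("  IP host      :", report["ip_literal_host"])
        print("  needless     :", [e for e, _ in report["needless_escapes"]])
        print("  obfuscated   :", report["obfuscated_path"])
```

Decoding %2F%6F%6B%61%6E%73 yields "/okans", so the decoded path begins with a doubled slash; a scanner comparing links against a blocklist must therefore compare decoded, normalised paths, or the encoded form slips past a literal match.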
I will keep readers informed of the latest news on this case. Thanks to Letodatus for the information provided.
Programs used during the research:
Anti-Joiner v2.1 by Duke/SMF
UnAspack v1.0.8.3 by BiWeiGuo