История развития скандала вокруг фальсификации ISoaQ v0.72
02-May-2000
Letodatus выпустил новую версию своей (очень популярной) программы ISoaQ v0.72
Она поставляется в виде SFX-архива, содержащего файлы :
isoaq.exe - 354304
isoaq.txt - 18982
packinfo.txt - 114
Файл packinfo.txt имеет вид :
===== Cut =====
[ISoaQ]
HiVer=0
LoVer=72
Build=0000
Version=0.72
'This one is important
PackVer=45
PackDate=2000/05/02
===== Cut =====
Программа выложена на официальную страничку http://isoaq.da.ru
07-May-2000
Сегодня, а возможно и ранее, неизвестный злоумышленник фальсифицирует релиз ISoaQ v0.72.
Файл isoaq.exe троянизирован приватной неупакованной версией PSW-троянца GIP v1.10.
Программа перепакована в ZIP архив и размещается на турецком сервере turk.net.
Турецкий хостинг выбран видимо потому, что до него сложно добраться федеральным службам.
Об этом становится известно Letodatus'у и он развивает бурную деятельность по выявлению
и наказанию злоумышленника. Выяснилось, что изначально троян хостился на fwlabs.com,
но там он просуществовал не более 12 часов.
Файл packinfo.txt имеет вид :
===== Cut =====
[ISoaQ]
HiVer=0
LoVer=72
Build=0002
Version=0.72
'This one is important
PackVer=47
PackDate=2000/05/06
===== Cut =====
10-May-2000
Сегодня в 14.44 был заменен троянизированный файл на сервере turk.net.
Теперь архив содержит файлы :
isoaq.exe - 4000303 10.05.2000
isoaq.txt - 19026 07.05.2000
packinfo.txt - 114 06.05.2000
Вот что говорит программа Anti-Joiner v2.1 об этом троянизированном файле :
===== Cut =====
**** Anti-Joiner Cleaner/Extractor v2.1 (c) by Duke/SMF *** [email protected] ****
**** Extract 23 glues *** Clean 41 trojans *** Detect 3 glues *** Total: 67 ****
¦ Detection : trojan Gip v?.?? detected !
¦ Extracted : TROJAN.ICO - file icon
¦ Extracted : TROJAN.EXE - glue
¦ Extracted : ISOAQ.EXE - host file
¦ More info :
v Mail subj : GIP - Passwords
v Mail : [email protected]
v Program : isoaq.exe
v File name : wintpi32.exe
v Server : smtp.mail.com
v Mail from : Michael
v Home page : www.gip.f2s.com/gip
===== Cut =====
На этот раз файл isoaq.exe троянизирован новой упакованной версией PSW-троянца
GIP (version 1.11, build 1089).
Троянец упакован ASPack v1.0.8.3, размер файла после распаковки - 86016.
В распакованном файле видны очень интересные строчки (смещение - текст) :
$10258 [GIP DATA] Version: %s ID: %s PIN: %d Carrier: %s GipSvr: %s 1.11 1234
$102ac Frame root@mailcccom mailcc.com [email protected] mail.visualcities.com
[email protected] mail1.nettaxi.com 209.176.88.31
$1039c Pinremove Software\BNL\ISoaQ LastVersionLaunched ISoaQ 0.72 GIP ver: %d build: %d
Это говорит о том, что это GIP 1.11, специальная версия "заточенная" под ISoaQ.
При запуске пораженного файла, троянец излечивает жертву; размер излеченной жертвы равен
354816 байт. Троянец создает файл C:\WINDOWS\SYSTEM\wintpi32.exe и прописывается в реестр :
[HKEY_USERS\.Default\Software\Microsoft\Windows]
"Pin"="212754"
"File1"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
"File2"="C:\\Work\\isoaq.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Config"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Sevice"="C:\\WINDOWS\\SYSTEM\\wintpi32.exe"
12-May-2000
Время делать выводы. После общения с Letodatus'ом я считаю, что хакер-троянизатор из России,
поскольку и ISoaQ, и GIP хостятся на русскоязычных серверах, да и адрес на mail.ru говорит
сам за себя. Детектирование первой версии троянца добавлено в базы Panda Antivirus,
в сегодняшнем апдейте AVP появилась запись Trojan.PSW.Gip.110.b.
В скором времени ожидается детектирование Trojan.PSW.Gip.111.b.
На сайте Letodaus'a по адресу http://www.ipc.ru/~borka/interpol.txt находится полное
изложение событий, сделанное Letodaus'ом. Полный текст приводится ниже :
The story.
2000.09.09
After having been informed of new trojan, I wote two emails to internet services
that had something to do with the matter:
Return-Path:
Date: Wed, 10 May 2000 00:18:42 +0400
From: "Letodatus (AKA BorisNicolaich AKA Ex-GARANT)"
Reply-To: Letodatus
To: [email protected], [email protected]
Subject: a fast spreading trojan
Hello abuse,
Your redirect, isoaq.xrs.net points to a trojan heavily advertised
using spam methods over ICQ network. Removing it would stop a
probable epidemy.
The hosting ISP, as well as Internet security enforcement bodies
have been informed about the matter. Thank you for your attention to
this case.
Best regards, panimashli,
Letodatus
Date: Wed, 10 May 2000 00:13:58 +0400
From: "Letodatus (AKA BorisNicolaich AKA Ex-GARANT)"
Reply-To: Letodatus
To: [email protected]
Subject: trojan infection spreading from your network
Hello abuse,
http://www.fwlabs.com/~isoaq/Isoaq.zip contains a trojan which
spreads quickly.
Apropriate FBI bodies have been informed about the matter.
This link is being heavily spam-advertised over ICQ network.
Best regards, panimashli,
Letodatus
I tried to contact XRS via ICQ (9616630). When I searched for the number
it was online, but when added him he went offline...
The result of these mails was:
1) FWLABS disconnected the abusive page
2) XRS.NET ignored any mails
3) My page at thor.prohosting.com got disconnected as well
Probably, some person interested knew about these two mails, and he
has been informed quite fast. So I posted only to two emails, and only
two parties were aware of the case.
And some of them mailed to prohsting to disconnect me as a revenge.
Was it FWLABS who had banned the trojan site upon receiving the first
warning? I doubt...
-----------------------------------------------------------------------------
2000.09.10
Part deux: network solutions
Next day I visited the trojan site and was not surprised to see it is up again.
This time the trojan was hosted at 212.57.1.168 (abone.turk.net).
9616630 was still ofline. I've sent an offline message to him.
Here comes the next email:
Date: Wed, 10 May 2000 17:41:07 +0400
From: "Letodatus (AKA BorisNicolaich AKA Ex-GARANT)"
Reply-To: Letodatus
To: [email protected], [email protected], [email protected],
[email protected], [email protected], [email protected]
Subject: Some facts about new TROJAN EPIDEMY
Hello ,
The ad to download a file containin the new trojan is being
spread using spam methods over ICQ network, and, supoosedly,
via email.
The site advertised in the message is http://isoaq.xrs.net
(Domain Name: XRS.NET
Registrar: NETWORK SOLUTIONS, INC.
Referral URL: www.networksolutions.com
Name Server: NS1.FROGSPACE.NET
Name Server: NS2.FROGSPACE.NET
Updated Date: 07-may-1999)
It is a URL redirect which points to a page under turk.net domain.
The file which is proposed to download there is a program which is
supposed to patch ICQ with a trojan attached to it.
The trojan is packed into a ZIP file and is 441263 bytes long
(isoaq.exe).
The difference between the infected isoaq.exe and the original one
is that the latter is about 100 Kbytes shorter and is never
distributed in a ZIP file.
By the time the trojan is not recognized by antivirus (tested with
AVP).
The infected package is hosted at
http://212.57.1.168/%2F%6F%6B%61%6E%73/Isoaq.zip, (turk.net which is
by some reason is registered to NETWORK SOLUTIONS, INC. as well)
(Domain Name: TURK.NET
Registrar: NETWORK SOLUTIONS, INC.
Referral URL: www.networksolutions.com
Name Server: DELTA.TURK.NET
Name Server: OMEGA.TURK.NET
Updated Date: 03-dec-1999)
Best regards,
Letodatus
Hmm... isoaq.xrs.net points to abone.turk.net... both of the servers
are registered by the same registrar - Network solutions? When I wrote
to xrs.net they did nothing. Nothing, but my page at prohosting got
banned. Network Solutions - Could it be a trace? It could.
But I'm afraid a wrong one. Still, xrs.net are the one to be asked
the first.
It seems that the turkish trace leads to Russia. Sure, it gets even more
interesting...
-----------------------------------------------------------------------------
2000.09.11
Yesterday's investigations proved that some russian networks are involved in
the matter. Three days have already passed and AVP didn't make an update that
would detect the trojan inside isoaq.exe, at least on an uninfected system.
I sent it twice and received no more than an auto-reply. I think they make
updates every seven days, but not in real time. Yesterday I also sent the
trojan to Symantec, Panda Software, McAfee and eSafe.
Panda was the only one who bothered to write a reply promising to do something,
which at least didn't look very automaticle and came with a delay.
I have some reasons to suppose that the trojan attached was GiP, or at least
it's part have been used to build the infected isoaq.exe
XRS at last have removed the redirect. Why don't they answer any email or icq
message? Suspicious... Anyway I feel sorry I threw my anger at thm now.
As for the 'turkish trace' it was a wrong way. TURK.NET is just a free page
provider. There were two facts in favour of the 'turkish' version:
1. WWW.TURK.NET is a turkish provider
2. The directory name at the server sounds very turkish (at least to me):
~okans
It could stand for OkanS, or Okan S. Searching altavista on "Okan"
spurfs a bunch of turkish sites, so I thougth this name was more or
less typical in Turkey.
Besides, the guy tried to conceal the server name and directory
(he wrote %2F%6F%6B%61%6E%73 instead of ASCII cleartext), so he stressed
it out that way.
-----------------------------------------------------------------------------
2000.09.14
To days ago I've managed to trace the guy. This is the preliminative version.
He's from Kaliningrad (Russia) and his nick is SpXXXXX. He used to help Mr. Nop
writing GiP trojan and thus had some acient sources of the program. He modified
them a bit, making the trojan mess with ISoaQ's registry so that it wouldn't
show the first-launch warning. He didn't even bother to compress the trojan in
the appropriate way. AVP (http://www.avp.com) detects it now as trojan.psw.gip.110b.
The trojan's objectives remained the same - it sent ICQ and dial-up passwords.
Я буду знакомить читателей с последними новостями об этом деле.
Спасибо Letodaus'у за предоставленную информацию.
При проведении исследований использованы программы :
Anti-Joiner v2.1 by Duke/SMF
UnAspack v1.0.8.3 by BiWeiGuo
