WARNING: Computer hackers mass-mailing trojans
- 12 Nov 2002

*Computer hackers mass-mailing trojans*

MessageLabs is currently intercepting hackers who are mass-mailing trojans to unsuspecting users. The spread of this new threat suggests that infected machines could potentially be used in some kind of large-scale coordinated Internet hacking activity.

The details of the trojan are as follows:

Trojan name: Maz
Aliases: W32/Maz.A, Downloader-BO
Number of copies seen so far: 280
Time & Date first captured: 10 Nov 2002, 14:58 GMT
Origin of first intercepted copy: UK
Number of countries seen active: 32
Top five most active countries:
  United States 60.7%
  Canada 9.3%
  Korea (South) 5.0%
  Great Britain 3.2%
  Mexico 2.1%

*Technical Details*

The Maz trojan connects to a URL, which has since been closed down, to register the location of the machine which has been compromised. It then proceeds to download a further component. Currently, this additional component is a backdoor Trojan (Backdoor-AML), but this may readily change if the website is updated or changed. Amongst other things, Backdoor-AML allows the remote hacker to use the compromised machine as an SMTP relay on TCP port 4668, from which further attacks may be launched.

By analysing the pattern of IP addresses from which MessageLabs have intercepted this Trojan to date, it is likely that the hacker is compromising PCs and then using these machines to send more copies of the Trojan. It is possible that the hacker may also be using open-relay mail servers. It appears that the hacker, or group of hackers, is trying to amass a virtual army of trojans to perform some kind of coordinated hacking activity in the future.

*Behaviour*

In the copies of e-mails that we have stopped, the mail seems to have been generated from a poorly configured Ratware mailer: the replaceable parameters appear not to have been replaced. For example:

Subject: mail (space) (space)
Text: (space) Hello! (space) check (space) out (space) (space), the best (space) FREE (space) site! (space)
Message ID: (variable number) (space)
MessageNumber: (variable number) (space)
Attachment: masteraz.exe

The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to automatically execute the attachment on un-patched systems. In copies that we have intercepted, it appears to have a website download component, and contains several encoded URLs XORed with 0x4D, for example:

(link to website removed)/country/get.pl
(link to website removed)/counter.c

NB: counter.c is actually a backdoor program, which it downloads.

*Comment*

Skeptic detected this trojan heuristically. No MessageLabs customers were affected.

This email was sent to you because you subscribe to MessageLabs' Virus Alert service. You can cancel your subscription on the MessageLabs website at http://www.messagelabs.com/AlertUnsubscribe

MessageLabs is a leading provider of Internet-level managed email security services. Through its SkyScan portfolio of services, MessageLabs customers are protected from email-borne threats such as viruses, unsolicited mail and pornographic material, before such content comes anywhere near their network boundaries.

________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs SkyScan service. For more information on a proactive anti-virus service working around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________
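The alert notes that the downloader hides its URLs by XORing them with 0x4D. As an added analyst's example (not code from MessageLabs or from the sample), the script below recovers single-byte-XOR-obscured URLs from a binary blob and, going beyond the alert's fixed key, brute-forces the key when it is unknown. The buffer and the hostname `malware-host.invalid` are constructed placeholders, not the real site.

```python
import re
from typing import List, Optional

XOR_KEY = 0x4D  # single-byte key the alert reports for Maz's embedded URLs

# Constructed sample buffer (not a real Maz binary): header-like noise around
# two NUL-terminated URL strings that were XORed with 0x4D.
# PLACEHOLDER_HOST stands in for the site the alert removed.
PLACEHOLDER_HOST = b"http://malware-host.invalid"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + xor_bytes(PLACEHOLDER_HOST + b"/country/get.pl\x00", XOR_KEY)
    + b"\xff\xfe"
    + xor_bytes(PLACEHOLDER_HOST + b"/counter.c\x00", XOR_KEY)
    + b"\x00\x00"
)


def find_xor_urls(blob: bytes, key: int = XOR_KEY, min_len: int = 8) -> List[str]:
    """Decode blob with a single-byte XOR key and return the URL-like strings.

    Unrelated bytes decode to noise; the regex keeps only runs that start with
    an http(s) scheme or a path and continue for at least min_len characters.
    """
    decoded = xor_bytes(blob, key)
    pattern = (r"(?:https?://[\x21-\x7e]{%d,}|/[A-Za-z0-9_./-]{%d,})"
               % (min_len, min_len)).encode("ascii")
    return [m.decode("ascii") for m in re.findall(pattern, decoded)]


def brute_force_key(blob: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the one revealing the most URLs.

    Useful when a variant uses a key other than the 0x4D the alert reports.
    Returns None if no key exposes any URL.
    """
    best = max(range(256), key=lambda k: len(find_xor_urls(blob, k)))
    return best if find_xor_urls(blob, best) else None


if __name__ == "__main__":
    print("recovered key: 0x%02X" % brute_force_key(SAMPLE))
    for url in find_xor_urls(SAMPLE):
        print("decoded:", url)
```

Recovered URLs and the contacted host are what a responder would add to mail and proxy block lists; the same decoder applies to any single-byte XOR string table.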
"Live in peace with the animals. Animals bring love to our hearts, and warmth to our souls."
"He who is cruel to animals becomes hard also in his dealings with men. We can judge the heart of a man by his treatment of animals." Immanuel Kant