[Snort-sigs] db entry for sid 206
pbsarnac at ...427...
pbsarnac at ...427...
Sat Mar 9 15:10:03 EST 2002
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat
3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106;
sid:206; classtype:misc-activity; rev:3;)
This signature indicates that a DeepThroat client has ordered a DeepThroat
trojaned machine on $HOME_NET to open its CD-ROM drive.
A remote attacker with DeepThroat access has almost full control of the
trojaned machine, including file manipulation and download, keystoke
logging, password scavenging, and reboot. Additionally, the trojan includes
a port redirector, and IRC bot, and a tool to scan for other DeepThroat
infected machines. There are also prank-type annoyances.
DeepThroat is a full-featured remote access trojan.It contains many kiddie
tools, including window enumeration and manipulation; file searching
launching and deletion; remote graphics display sound playing and wallpaper
alteration; remote website launching and file download; shell
alteration(e.g. hiding systray or Start button), CD-ROM open/closing, mouse
button swapping; screen resolution change, display on/off; password
scavenging and screen
capturing. It also includes a remotely activated FTP server, a keystroke
logger, an IRC bot, a port redirector, and a tool to scan for other
DeepThroat servers. Using these tools, an attacker can not only take
control of the infected machine, but can use it as a relay to attack others
or scan for more infected machines from within your network.
Users must be actively enticed into installing the trojan, using any of the
normal social-engineering means. Alternatively, an attacker with physical
access to the machine could simply install it himself.
Ease of Attack:
Very simple. This is a point-and-click tool. The toughest part is
convincing a user to install it, and it could certainly be bound to another
binary for easier social-engineering.
Block UDP port 2140 (standard DeepThroat control port), TCP port 21
(standardDeepThroat FTP server), and TCP port 999 (DeepThroat keyboard
logger). DeepThroat may be set up to run on other ports than those listed
above... removal is the only sure mitigation.
Scan with an anti-virus tool and follow the removal instructions.
0000 00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00 .PVÿ®Ë.P Vþ....E.
0010 00 1e b2 1e 00 00 80 11 32 55 c0 a8 ea 84 c0 a8 ..²..... 2UÀ?ê.À?
0020 ea 85 ea 60 08 5c 00 0a 86 8f 30 32 85 00 00 00 ê.ê`.\.. ..02....
0030 00 01 00 00 00 00 20 46 48 45 50 45 ...... F HEPE
More information about the Snort-sigs