[Snort-sigs] db entry for sid 198

Patrick Sarnacke sarnak at ...428...
Sat Mar 9 19:25:28 EST 2002

alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198; classtype:misc-activity; rev:3;)

This signature indicates that a DeepThroat client has requested a list of all 
open windows from a DeepThroat trojaned machine on $HOME_NET.
A remote attacker with DeepThroat access has almost full control of the 
trojaned machine, including file manipulation and download, keystroke logging, 
password scavenging, and reboot. Additionally, the trojan includes a port 
redirector, an IRC bot, and a tool to scan for other DeepThroat infected 
machines. There are also prank-type annoyances.
Detailed Information:
DeepThroat is a full-featured remote access trojan. It contains many kiddie 
tools, including window enumeration and manipulation; file searching, 
launching and deletion; remote graphics display, sound playing and wallpaper 
alteration; remote website launching and file download; shell alteration (e.g. 
hiding systray or Start button), CD-ROM open/closing, mouse button swapping; 
screen resolution change, display on/off; password scavenging and screen 
capturing. It also includes a remotely activated FTP server, a keystroke 
logger, an IRC bot, a port redirector, and a tool to scan for other 
DeepThroat servers. Using these tools, an attacker can not only take control 
of the infected machine, but can use it as a relay to attack others or scan 
for more infected machines from within your network.
Attack Scenarios:
Users must be actively enticed into installing the trojan, using any of the 
normal social-engineering means. Alternatively, an attacker with physical 
access to the machine could simply install it himself. 
Ease of Attack:
Very simple. This is a point-and-click tool. The toughest part is convincing 
a user to install it, and it could certainly be bound to another binary for 
easier social-engineering.
False Positives:

False Negatives:

Corrective Action:
Block UDP port 2140 (standard DeepThroat control port), TCP port 21 
(standard DeepThroat FTP server), and TCP port 999 (DeepThroat keyboard 
logger). DeepThroat may be set up to run on other ports than those listed 
above... removal is the only sure mitigation.
Scan with an anti-virus tool and follow the removal instructions.

Additional References:
Packet Capture:
0000  00 50 56 ff ae cb 00 50  56 fe 18 10 08 00 45 00   .PVÿ®Ë.P Vþ....E.
0010  00 1f 15 02 00 00 80 11  cf 70 c0 a8 ea 84 c0 a8   ........ ÏpÀšê.Àš
0020  ea 85 ea 60 08 5c 00 0b  53 88 33 37 30 6b 50 10   ê.ê`.\.. S.370kP.
0030  1e e8 05 bb 00 00 00 00  00 00 00 00               .è.».... ....    
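
An added example (not part of the original post or of the Snort rule set): a Python decode of the packet capture above that checks the port and content conditions of sid 198 against it. The payload is bounded by the UDP length field, so the trailing Ethernet padding is not searched; the function names are illustrative, and $EXTERNAL_NET/$HOME_NET are not modelled.

```python
import struct

# Frame bytes transcribed from the "Packet Capture" hex dump in this entry.
FRAME = bytes.fromhex(
    "005056ffaecb005056fe181008004500"
    "001f150200008011cf70c0a8ea84c0a8"
    "ea85ea60085c000b53883337306b5010"
    "1ee805bb0000000000000000"
)

def parse_udp(frame):
    """Decode Ethernet II / IPv4 / UDP; return None for anything else."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != 17:
        return None                       # not IPv4, or protocol is not UDP
    udp_off = 14 + ihl
    if len(frame) < udp_off + 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if ulen < 8 or udp_off + ulen > len(frame):
        return None                       # UDP length field is inconsistent
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "sport": sport,
        "dport": dport,
        # Payload ends where the UDP length says it does ...
        "payload": frame[udp_off + 8:udp_off + ulen],
        # ... and whatever follows is link-layer padding, not application data.
        "padding": frame[udp_off + ulen:],
    }

def matches_sid_198(pkt):
    """Port and content conditions of the rule (udp 60000 -> 2140, content "370")."""
    return (pkt is not None and pkt["sport"] == 60000
            and pkt["dport"] == 2140 and b"370" in pkt["payload"])

if __name__ == "__main__":
    pkt = parse_udp(FRAME)
    print(pkt)
    print("sid 198 conditions met:", matches_sid_198(pkt))
```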
