Current Main Threats - GLOBAL
OPTIX LITE
Optix Lite is an exceedingly dangerous trojan in heavy use at this time. Optix Lite is an uploader, or mini trojan, with the capability to terminate known security software. It will shut down all well-known security programs by scanning for the names of the running programs. It will also continually scan for the presence of these programs and terminate them if they have been restarted. Once the hacker has access with Optix Lite, they will upload and install a larger trojan such as those described in this section, giving complete and unblockable access to the machine. More often than not, users are unaware their security software is no longer running. Optix Lite is the single most dangerous trojan threat at the current time: it is already stable and reliable, and hard to detect with file scanners as it is released unpacked, ready for modification. We have released an advisory here with more details on the latest Optix Lite release at the time of writing.
Optix Lite is being used by a huge number of hackers. Use should remain steady and grow even further with more releases, expect Optix Lite to remain popular for at least the next three to five years.
All versions of Optix Lite are detected by TDS.
0.1, 0.2, 0.2 GW, 0.3, 0.3b, 0.3c, 0.4, 0.4a, 0.4b, 0.4c, 0.4N
OPTIX PRO
Optix Pro is very popular as the full-featured trojan counterpart to Optix Lite. This trojan is very dangerous, and has prompted a lot of research here at the DiamondCS Lab. Optix Pro has a full feature set, including what users are saying is the best screen and webcam capture of any trojan to date, along with rock-solid stability.
TDS-3 has the ability to detect this trojan in file scans even if manually modified. The trojan should still be flagged with a positive identification due to advanced detection techniques employed. Executable compression does not stop TDS from detecting new variants, and version 1.1 did not even need analysis to be detected. We have further strengthened this detection since the release of version 1.1 to be sure of good detection rates. In memory, TDS should find all possible variants of Optix Pro unless it was rebuilt from scratch. We have released an advisory here with more details on Optix Pro.
Optix Pro is being used by a lot of trojan users in the wild, and heavy use should continue for at least the next three years or more.
All current versions of Optix Pro are detected by TDS.
1.0, 1.1
SUBSEVEN
SubSeven is the most globally-widespread trojan and has overtaken all others to be widely recognised as the most popular Remote Access Trojan for the year 2001. SubSeven is currently at version 2.2, and while very buggy it is still heavily in use. SubSeven 2.2 brought new methods of autostarting and infects the system in many ways to keep itself installed. Development on SubSeven continues.
SubSeven is in heavy use throughout the world and will most likely remain so for at least the next three years. The newest version, 2.2, has shaped up as a serious threat, and its new features were designed to make coordinating multiple victims in a DDoS attack easy. Most users are using 2.1.4 DEFCON and modified variants, for its stability. TDS easily detects SubSeven variants in memory.
All variants of SubSeven are detected by TDS.
1.0, 1.1, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 2.0, 2.0 Unpacked, Apocalypse, Apocalypse.b, "Undetectable", 2.1, 2.1.b, 2.1.c, 2.1.d, 2.1 Mod, 2.1 Patched, 2.1 Stealth, 2.1 GOLD, 2.1 GOLD.a, 2.1 GOLD.b, 2.1 MUIE, 2.1 MUIE Unpacked, 2.1 MUIE.a, 2.1 MUIE.b, 2.1 MUIE.c, 2.1 MUIE.d, 2.1 MUIE.e, 2.1 BONUS, 2.1 BONUS Unpacked, 2.1 BONUS (Mod a,b,c), 2.1 BONUS.a, 2.1 BONUS.b, 2.1 BONUS.c, 2.1 BONUS.d, 2.1 DEFCON, 2.1 DEFCON.a, 2.1 DEFCON.b, 2.1 DEFCON.c, 2.1 DEFCON (MRX Mod), 2.2beta, 2.2beta NT, 2.2, 2.2a, 2.2b, 2.2c, 2.2d
BIONET
BioNet is a trojan rising quickly in popularity and is a very serious threat. New features in versions 3.x mean this trojan is capable of shutting down many defence programs, including popular trojan scanners, antivirus scanners and firewall software. The trojan is also capable of corrupting some of these programs' installations in such a way that they cannot be reinstalled.
BioNet is already widespread and should climb to very heavy use within the next six to twelve months, and remain so for at least the next three to five years.
All available and old versions of BioNet are detected by TDS.
0.84, 0.871, 0.92, 0.92 NT, 2.10x, 2.21, 2.21 NT, 2.61, 2.81a, 2.9x, 3.0, 3.02, 3.04, 3.05, 3.06, 3.07, 3.08, 3.09, 3.10, 3.11, 3.12, 3.13, 3.14 Beta, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19 Beta, 4.0.1, 4.00.02, 4.00.03
BioNet Lite is also detected.
1.0 (Beta)
MOSUCKER
MoSucker is now a very popular trojan. This trojan has become very dangerous, and has prompted extra research here at the DiamondCS Lab. MoSucker is becoming a very serious threat, as new features in version 2.2 mean this trojan is capable of shutting down many defence programs, and this is even configurable by the trojan user. Popular trojan scanners, antivirus scanners, firewall software and more can be targeted at will and prevented from starting. To worsen the danger, there are anti-removal features which make manual removal difficult for the novice, and the unique server creator will generate different servers, which can be very difficult to detect by file scanning. TDS-3 has been given the ability to detect this trojan in file scans every time, and even if further polymorphic technology were built into the server creator, TDS-3 has the ability to rise to the task. Even manually modifying the trojan would still result in a positive identification.
MoSucker is already being used significantly, and should climb to very heavy use within the next six to twelve months, and remain so for at least the next three years or more. MoSucker is no longer in development.
All known versions of MoSucker are detected by TDS.
1.0, 1.0a, 1.1, 1.1a, 1.12, 2.0, 2.1 Beta, 2.1, 2.11 Beta, 2.2
INFECTOR
Infector is a popular trojan that is being used more and more recently. The Infector trojan is a very serious threat; it has close to all the features of SubSeven, including port redirection. We have released an advisory here with more details on the latest Infector release, 2.0 Bonus.
Infector is widespread and should stay in heavy use for at least the next two to four years.
TDS will detect all known Infector variants.
1.0, 1.3, 1.4, 1.4.2, 1.6, 1.6a, 1.6b, 1.7, 1.7 Bonus, 1.7b, 1.7c, 1.8 Beta, 1.8, 1.9 Alpha, 1.9 Alpha Unpacked, 2.0 Alpha, 2.0 Alpha Unpacked, 2.0, 2.0 Unpacked, 2.0 Bonus, 2.0 Bonus Unpacked
UNDETECTED
Undetected is also becoming very popular, and is one trojan with very powerful features. The latest version of Undetected is very dangerous: under Win9x or ME the server is completely invisible, hiding itself in another running process. Detecting that the trojan is resident by normal methods is extremely difficult, and even with the power of TDS detection is not easy, but even Undetected 3.3 cannot hide from TDS.
Undetected is also already becoming widespread and should remain in heavy use for at least the next few years, possibly a long time. With its technical specifications Undetected could become an extreme threat.
TDS will detect all known released versions of Undetected.
Muerte 1.1, 4fk 2.2, SE 2.3, SE 2.3a, SE 2.3b, 3.0, SE 3.0, SE 3.0a, 3.1, 3.1a, SE 3.2, 3.3, 3.31, 3.32
Y3K RAT
Y3K Rat is a definite threat to home PC users. This trojan has reached version 1.6. It is now popular; the newest version made headlines on many security-related news websites. Y3K Rat is another Remote Access Trojan with powerful features. It has the ability to terminate known running processes such as firewalls and virus scanners, a popular feature of the newest Remote Access Trojans. Detecting that the trojan is resident is not a problem for TDS-3, with multiple scans having the ability to reveal an infection.
Y3K Rat is another widespread trojan and should be used for at least the next few years, possibly longer. With its recent versions it has proven itself a serious threat.
TDS will detect all known released versions of Y3K Rat.
1.0, 1.1, 1.2, 1.3, 1.4, 1.4b, 1.4c, 1.5, 1.6, 1.6 Unpacked, 1.6a, 1.6a Unpacked, 1.6 MS, 1.6 MS Unpacked
NETBUS 1.x
Infection is still hugely widespread, and ongoing. NetBus 1 is still a trojan of choice for many hackers. Listening on TCP 12345 will snare most connection attempts. The majority of these connection requests on TCP 12345 will be from probes: programs, or possibly worms, scanning for open servers. Due to the openness of the NetBus 1.x protocol, a lot of programmers have developed utilities, programs, worms, and all sorts of things that are based around the NetBus server.
This is a medium-term problem. NetBus 1.x should still be in use for a few more years.
NETBUS 2.x is not so much a problem, due to encrypted communications, and also the fact that NetBus 2 has gone shareware.
All variants of NetBus are detected by TDS.
1.20, 1.53, 1.60, 1.70, 1.70 (Mod), 1.70 (Spanish), 2.0 (Mod), 2.0 Pro (Beta), 2.0 Pro, 2.01, 2.10, 2.x (Cryo Mod)
NetBus droppers: BOWhack, Pie Bill Gates, Whack-A-Mole 1.1, Whack-A-Mole 1.7, Movie trojan, Picture trojan
IRC THREATS
IRC is a primary worm breeding ground. Open, text-based protocols such as IRC, Email (SMTP), etc. are the most common protocols that worm programmers use when writing propagation routines into their worms.
Upon joining an IRC channel, one of the following may occasionally happen to you automatically:
- receive a connection request on TCP 12345, testing for the existence of NetBus.
- receive a connection request on TCP 1243, testing for the existence of SubSeven.
- receive a connection request on TCP 27374, testing for the existence of SubSeven 2.x.
- receive an encrypted packet on UDP 31337, testing for the existence of Back Orifice.
- receive a DCC SEND notice on IRC, with either a .exe, .com, .ini, .bat, .pif, .vbs, .shs, .hta or .htm file.
- receive a private message telling you to perform a command beginning with //$decode
It will be a script doing all the work here, not a human. The human attacker will be sitting by, waiting for his script to show some results.
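As an added illustration (not DiamondCS code), the following script classifies constructed log lines against the probe patterns listed above: the NetBus, SubSeven and Back Orifice ports, DCC SEND of the listed file types, and a private message carrying a //$decode command. The line formats and sample entries are constructed assumptions, not any real product's log format.

```python
"""Classify constructed connection and IRC log lines against the IRC-borne
probe patterns listed on this page. Log formats are assumptions for the example."""
import re

# Port-to-trojan mapping taken from the page's IRC THREATS list.
PROBE_PORTS = {
    ("tcp", 12345): "NetBus 1.x probe",
    ("tcp", 1243): "SubSeven probe",
    ("tcp", 27374): "SubSeven 2.x probe",
    ("udp", 31337): "Back Orifice probe",
}
# File extensions the page lists as arriving via DCC SEND.
RISKY_EXT = {".exe", ".com", ".ini", ".bat", ".pif", ".vbs", ".shs", ".hta", ".htm"}

# Constructed line formats (assumption):
#   "CONN <proto> <src_ip> -> <dst_port>"
#   "IRC DCC <nick> <filename>"
#   "IRC PRIVMSG <nick> <text>"
CONN_RE = re.compile(r"^CONN (tcp|udp) (\S+) -> (\d+)$")
DCC_RE = re.compile(r"^IRC DCC (\S+) (\S+)$")
MSG_RE = re.compile(r"^IRC PRIVMSG (\S+) (.+)$")


def classify(line):
    """Return a short alert string for a suspicious line, or None if benign."""
    m = CONN_RE.match(line)
    if m:
        proto, src, port = m.group(1), m.group(2), int(m.group(3))
        name = PROBE_PORTS.get((proto, port))
        return f"{name} from {src}" if name else None
    m = DCC_RE.match(line)
    if m:
        nick, fname = m.groups()
        # Use the last extension so double extensions like movie.avi.pif are caught.
        ext = fname[fname.rfind("."):].lower() if "." in fname else ""
        return f"DCC SEND of {ext} file from {nick}" if ext in RISKY_EXT else None
    m = MSG_RE.match(line)
    if m:
        nick, text = m.groups()
        if any(tok.lower().startswith("//$decode") for tok in text.split()):
            return f"//$decode lure from {nick}"
    return None


def scan(lines):
    """Return (line, alert) pairs for every line that triggers an alert."""
    return [(ln, a) for ln in lines for a in [classify(ln)] if a]


# Constructed sample log lines (addresses are documentation ranges).
SAMPLE = [
    "CONN tcp 198.51.100.7 -> 12345",
    "CONN tcp 198.51.100.7 -> 80",
    "CONN udp 203.0.113.9 -> 31337",
    "IRC DCC badnick funny.jpg",
    "IRC DCC badnick movie.avi.pif",
    "IRC PRIVMSG badnick please type //$decode now",
    "IRC PRIVMSG friend hello there",
]

if __name__ == "__main__":
    for line, alert in scan(SAMPLE):
        print(f"{alert:<40} <- {line}")
```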
DiamondCS have released a small freeware program to detect most IRC worms, see the IRClean page here