Lazy trojan?

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    27

    Lazy trojan?

    Some guy I thought was better than this sent me some stuff infected with "Backdoor.SdBot.05.gen". How can I figure out how that trojan is configured, or if it's an infected file at all? I remember seeing some apps which just stripped all the configuration settings from the awesome Sub7/NetBus trojans, but I dunno about SdBot (and before anyone jumps up and starts screaming, that stuff up there was irony). And how about just asking him? Well, believe me I will ask whenever I get hold of him again..

    Anyway, I've tried to monitor packets and registry changes. This resulted in nothing, nothing at all.

    Any help would be appreciated.

  2. #2
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    SDBOT/SGBOT are IRC trojan bots mainly used for DoS attacks, and sometimes it is even possible to obtain passwords with them. Below is an attachment which will give you an example of one of these bots.

    NOTE: I have stripped the actual bot from the attachment below, leaving just the documentation. I don't want to have people download the actual bot due to me
    This attachment is an actual command reference for an SDBOT, so it will give you an idea of its capabilities. Once the bot is configured, it's compiled into an .exe file. Source code is NOT included here!

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  3. #3
    Junior Member
    Join Date
    Oct 2002
    Posts
    27
    Yeah, I knew it was an IRC trojan bot, and that it's compiled into .exe's (the trojan itself is 17kb or something). Source code is far from interesting here; I just wanted to know what this fella wanted his trojan to do. I consider myself pretty secure here, so the trojan wouldn't really work anyway, as all traffic is routed to nowhere.

    Oh well, guess he can explain himself better than anyone here, thanks anyway

  4. #4
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Well, one way of finding out is by using a packet sniffer, and sniffing all packets to see what goes where, or what comes from where, including the commands issued themselves. Ethereal might be your friend in this case. Also using netstat might be neat, since it will tell you where the bot is connected to (which IRC server, for example). There are many ways to filter out where these people are, and what they are actually doing. A well configured firewall is helpful here. At the time when this version of the bot came out (the one in my attachment), no AV could pick it up. That's about a year old now. Don't rely on AVs for that. The newest versions of these bots might still be invisible to AV scanners or other spyware tools.

    A lil rule of thumb here: never think you're safe, as it would lead to a lack of security. Be paranoid.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
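The netstat approach from the post above, as an added example that is not part of the thread: a small parser for Windows `netstat -an` output that pulls out every outbound TCP peer and flags connections heading for the ports IRC servers conventionally listen on. The sample netstat text and the addresses in it are constructed for the example; the port list is an assumption about where an IRC bot usually dials, and a bot configured for a nonstandard port only shows up in the full outbound summary, which is why both are returned.

```python
import re
from typing import Dict, List, Tuple

# Ports IRC servers conventionally listen on (assumption; an operator can
# pick any port, so every ESTABLISHED peer is also reported for review).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Constructed sample of Windows `netstat -an` output, for illustration only.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1045      10.0.0.5:6667          ESTABLISHED
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1046      203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.10:1047      203.0.113.9:7000       SYN_SENT
  UDP    192.168.1.10:137       *:*
"""

# proto, local addr:port, foreign addr:port, optional state (UDP has none)
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -an text into a list of connection records."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header lines and blanks
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        entries.append({
            "proto": proto,
            "local": laddr,
            "lport": int(lport) if lport.isdigit() else None,
            "foreign": faddr,
            "fport": int(fport) if fport.isdigit() else None,
            "state": state or "",
        })
    return entries


def suspicious_connections(entries, irc_ports=IRC_PORTS):
    """TCP connections that are connected, or trying to connect, to an IRC port."""
    return [e for e in entries
            if e["proto"] == "TCP"
            and e["fport"] in irc_ports
            and e["state"] in ("ESTABLISHED", "SYN_SENT")]


def outbound_summary(entries) -> List[Tuple[str, int]]:
    """Every established TCP peer, regardless of port, for manual review."""
    return sorted({(e["foreign"], e["fport"]) for e in entries
                   if e["proto"] == "TCP" and e["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for e in suspicious_connections(parsed):
        print(f"IRC-port connection: {e['foreign']}:{e['fport']} ({e['state']})")
    print("all established peers:", outbound_summary(parsed))
```

Run it against a saved copy of `netstat -an` taken while the suspect box is up; a bot that is waiting for a date or a remote trigger (as post #6 below points out) produces no line at all, so an empty result is not proof of a clean machine.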

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    27
    Hehe, I'm very paranoid, but after a week of having it running on a PI 133MHz without seeing any traffic at all, I'm.. kinda getting the feeling this is some kinda hoax. Perhaps that trojan scanner is messing with me. And yea, that's Ethereal running through the whole week; it shoulda picked up something if it was a trojan..

  6. #6
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    Not necessarily -- if the trojan has a timebomb where it will activate on a certain date, or has to be enabled by some remote command through a backdoor it opens, then it wouldn't show any traffic.
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One. Use Hardened Gentoo.
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  7. #7
    Junior Member
    Join Date
    Oct 2002
    Posts
    27
    Ok, I'll just leave it running and log everything that goes on then. After all, it's interesting seeing what he was thinking of doing, and, well, he can mess as much as he wants with the old computer, which isn't doing anything anyway. But if he goes on to do something malicious which he knows I'd hate, then, well. At least I will know.

  8. #8
    Junior Member
    Join Date
    Oct 2002
    Posts
    27
    Gah, been looking through the source, and.. What a waste...

    So.
    Does anyone know of any ways to get some info from this trojan? It doesn't do anything atm, so I can't even see where it is supposed to connect to for commands. It would be fun compiling some kinda "honeypot" which responds to his commands by questioning what he's doing on my computer without asking me for permission.

    I have both .exe's (before and after melting), and, well.. It seems like it runs the standard syscfg32.exe registry startup, which should be a sign telling he hasn't altered the trojan too much.
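Since the poster has the unpacked ("melted") binary and wants to know where it is meant to connect, the usual static triage step is to pull the printable strings out of it: an SdBot-style bot carries its server, channel, port and password as compiled-in literals, and the registry autorun path and the file name it installs as (syscfg32.exe here) tend to be visible the same way. The following is an added example, not code from the thread, of a strings extractor with a small classifier for those IRC-bot indicators. The binary blob is constructed for the example and is not real malware; the categories and the regular expressions are the author's own heuristics, and a packed copy (the "before melting" one) will hide most of these strings, which is the caveat to keep in mind.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed stand-in for an unpacked bot .exe: binary noise with a few
# printable strings embedded the way a compiled-in config block would
# appear. Not real malware; every value here is made up for the example.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x01\x02\x03irc.example.test\x00\x7f\x11#botnet-chan\x00"
    b"\x00\x006667\x00\x05\x06botpass123\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"syscfg32.exe\x00\x90\x90NICK \x00JOIN \x00PRIVMSG \x00"
    b"\x41\x42\x00ab\x00"  # "AB" and "ab" are shorter than min_len and must be dropped
)

HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
IRC_VERBS = {"NICK", "JOIN", "PRIVMSG", "USER", "PASS", "PONG"}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII-only equivalent of the `strings` tool (UTF-16 strings are not handled)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify_indicators(strings: List[str]) -> Dict[str, list]:
    """Bucket strings into the things an IRC bot's config usually contains."""
    found = defaultdict(list)
    for s in strings:
        token = s.strip()
        # .exe check comes before the hostname check: "syscfg32.exe" would
        # otherwise match the hostname pattern.
        if token.lower().endswith(".exe"):
            found["exe_names"].append(token)
        elif HOST_RE.match(token):
            found["hosts"].append(token)
        elif token.startswith("#") and len(token) > 1 and " " not in token:
            found["channels"].append(token)
        elif token.isdigit() and 1 <= int(token) <= 65535:
            found["ports"].append(int(token))
        elif "currentversion\\run" in token.lower():
            found["autorun_keys"].append(token)
        elif token.split(" ", 1)[0].upper() in IRC_VERBS:
            found["irc_verbs"].append(token)
        else:
            found["other"].append(token)  # still worth reading by hand
    return dict(found)


def likely_irc_bot(report: Dict[str, list]) -> bool:
    """Crude verdict: a hostname plus either a channel or IRC protocol verbs."""
    return bool(report.get("hosts")) and bool(
        report.get("channels") or report.get("irc_verbs")
    )


if __name__ == "__main__":
    report = classify_indicators(extract_strings(SAMPLE_BINARY))
    for bucket, values in report.items():
        print(f"{bucket}: {values}")
    print("looks like an IRC bot:", likely_irc_bot(report))
```

Read `SAMPLE_BINARY` from the melted .exe instead (`open(path, "rb").read()`) to use it on the real file. The "other" bucket is deliberately kept: the bot password and any custom command names land there, and an empty "hosts" bucket on an unpacked sample usually means the configuration is obfuscated rather than absent.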
