February 25th, 2007, 11:27 PM
Unknown Trojan (reaching out to kicker555.no-ip.info)
Hey all, long time no see.
I've discovered a trojan that may include a keylogger on one of my computers today. Quite by accident while repairing some damage done to my DSL modem (my fault!), I noticed it logs the addresses of all websites that computers on my internal network are trying to reach.
Watching my traffic with Wireshark, I notice a number of DNS resolution queries for kicker555.no-ip.info. That's a dynamic domain provider, resolving the particular domain to 18.104.22.168 (as of today). After the resolution completes the infected PC contacts that IP address on port 81. A scan of that address/port show it to be filtered, with a service running (nmap reports it as hosts2-ns - a nameserver?)
I suspect there may be a keylogger because a Google search on some terms (like the IP address and DNS name) have returned a few results - some saw files with their keystrokes.
There's very, very little information out there, no one has really removed or researched it. Of course, SpyBot S&D and Symantac AV find nothing.
Any suggestions? I'd like to figure out what running services are triggering those DNS queries, where the binaries exist, and eventually how I got them here.
At this point I've used my network hardware to block any activity to those domains, but I know the trojan is still active on this system.
By GbinaryR in forum AntiVirus Discussions
Last Post: October 30th, 2008, 10:33 AM
By ThePreacher in forum Miscellaneous Security Discussions
Last Post: December 14th, 2006, 09:37 PM
By MrLinus in forum AntiVirus Discussions
Last Post: October 12th, 2004, 06:26 AM
By LordChaos in forum Firewall & Honeypot Discussions
Last Post: October 4th, 2002, 12:58 PM
By [WebCarnage] in forum Security Archives
Last Post: January 10th, 2002, 09:10 PM