February 25th, 2007, 11:27 PM
Unknown Trojan (reaching out to kicker555.no-ip.info)
Hey all, long time no see.
I've discovered a trojan that may include a keylogger on one of my computers today. Quite by accident while repairing some damage done to my DSL modem (my fault!), I noticed it logs the addresses of all websites that computers on my internal network are trying to reach.
Watching my traffic with Wireshark, I notice a number of DNS resolution queries for kicker555.no-ip.info. That's a dynamic domain provider, resolving the particular domain to 8.4.112.108 (as of today). After the resolution completes, the infected PC contacts that IP address on port 81. A scan of that address/port shows it to be filtered, with a service running (nmap reports it as hosts2-ns - a nameserver?)
I suspect there may be a keylogger because a Google search on some terms (like the IP address and DNS name) has returned a few results - some saw files with their keystrokes.
There's very, very little information out there; no one has really removed or researched it. Of course, SpyBot S&D and Symantec AV find nothing.
Any suggestions? I'd like to figure out what running services are triggering those DNS queries, where the binaries exist, and eventually how I got them here.
At this point I've used my network hardware to block any activity to those domains, but I know the trojan is still active on this system.
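As an added illustration (not from the original post), the following Python script applies the correlation described above: a DNS answer for a dynamic-DNS name followed by a TCP connection to the address it resolved to. It runs over constructed sample log lines; the log layout, internal host addresses and timestamps are assumptions, and only the domain, the resolved IP and port 81 come from the post.

```python
import re

# Constructed sample log lines (not from the original poster's capture), in a
# simplified "time src -> dst proto detail" layout resembling a tshark summary.
SAMPLE_LOG = """\
23:01:02 192.168.1.10 -> 192.168.1.1 DNS query A kicker555.no-ip.info
23:01:02 192.168.1.1 -> 192.168.1.10 DNS response A kicker555.no-ip.info 8.4.112.108
23:01:03 192.168.1.10 -> 8.4.112.108:81 TCP SYN
23:05:11 192.168.1.12 -> 192.168.1.1 DNS query A www.example.com
23:05:11 192.168.1.1 -> 192.168.1.12 DNS response A www.example.com 93.184.216.34
23:05:12 192.168.1.12 -> 93.184.216.34:80 TCP SYN
23:31:02 192.168.1.10 -> 192.168.1.1 DNS query A kicker555.no-ip.info
23:31:02 192.168.1.1 -> 192.168.1.10 DNS response A kicker555.no-ip.info 8.4.112.108
23:31:03 192.168.1.10 -> 8.4.112.108:81 TCP SYN
"""

DNS_RESP = re.compile(r"^(\S+) (\S+) -> (\S+) DNS response A (\S+) (\S+)$")
TCP_SYN = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) TCP SYN$")
DYNDNS_SUFFIXES = (".no-ip.info",)  # dynamic-DNS suffixes to flag (assumed watchlist)

def correlate(log_text, suffixes=DYNDNS_SUFFIXES):
    """Map each DNS answer to its name, then flag every TCP connection whose
    destination was resolved from a flagged suffix. Returns (time, src, name, ip, port)."""
    resolved = {}  # resolved IP -> most recent name that produced it
    hits = []
    for line in log_text.splitlines():
        m = DNS_RESP.match(line)
        if m:
            _, _, _, name, ip = m.groups()
            resolved[ip] = name
            continue
        m = TCP_SYN.match(line)
        if m:
            t, src, dst_ip, port = m.groups()
            name = resolved.get(dst_ip)
            if name and name.endswith(suffixes):
                hits.append((t, src, name, dst_ip, int(port)))
    return hits

def beacon_counts(hits):
    """Count flagged connections per (src, name, port); repeated hits from one
    internal host are the beaconing pattern to chase down on that machine."""
    counts = {}
    for _, src, name, _, port in hits:
        key = (src, name, port)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG), beacon_counts(correlate(SAMPLE_LOG)))
```

The host that shows up repeatedly in `beacon_counts` is the one to examine for the process behind the lookups; the normal-looking www.example.com traffic is deliberately left unflagged.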