Unknown Trojan (reaching out to kicker555.no-ip.info)
  1. #1

    Unknown Trojan (reaching out to kicker555.no-ip.info)

    Hey all, long time no see.

    I've discovered a trojan that may include a keylogger on one of my computers today. Quite by accident while repairing some damage done to my DSL modem (my fault!), I noticed it logs the addresses of all websites that computers on my internal network are trying to reach.

    Watching my traffic with Wireshark, I notice a number of DNS resolution queries for kicker555.no-ip.info. That's a dynamic domain provider, resolving the particular domain to 8.4.112.108 (as of today). After the resolution completes the infected PC contacts that IP address on port 81. A scan of that address/port shows it to be filtered, with a service running (nmap reports it as hosts2-ns - a nameserver?).

    I suspect there may be a keylogger because a Google search on some terms (like the IP address and DNS name) has returned a few results - some saw files with their keystrokes.

    There's very, very little information out there; no one has really removed or researched it. Of course, SpyBot S&D and Symantec AV find nothing.

    Any suggestions? I'd like to figure out what running services are triggering those DNS queries, where the binaries exist, and eventually how I got them here.

    At this point I've used my network hardware to block any activity to those domains, but I know the trojan is still active on this system.
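    The pattern described in this post (a host resolving a dynamic-DNS name and then connecting to the returned address on port 81, repeatedly) is easy to pick out once DNS answers and connections are in one event stream. The script below is an added example, not code from the thread: it correlates constructed one-line-per-event log lines (the domain and address are the ones reported above; the internal hosts, timestamps and other traffic are made up) and reports which internal host is beaconing and how often. The dynamic-DNS suffix list and the five-minute correlation window are assumptions chosen for the illustration.

```python
"""Correlate DNS answers with follow-on TCP connections to spot a beacon:
a host resolves a dynamic-DNS name, then connects to the answer on an odd
port. Added example; the log format below is constructed for it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Two shapes:
#   "<time> <src_ip> DNS <name> -> <answer>"
#   "<time> <src_ip> TCP <dst_ip>:<dst_port>"
# Only the domain and the 8.4.112.108 address come from the thread.
SAMPLE_LOG = """\
2007-02-25T21:14:02 192.168.1.20 DNS www.example.com -> 93.184.216.34
2007-02-25T21:14:03 192.168.1.20 TCP 93.184.216.34:80
2007-02-25T21:14:10 192.168.1.35 DNS kicker555.no-ip.info -> 8.4.112.108
2007-02-25T21:14:11 192.168.1.35 TCP 8.4.112.108:81
2007-02-25T21:19:10 192.168.1.35 DNS kicker555.no-ip.info -> 8.4.112.108
2007-02-25T21:19:11 192.168.1.35 TCP 8.4.112.108:81
2007-02-25T21:20:00 192.168.1.20 TCP 8.4.112.108:443
"""

# Assumption: a short illustrative list of dynamic-DNS suffixes, not an
# authoritative one. Matched as ".<suffix>" so "xno-ip.info" does not hit.
DYNDNS_SUFFIXES = tuple("." + s for s in
                        ("no-ip.info", "no-ip.org", "no-ip.biz", "dyndns.org"))

DNS_RE = re.compile(r"^(\S+) (\S+) DNS (\S+) -> (\S+)$")
TCP_RE = re.compile(r"^(\S+) (\S+) TCP (\S+):(\d+)$")


def correlate(log_text, window=timedelta(minutes=5), suspicious_ports=(81,)):
    """Return alerts as (src, domain, dst_ip, port, count) tuples.

    An alert is raised when a host connects, within `window` of resolving
    a dynamic-DNS name, to the address that name resolved to, on one of
    `suspicious_ports`. The count shows the beacon cadence."""
    resolutions = defaultdict(list)   # src -> [(time, name, answer), ...]
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            ts, src, name, answer = m.groups()
            if name.endswith(DYNDNS_SUFFIXES):
                resolutions[src].append((datetime.fromisoformat(ts), name, answer))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        ts, src, dst, port = m.groups()
        port = int(port)
        if port not in suspicious_ports:
            continue
        t = datetime.fromisoformat(ts)
        # Match the connection to the most relevant earlier resolution.
        for rt, name, answer in resolutions[src]:
            if answer == dst and timedelta(0) <= t - rt <= window:
                hits[(src, name, dst, port)] += 1
                break
    return [(k[0], k[1], k[2], k[3], n) for k, n in sorted(hits.items())]


if __name__ == "__main__":
    for src, name, ip, port, n in correlate(SAMPLE_LOG):
        print(f"{src} resolved {name} -> {ip} then connected to port {port} ({n}x)")
```

    Run as-is it reports the single internal host talking to port 81 twice in the sample; on a real export you would feed it the DNS and connection events from the capture and widen the port list to whatever the blocked traffic used.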

  2. #2
    brokencrow (Dissident 4dm1n), joined Feb 2004, Shawnee country, 1,242 posts
    8.4.112.108? D@mn, that ip address belongs to Level3. S-t-r-a-n-g-e,
    they're a "backbone" outfit. Hard to imagine much rogue traffic coming
    or going from them.

    Run an online scan: Panda and Trendmicro are good. Might also try AVG's
    anti-spyware. I believe an app like Activescan or TCPview will give you the
    .exe accessing that ip address if you are watching it. MS's port reporter
    would log the app probably. Sounds like you got your work cut out for you.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    TCPview isn't really telling me anything - if there's a rootkit involved it wouldn't surprise me if it's hiding itself from WinXP. That IP address may be registered to Level3, but I'm guessing they've partitioned it out and leased part of it off...

    I'll check into the online scanners, though. Thanks. Maybe rootkit revealer can help..

  4. #4
    brokencrow (Dissident 4dm1n), joined Feb 2004, Shawnee country, 1,242 posts
    Whoops, Activescan, meant Active Ports.

    Yeah, I didn't think about it until after I posted, but TCPview, Port Reporter
    and Active Ports aren't going to give you anything until they connect with
    an ip address. And apparently you got this stuff blocked.

    I'd tread lightly around any Level3 ip's. I know for a fact they do some DoD
    work. You never know what's going into those logfiles.

    edit -- you might try IceSword. Latest is v1.20.
    Last edited by brokencrow; February 26th, 2007 at 03:59 AM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #5

    Got it..

    The Trendmicro site you pointed me toward got me on the right track. After a little looking around I found it out to be this:

    <snip>
    Discovered: February 18, 2007
    Updated: February 19, 2007 2:48:01 AM
    Type: Trojan
    Infection Length: 29,053 Bytes
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

    When the Trojan is first installed, it creates the following files:
    %ProgramFiles%\Bifrost\server.exe
    %ProgramFiles%\Bifrost\klog.dat

    The Trojan then creates the following registry entry so that it runs every time Windows starts:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}\"stubpath" = "%ProgramFiles%\Bifrost\server.exe s"

    It then creates the following registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
    HKEY_CURRENT_USER\Software\Bifrost

    The Trojan launches Internet Explorer in hidden mode and injects itself into the iexplorer.exe process in an attempt to bypass any firewall that may be running.

    It then opens a back door by contacting the [REMOVED]-life.no-ip.info domain through TCP port 81 allowing it to perform various actions on the compromised computer, such as downloading files from and to the Internet, and stealing confidential information.
    </snip>

    Fairly recent, too, and it fits the M.O. of what I saw in the raw packets.

    ... now, as to the infection vector... where's my PC been?!

    Thanks for the insight, it helped.
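    The write-up quoted in this post gives concrete host indicators: an Active Setup "Installed Components" StubPath pointing at %ProgramFiles%\Bifrost\server.exe, and marker subkeys under HKLM\SOFTWARE\Bifrost and HKCU\Software\Bifrost. The script below is an added example, not code from the thread or from the write-up's vendor: it parses the text of a registry export (the sample export is constructed; only the Bifrost entries and the GUID come from the quoted text, and the other component GUID is a placeholder) and flags those indicators. The rule that any StubPath outside %SystemRoot% deserves review is an assumption for the example, since Active Setup is a common persistence location generally and not only for this Trojan.

```python
"""Check a Windows registry export (.reg text) for the Bifrost indicators
quoted in the thread: an Active Setup StubPath running server.exe and the
HKLM/HKCU Software\\Bifrost marker keys. Added example; the export is
constructed (placeholder GUID for the benign entry)."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="%SystemRoot%\\system32\\ie4uinit.exe -UserConfig"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
"stubpath"="%ProgramFiles%\\Bifrost\\server.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost]

[HKEY_CURRENT_USER\Software\Bifrost]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
# Indicators taken from the quoted write-up.
BIFROST_KEYS = {"HKEY_LOCAL_MACHINE\\SOFTWARE\\Bifrost",
                "HKEY_CURRENT_USER\\Software\\Bifrost"}
BIFROST_PATH_MARK = "\\bifrost\\server.exe"
# Assumption: stub paths that do not live under the Windows directory are
# worth a manual look even when they match no known indicator.
TRUSTED_PREFIXES = ("%systemroot%\\",)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} from a .reg export.

    Only REG_SZ string values are handled; .reg doubles backslashes, so
    they are collapsed back to single ones."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, value = m.groups()
            keys[current][name] = value.replace("\\\\", "\\")
    return keys


def find_indicators(reg_text):
    """Return (finding_type, key_path) pairs for every indicator seen."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key in BIFROST_KEYS:
            findings.append(("marker-key", key))
        if not key.upper().startswith(ACTIVE_SETUP.upper()):
            continue
        for name, value in values.items():
            if name.lower() != "stubpath":      # value name is case-insensitive
                continue
            low = value.lower()
            if BIFROST_PATH_MARK in low:
                findings.append(("bifrost-stubpath", key))
            elif not low.startswith(TRUSTED_PREFIXES):
                findings.append(("untrusted-stubpath", key))
    return findings


if __name__ == "__main__":
    for kind, key in find_indicators(SAMPLE_REG):
        print(f"{kind}: {key}")
```

    On a live box the input would be the output of `reg export` for the two hives; a rootkit that hides the keys from the registry API would not show up here, which is the same limitation the earlier TCPView discussion ran into.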

  6. #6
    e><ius (Member), joined Mar 2007, So.Cal., 61 posts
    Quote Originally Posted by brokencrow
    8.4.112.108? D@mn, that ip address belongs to Level3. S-t-r-a-n-g-e,
    they're a "backbone" outfit. Hard to imagine much rogue traffic coming
    or going from them.
    Level 3, same as leased rack-space/colocation hosting?

    So the trojan has access permission to the IP address, and all other clients are blocked. Can't you still track their location (or hosting company) if you have the IP? And if you contact the host, will they ban and take legal action against this guy, or void your inquiry? Just seems very ignorant leaving a direct path to himself... unless he's well protected. Explanations???

  7. #7
    D0pp139an93r (@ŢΜĮЙǐЅŦГǻţΩЯ), joined May 2003, St. Petersburg, FL, 1,694 posts
    Quote Originally Posted by brokencrow
    8.4.112.108? D@mn, that ip address belongs to Level3. S-t-r-a-n-g-e,
    they're a "backbone" outfit. Hard to imagine much rogue traffic coming
    or going from them.

    Run an online scan: Panda and Trendmicro are good. Might also try AVG's
    anti-spyware. I believe an app like Activescan or TCPview will give you the
    .exe accessing that ip address if you are watching it. MS's port reporter
    would log the app probably. Sounds like you got your work cut out for you.
    There are hundreds, if not thousands, of local ISPs whose users will resolve to a Level3 host.
    Real security doesn't come with an installer.

  8. #8
    e><ius (Member), joined Mar 2007, So.Cal., 61 posts
    Oh. Basically that hacker is real good. Good at faking you out!

  9. #9
    d34dl0k1 (Member), joined Mar 2007, 58 posts
    That netrange belongs to no-ip, silly rabbits. (lol @ DoD)

    http://ws.arin.net/whois/?queryinput...T-8-4-112-64-1
