ACK Tunneling Trojans

Discussion in 'malware problems & news' started by Paul Wilders, Feb 25, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Read the full story here:

    www.securiteam.com/securityreviews/5OP0P156AE.html
     
  2. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Ah, didn't know you posted this.  I was just reading this a few moments ago and was about to post it here.  Anyhow.....

    My assessment:  I only have one Win 2k box at home.  For the heck of it, I ran the server and the client on it.  ZAP prompted me after I executed the client, but not the server.  On my WinME box, ZAP prompted me on the server but then the server just died.
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    That's interesting indeed!

    regards.

    paul
     
  4. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    What is also interesting is that NOD32 AMON picked it up immediately, and TDS-3 did not with the 11373 references update.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    mmm..a big plus for NOD32  ;). Personally, I didn't check having TDS enabled. Question to be answered for DCS..

    regards,

    paul
     
  6. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Yeah I was quite impressed.  I'm very glad I went with NOD32.  
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Paul? AckCmd is a relatively old demo (2000), it has been detected by TDS since its release -

    Trojan Client\EditServer found: RAT.AckCmd 1.0 (Client)
     File: t:\analyse\ackcmd\ackcmdc.exe

    Positive identification: RAT.AckCmd 1.0
     File: t:\analyse\ackcmd\ackcmds.exe
     
  8. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Wayne, I have execution protection enabled on my system and when I ran ackcmds.exe and ackcmdc.exe TDS-3 alert me.  Why did it not alert me if it is in the database?
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Not too sure Zhen, I just tested it here and it worked fine. I've just switched you over from Senior Member to Beta Tester at the private DCS forum so you'll be able to access the Beta Test forum there now - feel free to try our new kernel-level execution hook vs AckCmd :)
    There are some strange compatibility issues with the TDS3 execution hook as it uses several Microsoft components that unfortunately aren't friendly on all flavours of Windows at all times. It works fine for most people, but as we aren't in control of those Microsoft components we took the gamble to go into undocumented kernel territory to create our own hook. Mission now accomplished, but the general public won't be able to see it in action until the first release of TDS4/WG4.
     
    As far as "ACK tunneling" goes, despite the age of Arne Vidstrom's report, ACKCmd is still the only demo or trojan that has ever used this technique so it's not something to lose sleep over, but I believe most firewall vendors addressed the issue back then when it was more of an issue, and it's more a firewall issue than an anti-trojan issue - the only thing making it different from any other trojan is how it sends packets on networks, and as such that side of it can only be handled by an IDS or firewall. As far as intercepting its execution before allowing it to execute, yes that's the job of anti-virus/anti-trojan software - execution protection, something which can't be handled by firewalls or IDS :)

    Best,
    Wayne
     
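Wayne's point above is that ACK tunneling is a firewall problem, not an anti-trojan problem: AckCmd talks only in ACK-flagged TCP segments, and a filter that lets any non-SYN packet in (so that replies to outbound connections work) will pass them. The script below is an added illustration of that, not code from the SecuriTeam article, from AckCmd or from any of the products discussed. The addresses, ports and payloads are constructed for the example, and the two filters are toy models of a stateless "established" rule and a stateful connection table.

```python
"""Constructed packets and two toy filters showing why ACK tunneling
(a trojan that talks only in ACK-flagged TCP segments) passes a
stateless 'established' rule but not a stateful connection table.
Added example; not code from the article or any product."""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10

# Assumed addresses for the illustration (not from the article).
INSIDE = "10.0.0.5"          # protected host running the trojan server
WEB = "93.184.216.34"        # a legitimate web server the host talks to
ATTACKER = "203.0.113.9"     # ACK-tunnel client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

    @property
    def inbound(self) -> bool:
        return self.dst == INSIDE

    @property
    def pure_syn(self) -> bool:
        return bool(self.flags & SYN) and not (self.flags & ACK)


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule: block inbound connection attempts (pure SYN) and
    let everything else in so replies to outbound connections work.
    Any inbound ACK-flagged packet passes, connection or not."""
    if not pkt.inbound:
        return True
    return not pkt.pure_syn


class StatefulFilter:
    """Tracks connections opened from the inside; an inbound packet is
    allowed only when it matches one of them."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.pure_syn:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed traffic: a normal HTTP exchange, then an ACK-tunnel command
# arriving although no SYN was ever sent in either direction.
TRAFFIC = [
    Packet(INSIDE, 40000, WEB, 80, SYN),
    Packet(WEB, 80, INSIDE, 40000, SYN | ACK),
    Packet(INSIDE, 40000, WEB, 80, ACK, b"GET / HTTP/1.0\r\n\r\n"),
    Packet(WEB, 80, INSIDE, 40000, ACK, b"HTTP/1.0 200 OK\r\n"),
    Packet(ATTACKER, 1054, INSIDE, 2222, ACK, b"dir c:\\\r\n"),
    Packet(INSIDE, 2222, ATTACKER, 1054, ACK, b" Volume in drive C"),
]


def verdicts(packets: list[Packet]) -> dict[str, list[bool]]:
    """Run both filters over the traffic; per-packet allow (True) / drop."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_allow(p) for p in packets],
        "stateful": [stateful.allow(p) for p in packets],
    }


def tunnel_leaks(packets: list[Packet], allowed: list[bool]) -> list[bytes]:
    """Inbound payloads a filter let through that belong to no connection
    opened from the inside, i.e. what the ACK tunnel actually delivers."""
    tracker = StatefulFilter()
    leaked = []
    for p, ok in zip(packets, allowed):
        legit = tracker.allow(p)
        if ok and p.inbound and not legit:
            leaked.append(p.payload)
    return leaked


if __name__ == "__main__":
    v = verdicts(TRAFFIC)
    for p, a, b in zip(TRAFFIC, v["stateless"], v["stateful"]):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} flags={p.flags:#04x} "
              f"stateless={'pass' if a else 'drop'} stateful={'pass' if b else 'drop'}")
    print("leaked past stateless filter:", tunnel_leaks(TRAFFIC, v["stateless"]))
```

The stateless filter passes every packet, including the attacker's ACK-only command; the stateful one drops it because no matching connection was ever opened from the inside. Note that the trojan's reply on the last line is still allowed out by both filters, since neither restricts egress: that is the part a host-based execution block or an IDS has to cover, which is the division of labour Wayne describes.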
  10. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Thanks Wayne.. I'll jump into the beta forum tomorrow and try to run some tests.
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I downloaded that file, NOD32 crawled all over it. At this point, TDS-3 can't get to it because NOD32 already locked it. Amon wouldn't let me run it at all (caught it in the zip) so it doesn't really matter.

    Regardless of which security program catches a file, it only needs to be caught once. It matters little to me which one it was. I am sure TDS-3 would have found it but I choose to try NOD32 first.

    Point is, this ACK attack sh!t isn't likely to be successful on my machine, not with all this security stuff running.
     
  12. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Yes, there is only one location I have set that AMON doesn't monitor at all.  It is in the folder I place files like these for special testing.  On another machine, AMON tagged it immediately.  But on my protected directory machine, TDS-3 missed it.

    I'll test later today using the beta.
     