Several reports have mentioned inbound UDP to port 2140. Analyst Matt Scarborough guides us on another look at Deep Throat, a Trojan Horse less glamorous but rivaling Back Orifice. http://www.sohons.com/deept/index.html
Using outbound source port 60000, the DT client sends UDP to port 2140. If it finds a DT server (a compromised box), the DT client initiates a back-door, BO-like remote session using ports 2140 and 3150. The log posted is typical of DT's client/server communication when connecting to a compromised box.
We have seen TCP 6670 and TCP 6671 interspersed amongst large-scale multi-port probes. Versions of DT server listen on ports TCP 6670 or TCP 6671 by default, making them detectable by common TCP port scanners.
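The two patterns described above (the UDP 60000 -> 2140 client probe with the 2140/3150 session that follows, and TCP probes to the default listener ports 6670/6671) are easy to pull out of flow logs. The following detector is an added example, not part of the original report or of DT; the port numbers are the report's, while the one-flow-per-line log format and the sample lines are constructed for the example.

```python
# Added example (not from the original report): flag Deep Throat (DT)
# traffic patterns in flow-log lines. Port numbers are those the report
# gives; the log-line format and the sample lines below are constructed.
import re
from typing import Dict, List, Optional

DT_CLIENT_SRC_PORT = 60000        # DT client's outbound UDP source port
DT_CONTROL_PORT = 2140            # UDP port the DT client probes
DT_SESSION_PORTS = {2140, 3150}   # ports used by the BO-like remote session
DT_DEFAULT_TCP_PORTS = {6670, 6671}  # default TCP listeners of DT server builds

# Constructed flow log: "<date> <time> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """
2000-03-08 08:07:55 UDP 10.0.0.5:60000 -> 192.168.1.65:2140
2000-03-08 08:07:56 UDP 192.168.1.65:2140 -> 10.0.0.5:60000
2000-03-08 08:07:57 UDP 10.0.0.5:60000 -> 192.168.1.65:3150
2000-03-08 08:09:01 TCP 10.0.0.9:4321 -> 192.168.1.70:6670
2000-03-08 08:09:02 TCP 10.0.0.9:4322 -> 192.168.1.70:6671
2000-03-08 08:09:03 TCP 10.0.0.9:4323 -> 192.168.1.70:80
2000-03-08 08:10:00 UDP 10.0.0.20:53 -> 192.168.1.1:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed flow line into its fields (ports as ints)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    flow: Dict[str, object] = m.groupdict()
    flow["sport"] = int(m.group("sport"))
    flow["dport"] = int(m.group("dport"))
    return flow


def classify(flow: Dict[str, object]) -> Optional[str]:
    """Return a DT tag for the flow, or None if it matches nothing."""
    proto, sport, dport = flow["proto"], flow["sport"], flow["dport"]
    if proto == "UDP":
        if sport == DT_CLIENT_SRC_PORT and dport == DT_CONTROL_PORT:
            return "dt-client-probe"        # DT client looking for a server
        if sport == DT_CONTROL_PORT and dport == DT_CLIENT_SRC_PORT:
            return "dt-server-reply"        # a box answered: likely compromised
        if dport in DT_SESSION_PORTS:
            return "dt-session-traffic"     # follow-on 2140/3150 session
    elif proto == "TCP" and dport in DT_DEFAULT_TCP_PORTS:
        return "dt-default-listener-probe"  # scanner trying default DT ports
    return None


def detect(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line and keep only the matching flows."""
    alerts = []
    for line in log_text.strip().splitlines():
        flow = parse_line(line)
        tag = classify(flow)
        if tag:
            alerts.append({**flow, "tag": tag})
    return alerts


def responding_hosts(alerts: List[Dict[str, object]]) -> List[str]:
    """Hosts that answered a DT probe: these need incident handling,
    whereas merely probed hosts only need to be checked."""
    return sorted({str(a["src"]) for a in alerts if a["tag"] == "dt-server-reply"})


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for a in hits:
        print(f'{a["ts"]} {a["tag"]:28} {a["src"]}:{a["sport"]} -> {a["dst"]}:{a["dport"]}')
    print("hosts that replied on 2140:", responding_hosts(hits))
```

A host that appears as the source of a `dt-server-reply` is the one worth treating as compromised; the probed destinations of the other tags only tell you who the scanner was interested in.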
If a TCP or UDP probe to one of the high listening ports reaches a DT server, DT phones home using ICQ. The ICQ User Identification Number (UIN), either configured at build time or set by the DT handler during a remote session, is stored by DT in a DAT file in the %WINDIR%\System directory.
Once activated, either by passage of time or inbound port probe, DT negotiates a connection with wwp.mirabilis.com and notifies its maker by HTTP post:
Flags: 0x00
Status: 0x00
Length: 187
Time: 08:08:12.336000 03/08/2000
Ethernet Header
Dest: 00:00:00:00:00:00 [0-5]
Src: 00:00:00:00:00:00 [6-11]
Type: 08-00 IP [12-13]
IP Header - Internet Protocol Datagram
Ver: 4 [14 Mask 0xf0]
HLng: 5 [14 Mask 0xf]
Prec: 0 [15 Mask 0xe0]
TOS: %0000 [15 Mask 0x1e]
Un: %0 [15 Mask 0x1]
Lng: 169 [16-17]
Id: 1024 [18-19]
FrFg: %010 Do Not Fragment [20 Mask 0xe0]
FrgO: 0 [20-22 Mask 0x1fffff]
TTL: 128
Type: 0x06 TCP [23]
Sum: 0x2ff2 [24-25]
Src: 00.00.00.00 [26-29]
Dest: 205.188.147.55 [30-33]
No Internet Datagram Options
TCP - Transport Control Protocol
SPrt: 1027 [34-35]
DPrt: 80 World Wide Web HTTP [36-37]
Seq: 478158 [38-41]
Ack: 1160820900 [42-45]
Off: 5 [46 Mask 0xf0]
Rsvd: %000000 [46 Mask 0xfc0]
Code: %011000 Ack Push [47 Mask 0x3f]
Win: 8576 [48-49]
Sum: 0x4a34 [50-51]
Urg: 0 [52-53]
No TCP Options
HTTP - HyperText Transfer Protocol
from=DTv3.1&from  66 72 6f 6d 3d 44 54 76 33 2e 31 26 66 72 6f 6d  [54-69]
email=a@a.a&subj  65 6d 61 69 6c 3d 61 40 61 2e 61 26 73 75 62 6a  [70-85]
ect=hi 08:08:11   65 63 74 3d 68 69 20 30 38 3a 30 38 3a 31 31 20  [86-101]
2000-03-08&body=  32 30 30 30 2d 30 33 2d 30 38 26 62 6f 64 79 3d  [102-117]
Hey Master Im Ba  48 65 79 20 4d 61 73 74 65 72 20 49 6d 20 42 61  [118-133]
ck, My Ip is 192  63 6b 2c 20 4d 79 20 49 70 20 69 73 20 31 39 32  [134-149]
.168.1.65 DTv3.1  2e 31 36 38 2e 31 2e 36 35 20 44 54 76 33 2e 31  [150-165]
&to=66816189&sen  26 74 6f 3d 36 36 38 31 36 31 38 39 26 73 65 6e  [166-181]
d                 64                                                [182]
CkSeq: 0x00000000
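The 129-byte HTTP body in the capture above (frame offsets 54-182) is a plain form post with literal spaces, so the fields a responder cares about, the handler's ICQ UIN in `to`, the victim's IP inside `body`, and the DT version in `from`, can be recovered with a few lines of code. The decoder below is an added example and not part of the report or of DT; the hex bytes are copied from the capture above, the field names are the ones that body carries, and the helper and function names are the example's own.

```python
# Added example (not from the original report): decode the DT "phone home"
# HTTP POST body from the report's hex dump and extract the indicators a
# responder wants (handler UIN, victim IP, DT version). Hex bytes are copied
# from the capture at frame offsets 54-182; everything else is constructed.
import re
from typing import Dict, Optional

DT_POST_HEX = """
66 72 6f 6d 3d 44 54 76 33 2e 31 26 66 72 6f 6d
65 6d 61 69 6c 3d 61 40 61 2e 61 26 73 75 62 6a
65 63 74 3d 68 69 20 30 38 3a 30 38 3a 31 31 20
32 30 30 30 2d 30 33 2d 30 38 26 62 6f 64 79 3d
48 65 79 20 4d 61 73 74 65 72 20 49 6d 20 42 61
63 6b 2c 20 4d 79 20 49 70 20 69 73 20 31 39 32
2e 31 36 38 2e 31 2e 36 35 20 44 54 76 33 2e 31
26 74 6f 3d 36 36 38 31 36 31 38 39 26 73 65 6e
64
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn space/newline separated hex pairs back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_form(body: bytes) -> Dict[str, Optional[str]]:
    """Split an x-www-form-urlencoded body into a dict.

    DT sends literal spaces rather than %xx escapes, so a plain split on
    '&' and '=' is enough here; a key with no '=' (like 'send') maps to None.
    """
    fields: Dict[str, Optional[str]] = {}
    for pair in body.decode("latin-1").split("&"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        fields[key] = value if sep else None
    return fields


def is_dt_phone_home(body: bytes) -> bool:
    """Cheap content check for the DT ICQ page: DTv* sender, a 'to' UIN
    and the trailing 'send' key that submits the page."""
    f = parse_form(body)
    return (f.get("from") or "").startswith("DTv") and "to" in f and "send" in f


def extract_indicators(body: bytes) -> Dict[str, Optional[str]]:
    """Pull the fields worth correlating out of a DT phone-home body."""
    f = parse_form(body)
    m = IP_RE.search(f.get("body") or "")
    return {
        "dt_version": f.get("from"),
        "handler_icq_uin": f.get("to"),     # the UIN DT was built/configured with
        "victim_ip": m.group(1) if m else None,
        "subject": f.get("subject"),
    }


if __name__ == "__main__":
    raw = hexdump_to_bytes(DT_POST_HEX)
    print(raw.decode("latin-1"))
    print("DT phone-home:", is_dt_phone_home(raw))
    for k, v in extract_indicators(raw).items():
        print(f"{k:16} {v}")
```

The recovered UIN is the value to pivot on: every victim built with the same DT binary pages the same handler, so a UIN seen once in a capture identifies the rest of that handler's infections when their phone-home posts are found.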
This results in the BadGuy receiving this ICQ page:
Since source code for DT is available, these ports are changeable. The DT distributor's website includes instructions and wrappers for disguising DT's installation within another Windows executable such as a game.
The significant issue here is that DT can be configured at build to announce its presence instead of waiting for a prober to find it. Alternatively, DT can be configured at build to listen on a port frequently probed by hackers. In either case, DT handlers can passively wait for confirmation that their Trojan is up, running, and waiting for exploitation.
