Intrusion Detection FAQ: Detecting Trojan Programs that Use Email to Remotely Monitor Victim Systems

John Garris
April 4, 2001

Premise

There are a number of Trojan programs designed to covertly monitor activity on a victim host, typically by keystroke and screen capture, or by simple password stealing, on the Windows 95/98/NT operating systems. The Trojan then emails the results from the victim host to a specific email account at various intervals. Hiding stolen data inside "legitimate," high-volume outbound traffic (in this instance email) presents a real challenge to traditional network-based intrusion detection. To address this type of attack, a layered approach that integrates host-based and network-based intrusion detection systems offers the best solution for detection.

Review of Three Covert Monitoring Programs

The following is an overview of three programs that use email to surreptitiously extract information from victim hosts. A brief description of each program and sample output (sniffer capture and email) are provided below. All three programs are written to target MS Windows 95/98. The traffic was generated on a test network using an Infradig Mailserver (POP3) for delivery, with no DNS support. Traffic was captured by Snort in sniffer mode (-v and -d options). Additionally, recommended Snort rules are provided to detect specific signatures found in the traffic generated by these programs. Depending on the traffic load and the positioning of the Snort sensor, monitoring port 25 may prove impractical. This fact lends support to the premise of this paper.
  1. Barok v.1.0

    As outlined in the terse readme.txt file that comes with the download (reproduced below), which I found on antionline.com, the author "Spyder" claims the program can copy various cached passwords, as well as other information.

    barok v.1.0
    email password sender
    (ras and cache) passwords
    includes phone number, ip address, dns address, win address, etc...

    files:
    server.exe ---->> server (trojan)
    setup.exe ---->> configuration (client)(setup)


    copyright (c) 2000 GRAMMERSoft Group
    by: spyder
    email: spyder@super.net.ph

    Results of a DNS MX query for super.net.ph. The query indicates that the author "Spyder" is using a mail account hosted in the Philippines (.ph).

    Querying Mail routing information (mx) for super.net.ph - Mar 17, 2001
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43343
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; super.net.ph, type = MX, class = IN
    super.net.ph. 0S IN MX 10 casper.super.net.ph.

    Below is an email sent by the Barok Trojan and delivered to its destination email address. The Trojan successfully copied and transmitted the hostname, username, and IP address of the victim host; no RAS or cached passwords were available on the victim host for retrieval. For the purpose of developing a Snort rule to detect this traffic, we'll key on the "hard-coded" subject line: "PSWRD Sender Trojan."

    Return-Path: <cmorgan@192.168.1.1>
    Received: from preferred.192.168.1.1 ([192.168.1.11]) by 192.168.1.1
    with id 3AB2CCF8.00000135@192.168.1.1; Sat, 17 Mar 2001 02:33:28 GMT
    From: preferred-user@192.168.1.11
    To: cmorgan@192.168.1.1
    Subject: Barok.... PSWRD Sender Trojan
    X-Mailer: Barok... email PSWRD sender--- by: spyder
    Message-ID: <3AB2CCF8.00000135@192.168.1.1>
    Date: Sat, 17 Mar 2001 02:33:28 GMT

    Host: preferred-user
    Username: jg
    IP Address: 192.168.1.11

    RAS Passwords:


    Cache Passwords:

    Snort (in sniffer mode) capture of email traffic generated by Barok (see email above).

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    03/16-06:29:18.655601 192.168.1.11:1041 -> 192.168.1.1:25
    TCP TTL:128 TOS:0x0 ID:44291 IpLen:20 DgmLen:275 DF
    ***AP*** Seq: 0x455ED3 Ack: 0x50ACDD Win: 0x2117 TcpLen: 20
    54 6F 3A 20 63 6D 6F 72 67 61 6E 40 31 39 32 2E To: cmorgan@192.
    31 36 38 2E 31 2E 31 0D 0A 53 75 62 6A 65 63 74 168.1.1..Subject
    3A 20 42 61 72 6F 6B 2E 2E 2E 2E 20 50 53 57 52 : Barok.... PSWR
    44 20 53 65 6E 64 65 72 20 54 72 6F 6A 61 6E 0D D Sender Trojan.
    0A 58 2D 4D 61 69 6C 65 72 3A 20 42 61 72 6F 6B .X-Mailer: Barok
    2E 2E 2E 20 65 6D 61 69 6C 20 50 53 57 52 44 20 ... email PSWRD
    73 65 6E 64 65 72 2D 2D 2D 20 62 79 3A 20 73 70 sender--- by: sp
    79 64 65 72 0D 0A 0D 0A 48 6F 73 74 3A 20 70 72 yder....Host: pr
    65 66 65 72 72 65 64 2D 75 73 65 72 0D 0A 55 73 eferred-user..Us
    65 72 6E 61 6D 65 3A 20 44 65 66 61 75 6C 74 0D ername: Default.
    0A 49 50 20 41 64 64 72 65 73 73 3A 20 31 39 32 .IP Address: 192
    2E 31 36 38 2E 31 2E 31 31 0D 0A 0A 52 41 53 20 .168.1.11...RAS
    50 61 73 73 77 6F 72 64 73 3A 20 0D 0A 0A 0D 0A Passwords: .....
    43 61 63 68 65 20 50 61 73 73 77 6F 72 64 73 3A Cache Passwords:
    20 0D 0A 0A 0D 0A 0D 0A 2E 0D 0A ..........


    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

    The following is a recommended Snort content rule for detecting this activity. As Marty Roesch, the author of Snort, points out in his HowTo page on writing rules, content detection is computationally expensive, so we key on the short string "PSWRD Sender": intentionally brief to reduce CPU load, but unique enough to limit the number of false alarms.

    alert tcp $MYHOST.NET any -> any 25 (content: "PSWRD Sender"; msg: "Barok Email Trojan!";)

  2. Kuang2 pSender Full v0.34

    This program has a lighter-weight companion called Kuang2 pSender v0.21, but I opted to analyze the "Full" version available at www.11th.co.uk. The author "Weird" claims the program performs keystroke and screen capture and mails the results to a user-defined email address. It uses a setup program to define a number of variables, including the size of the keyboard buffer that triggers the results to be sent via email from the victim host.

    Below is an email sent by the Kuang2 Full Trojan and successfully delivered to its destination email address. The Trojan conducted a combined keystroke and screen capture and transmitted the information in this email. The payload begins with "c:\Trojans\sesame"… and ends with "[Welcome to the SESAME Control Center V1.02]." This email captures part of my keystroke activity while I was configuring another Trojan named Sesame (addressed in item 3 below). For the purpose of developing a Snort rule to detect this traffic, we'll key on the "hard-coded" subject line: "Kuang2 report." Note: the TCPDump display of the same information is omitted for brevity.

    Return-Path: <victim@192.168.1.2>
    Received: from preferred.192.168.1.1 ([192.168.1.11]) by 192.168.1.1
    with id 3AB2C615.00000084@192.168.1.1; Sat, 17 Mar 2001 02:04:05 GMT
    SUBJECT: Kuang2 report
    FROM: ku@ng.pSender
    Message-ID: <3AB2C615.00000084@192.168.1.1>
    Date: Sat, 17 Mar 2001 02:04:05 GMT

    -----
    c:\Trojans\sesame
    No new directory defined
    Win 95/98 detected
    15000
    c:\Trojans\sesame\history.txt
    cmorgan@192.168.1.1
    spy@bogus.com
    3
    OFF
    >password<
    [Welcome to the SESAME Control Center V1.02]
    ===

    # PREFERRED USER

    The following is a Snort content rule that will detect the Kuang2 signature string in outbound email from an infected system.

    alert tcp $MYHOST.NET any -> any 25 (content: "Kuang2"; msg: "Kuang2 Email Trojan!";)

  3. Sesame v1.02

    Sesame is an interesting program, since it does not appear to be innately malicious. However, like many security applications, it can easily be used in a malicious fashion. Since the program monitors changes in a targeted file on the host computer, it could be used to alert a system administrator to changes in key files. The author's ReadMe.txt file describes the program as a "Stealth Email SMTP Autosender ModulE" (sic); the full text is in Attachment 2. It is also worth noting that Sesame v1.02 does not claim to (nor appear to) perform keystroke or screen capture. However, it could very easily be packaged with a small keystroke capture program. If not being used as part of an organization's security policy, it would be an obvious threat.

    Fortunately for us, as with the examples above, this program (at least the unregistered version) uses a "hard-coded" subject line string in the email it sends; in this instance the string is "SESAME Email." The payload is always an attachment, specifically the file it was configured to monitor prior to installation. The Sesame v1.02 setup program allows a user to configure it to send out the targeted file on a system clock setting, after the file is altered, or after the file grows to a certain size. Our primary concern is that it could be configured to send out a keystroke log or password file after that file reaches a certain size or is altered. The email capture below depicts the transmission of the targeted file "Sensitive.txt" from the victim system.

    X-Registered-To: Peter T. Schmidt Software(PTS)
    Date: Sat, 17 Mar 2001 0:24 -0600
    To: <cmorgan@192.168.1.1>
    From: <spy@bogus.com>
    Subject: < SESAME Email (2) UNREGISTERED >
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="=====_4206312_====="
    Message-ID: <3AB2C9FC.000000E1@192.168.1.1>

    --=====_4206312_=====
    Content-Type: text/plain


    Please see attachment for the file.

    --=====_4206312_=====
    Content-Type: application/octet-stream; name="Sensitive.txt "
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="Sensitive.txt "

    dGhpcyBpcyBhIHRlc3QgdG8gc2VlIGl0IHNl
    c2FtZSBpcyBjYXB0dXJlaW5nbiBteSBzZWNyZXQg …..

    --=====_4206312_=====--

    Snort (in sniffer mode) capture of email traffic generated by Sesame (see email above).

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    03/16-06:23:38.021301 192.168.1.11:1040 -> 192.168.1.1:25
    TCP TTL:128 TOS:0x0 ID:32515 IpLen:20 DgmLen:82 DF
    ***AP*** Seq: 0x40097B Ack: 0x4B56CF Win: 0x211D TcpLen: 20
    53 75 62 6A 65 63 74 3A 20 3C 20 53 45 53 41 4D Subject: < SESAM
    45 20 45 6D 61 69 6C 20 28 32 29 20 55 4E 52 45 E Email (2) UNRE
    47 49 53 54 45 52 45 44 20 3E GISTERED >
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    The following is a Snort content rule that will detect the signature string in Sesame v1.02.

    alert tcp $MYHOST.NET any -> any 25 (content: "SESAME Email"; msg: "Sesame Stealth Emailer";)
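
To show how the three content rules above behave against the captures on this page, here is an added Python example (it is not part of the original paper and not Snort's own code). It reassembles the TCP payload from a Snort sniffer-mode (-v -d) hex dump and then applies the same three fixed strings the rules key on, exactly as a plain content match would. The two dumps embedded in it are the Barok and Sesame captures printed above; the signature table, the parsing rules and the function names are the example's own assumptions.

```python
import re

# The three fixed strings the Snort content rules above key on, mapped to
# each rule's alert message (table constructed for this example).
SIGNATURES = {
    "Barok Email Trojan!": b"PSWRD Sender",
    "Kuang2 Email Trojan!": b"Kuang2",
    "Sesame Stealth Emailer": b"SESAME Email",
}

# Leading run of two-digit hex pairs on a Snort -vd payload line.  A dump line
# carries at most 16 bytes, so the run is capped there; the ASCII column to the
# right is never a run of space-separated hex pairs, so it is not consumed.
HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")


def parse_snort_dump(dump: str) -> bytes:
    """Reassemble the TCP payload bytes from Snort sniffer-mode (-v -d) output.

    Packet header lines (timestamp line, 'TCP TTL:' line, flag/seq line) and
    the '=+=+' separators are skipped; from every other line only the leading
    hex pairs are decoded and appended in order.
    """
    payload = bytearray()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=+", "TCP TTL", "***")):
            continue
        m = HEX_RUN.match(line + " ")   # trailing space so the last pair matches
        if m is None:
            continue                    # e.g. the "03/16-06:29:18 ..." packet line
        payload.extend(bytes.fromhex(m.group(1)))
    return bytes(payload)


def scan_smtp_payload(payload: bytes) -> list:
    """Return the alert messages whose signature occurs in the payload.

    This is the network-side check the Snort rules perform: a byte-for-byte
    substring match, so a needle that is not literally in the email never fires.
    """
    return [msg for msg, needle in SIGNATURES.items() if needle in payload]


# Barok capture, copied from the Snort output reproduced earlier on this page.
BAROK_DUMP = """\
03/16-06:29:18.655601 192.168.1.11:1041 -> 192.168.1.1:25
TCP TTL:128 TOS:0x0 ID:44291 IpLen:20 DgmLen:275 DF
***AP*** Seq: 0x455ED3 Ack: 0x50ACDD Win: 0x2117 TcpLen: 20
54 6F 3A 20 63 6D 6F 72 67 61 6E 40 31 39 32 2E To: cmorgan@192.
31 36 38 2E 31 2E 31 0D 0A 53 75 62 6A 65 63 74 168.1.1..Subject
3A 20 42 61 72 6F 6B 2E 2E 2E 2E 20 50 53 57 52 : Barok.... PSWR
44 20 53 65 6E 64 65 72 20 54 72 6F 6A 61 6E 0D D Sender Trojan.
0A 58 2D 4D 61 69 6C 65 72 3A 20 42 61 72 6F 6B .X-Mailer: Barok
2E 2E 2E 20 65 6D 61 69 6C 20 50 53 57 52 44 20 ... email PSWRD
73 65 6E 64 65 72 2D 2D 2D 20 62 79 3A 20 73 70 sender--- by: sp
79 64 65 72 0D 0A 0D 0A 48 6F 73 74 3A 20 70 72 yder....Host: pr
65 66 65 72 72 65 64 2D 75 73 65 72 0D 0A 55 73 eferred-user..Us
65 72 6E 61 6D 65 3A 20 44 65 66 61 75 6C 74 0D ername: Default.
0A 49 50 20 41 64 64 72 65 73 73 3A 20 31 39 32 .IP Address: 192
2E 31 36 38 2E 31 2E 31 31 0D 0A 0A 52 41 53 20 .168.1.11...RAS
50 61 73 73 77 6F 72 64 73 3A 20 0D 0A 0A 0D 0A Passwords: .....
43 61 63 68 65 20 50 61 73 73 77 6F 72 64 73 3A Cache Passwords:
20 0D 0A 0A 0D 0A 0D 0A 2E 0D 0A ..........
"""

# Sesame capture, copied from the Snort output reproduced above.
SESAME_DUMP = """\
03/16-06:23:38.021301 192.168.1.11:1040 -> 192.168.1.1:25
TCP TTL:128 TOS:0x0 ID:32515 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x40097B Ack: 0x4B56CF Win: 0x211D TcpLen: 20
53 75 62 6A 65 63 74 3A 20 3C 20 53 45 53 41 4D Subject: < SESAM
45 20 45 6D 61 69 6C 20 28 32 29 20 55 4E 52 45 E Email (2) UNRE
47 49 53 54 45 52 45 44 20 3E GISTERED >
"""

if __name__ == "__main__":
    for name, dump in (("Barok", BAROK_DUMP), ("Sesame", SESAME_DUMP)):
        payload = parse_snort_dump(dump)
        print(f"{name}: {len(payload)} payload bytes -> {scan_smtp_payload(payload)}")
```

The reassembled Barok payload is 235 bytes, which agrees with the DgmLen of 275 less the 20-byte IP and 20-byte TCP headers, and only the "Barok Email Trojan!" signature fires on it; the Sesame capture fires only "Sesame Stealth Emailer". The same check also shows why the string in a content rule has to be copied exactly from the capture: a needle such as "PSWR Sender" (missing the D) never occurs in the Barok payload and would silently match nothing.
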

Conclusion

The use of email to transmit the results of covert monitoring of individual computers continues to present a challenge to traditional network-based intrusion detection systems, particularly those deployed in a medium to large enterprise. I could find no specific CVE for this form of attack. The closest was a CVE candidate, CAN-1999-0660: "A hacker utility or Trojan Horse installed on a system…" SANS has also published a paper on the ports often associated with Trojan programs. Although the Trojans Barok and Sesame are not listed in that paper, port 25 (SMTP) is listed as used by Kuang2 and a few other Trojans.

Given the difficulty of detecting this activity using conventional intrusion detection means, the most logical solution is a layered approach that combines network-based and host-based (more specifically, workstation-based) intrusion detection. Fortunately, anti-virus software can detect most of these freely available Trojans; however, neither McAfee nor Norton (at least the 2000 versions I used) detected the Sesame Stealth Emailer. This could be intentional, as Sesame can be used for legitimate security purposes.

Looking specifically at intrusion detection for the individual PC, a number of products provide effective host-based intrusion detection; BlackIce, ZoneAlarm, and TinyFirewall are among the more popular ones. To examine the effectiveness of this host-based approach, I installed ZoneAlarm on the victim host used in the traces of the three programs above. ZoneAlarm detected that all three programs requested WinSock access on the victim computer when they attempted to mail out their payloads (these detects were made with a ZoneAlarm Internet setting of "High"). Below is an excerpt from a log generated by ZoneAlarm; the relevant detects are the PE entries whose destination is port 25. These detects, as indicated by the event type PE, were requests by processes for WinSock access on the host (victim) OS. SPOOL64.EXE is the Barok Trojan, and the process "beta" is the Sesame v1.02 program.

ZoneAlarm Basic Logging Client v2.1.44
Windows 98-4.10.1998- -SP

type date time source destination transport
PE,2001/03/15,22:54:27 -6:00 GMT,Outlook Express,192.168.1.1:25,N/A
FWIN,2001/03/24,22:33:54 -6:00 GMT,192.168.1.1:1153,192.168.1.11:23,TCP
FWIN,2001/03/24,22:35:36 -6:00 GMT,192.168.1.1:1165,192.168.1.11:21,TCP
FWIN,2001/03/24,22:36:52 -6:00 GMT,192.168.1.1:1172,192.168.1.11:23,TCP
PE,2001/03/24,22:52:20 -6:00 GMT,Windows Explorer,127.0.0.1:1027,N/A
PE,2001/03/26,00:03:48 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:06:57 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:18:14 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:20:12 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:38:40 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
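
To show the host-based half of the layered approach in working code, here is an added Python example (not the paper's own code and not a ZoneAlarm tool). It parses the ZoneAlarm log excerpt above and flags every PE event whose destination is port 25 but whose source program is not an approved mail client, which is the triage a defender would do with such a log. The ten records are the ones printed above; the allowlist of mail clients, the field names and the function names are assumptions of the example.

```python
import csv
import io

# Programs permitted to open SMTP (port 25) connections from this workstation.
# Constructed allowlist for this example; the name is taken from the log above.
ALLOWED_SMTP_PROGRAMS = {"Outlook Express"}

# ZoneAlarm log excerpt reproduced from the output shown above.
ZONEALARM_LOG = """\
ZoneAlarm Basic Logging Client v2.1.44
Windows 98-4.10.1998- -SP

type date time source destination transport
PE,2001/03/15,22:54:27 -6:00 GMT,Outlook Express,192.168.1.1:25,N/A
FWIN,2001/03/24,22:33:54 -6:00 GMT,192.168.1.1:1153,192.168.1.11:23,TCP
FWIN,2001/03/24,22:35:36 -6:00 GMT,192.168.1.1:1165,192.168.1.11:21,TCP
FWIN,2001/03/24,22:36:52 -6:00 GMT,192.168.1.1:1172,192.168.1.11:23,TCP
PE,2001/03/24,22:52:20 -6:00 GMT,Windows Explorer,127.0.0.1:1027,N/A
PE,2001/03/26,00:03:48 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:06:57 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:18:14 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:20:12 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:38:40 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
"""

# Column names from the log's own header line.
FIELDS = ("type", "date", "time", "source", "destination", "transport")


def parse_zonealarm_log(text: str) -> list:
    """Return the log's event records as dicts keyed by FIELDS.

    The two banner lines and the space-separated column header are not
    six-field CSV rows, so they are dropped along with blank lines.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, row)))
    return records


def destination_port(dest: str) -> str:
    """'192.168.1.1:25' -> '25'; a destination without a port gives ''."""
    return dest.rpartition(":")[2] if ":" in dest else ""


def suspicious_smtp_programs(text: str, allowed=ALLOWED_SMTP_PROGRAMS) -> dict:
    """Count, per program, the PE events that reached port 25 unapproved.

    FWIN rows (inbound firewall events) and PE events to other ports are
    ignored; what remains is the short list to investigate on the host.
    """
    counts = {}
    for rec in parse_zonealarm_log(text):
        if rec["type"] != "PE" or destination_port(rec["destination"]) != "25":
            continue
        if rec["source"] in allowed:
            continue
        counts[rec["source"]] = counts.get(rec["source"], 0) + 1
    return counts


if __name__ == "__main__":
    for program, n in sorted(suspicious_smtp_programs(ZONEALARM_LOG).items()):
        print(f"{program}: {n} unapproved SMTP request(s)")
```

Run against the excerpt, the filter leaves exactly the two processes the paper identifies, SPOOL64.EXE (three requests) and beta (two), while the Outlook Express entry and the Windows Explorer loopback request drop out. Because the check keys on which process asked for the socket rather than on anything inside the email, it still works when a later version of a Trojan lets the user change the subject line and defeats the content rules.
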

All of these programs have unique signatures that make them detectable through content monitoring of outbound network traffic. However, monitoring a very active port, such as 25, may outstrip the capabilities of many network-based intrusion detection systems. Additionally, subsequent versions of these or similar Trojan programs may allow the user to configure all aspects of the email, eliminating the static signatures that traditional network-based intrusion detection relies on.