Intrusion Detection FAQ: A Look at Deep Throat

Updated March 9, 2000

Several reports have mentioned inbound UDP to port 2140. Analyst Matt Scarborough guides us on another look at Deep Throat, a Trojan Horse less glamorous but rivaling Back Orifice. http://www.sohons.com/deept/index.html

Using outbound source port 60000, the DT client sends UDP to port 2140. If successful in finding the DT server (compromised box) the DT client initiates a back door, BO-like remote session using ports 2140 and 3150. The log posted is typical of DT's client/server communication when connecting to a compromised box.

We have seen TCP 6670 and TCP 6671 interspersed amongst large-scale multi-port probes. Versions of DT server listen on ports TCP 6670 or TCP 6671 by default, making them detectable by common TCP port scanners.

If a TCP or UDP probe to one of the high listening ports reaches a DT server, DT phones home using ICQ. Either configured at build, or set by the DT handler during a remote session, DT encodes the ICQ User Identification Number in a DAT file in the %WINDIR%\System directory.

Once activated, either by passage of time or inbound port probe, DT negotiates a connection with wwp.mirabilis.com and notifies its maker by HTTP post:

Flags: 0x00

  Status: 0x00

  Length: 187

  Time: 08:08:12.336000 03/08/2000

Ethernet Header

  Dest: 00:00:00:00:00:00 [0-5]

  Src: 00:00:00:00:00:00 [6-11]

  Type: 08-00 IP [12-13]

IP Header - Internet Protocol Datagram

  Ver: 4 [14 Mask 0xf0]

  HLng: 5 [14 Mask 0xf]

  Prec: 0 [15 Mask 0xe0]

  TOS: %0000 [15 Mask 0x1e]

  Un: %0 [15 Mask 0x1]

  Lng: 169 [16-17]

  Id: 1024 [18-19]

  FrFg: %010 Do Not Fragment [20 Mask 0xe0]

  FrgO: 0 [20-22 Mask 0x1fffff]

  TTL: 128

  Type: 0x06 TCP [23]

  Sum: 0x2ff2 [24-25]

  Src: 00.00.00.00 [26-29]

  Dest: 205.188.147.55 [30-33]

  No Internet Datagram Options

TCP - Transport Control Protocol

  SPrt: 1027 [34-35]

  DPrt: 80 World Wide Web HTTP [36-37]

  Seq: 478158 [38-41]

  Ack: 1160820900 [42-45]

  Off: 5 [46 Mask 0xf0]

  Rsvd: %000000 [46 Mask 0xfc0]

  Code: %011000 Ack Push [47 Mask 0x3f]

  Win: 8576 [48-49]

  Sum: 0x4a34 [50-51]

  Urg: 0 [52-53]

  No TCP Options

HTTP - HyperText Transfer Protocol

  from=DTv3.1&from 66 72 6f 6d 3d 44 54 76 33 2e 31 26 66 72 6f 6d 

  [54-69]

  email=a@a.a&subj 65 6d 61 69 6c 3d 61 40 61 2e 61 26 73 75 62 6a 

  [70-85]

  ect=hi 08:08:11  65 63 74 3d 68 69 20 30 38 3a 30 38 3a 31 31 20 

  [86-101]

  2000-03-08&body= 32 30 30 30 2d 30 33 2d 30 38 26 62 6f 64 79 3d 

  [102-117]

  Hey Master Im Ba 48 65 79 20 4d 61 73 74 65 72 20 49 6d 20 42 61 

  [118-133]

  ck, My Ip is 192 63 6b 2c 20 4d 79 20 49 70 20 69 73 20 31 39 32 

  [134-149]

  .168.1.65 DTv3.1 2e 31 36 38 2e 31 2e 36 35 20 44 54 76 33 2e 31 

  [150-165]

  &to=66816189&sen 26 74 6f 3d 36 36 38 31 36 31 38 39 26 73 65 6e 

  [166-181]

  d                64 [182]

CkSeq: 0x00000000

This results in the BadGuy receiving this ICQ page:

Since source code for DT is available, these ports are changeable. The DT distributor's website includes instructions and wrappers for disguising DT's installation within another Windows executable such as a game.

The significant issue here is that DT can be configured at build to announce its presence instead of waiting for a prober to find it. Alternatively, DT can be configured at build to listen on a port frequently probed by hackers. In either case, DT handlers can passively wait for confirmation that their Trojan is up, running, and waiting for exploitation.

< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >

top^

Check Them Out!

SANS training gives me the tools I need to do my job.
-Michael Hiramoto, NCI

Intrusion Detection FAQ: A Look at Deep Throat

Check Them Out!

Latest Whitepapers

Latest Tweets

Contact Us