Updated March 9, 2000
Several reports have mentioned inbound UDP to port 2140. Analyst Matt Scarborough guides us on another look at Deep Throat, a Trojan Horse less glamorous but rivaling Back Orifice. http://www.sohons.com/deept/index.html
Using outbound source port 60000, the DT client sends UDP to port 2140. If successful in finding the DT server (compromised box) the DT client initiates a back door, BO-like remote session using ports 2140 and 3150. The log posted is typical of DT's client/server communication when connecting to a compromised box.
We have seen TCP 6670 and TCP 6671 interspersed amongst large-scale multi-port probes. Versions of DT server listen on ports TCP 6670 or TCP 6671 by default, making them detectable by common TCP port scanners.
If a TCP or UDP probe to one of the high listening ports reaches a DT server, DT phones home using ICQ. Either configured at build, or set by the DT handler during a remote session, DT encodes the ICQ User Identification Number in a DAT file in the %WINDIR%\System directory.
Once activated, either by passage of time or inbound port probe, DT negotiates a connection with wwp.mirabilis.com and notifies its maker by HTTP post:
This results in the BadGuy receiving this ICQ page:
Since source code for DT is available, these ports are changeable. The DT distributor's website includes instructions and wrappers for disguising DT's installation within another Windows executable such as a game.
The significant issue here is that DT can be configured at build to announce its presence instead of waiting for a prober to find it. Alternatively, DT can be configured at build to listen on a port frequently probed by hackers. In either case, DT handlers can passively wait for confirmation that their Trojan is up, running, and waiting for exploitation.