
Intrusion Detection FAQ: A Look at Deep Throat

Updated March 9, 2000

Several reports have mentioned inbound UDP to port 2140. Analyst Matt Scarborough guides us on another look at Deep Throat, a Trojan Horse less glamorous but rivaling Back Orifice. http://www.sohons.com/deept/index.html

Using outbound source port 60000, the DT client sends UDP to port 2140. If it finds a DT server (a compromised box), the DT client opens a BO-like back-door remote session using ports 2140 and 3150. The log posted is typical of DT's client/server communication when connecting to a compromised box.

We have seen TCP 6670 and TCP 6671 interspersed amongst large-scale multi-port probes. Versions of DT server listen on ports TCP 6670 or TCP 6671 by default, making them detectable by common TCP port scanners.

If a TCP or UDP probe to one of the high listening ports reaches a DT server, DT phones home using ICQ. DT stores the ICQ User Identification Number, either configured at build or set by the DT handler during a remote session, encoded in a DAT file in the %WINDIR%\System directory.

Once activated, either by passage of time or inbound port probe, DT negotiates a connection with wwp.mirabilis.com and notifies its maker by HTTP post:

Flags: 0x00
  Status: 0x00
  Length: 187
  Time: 08:08:12.336000 03/08/2000
Ethernet Header
  Dest: 00:00:00:00:00:00 [0-5]
  Src: 00:00:00:00:00:00 [6-11]
  Type: 08-00 IP [12-13]
IP Header - Internet Protocol Datagram
  Ver: 4 [14 Mask 0xf0]
  HLng: 5 [14 Mask 0xf]
  Prec: 0 [15 Mask 0xe0]
  TOS: %0000 [15 Mask 0x1e]
  Un: %0 [15 Mask 0x1]
  Lng: 169 [16-17]
  Id: 1024 [18-19]
  FrFg: %010 Do Not Fragment [20 Mask 0xe0]
  FrgO: 0 [20-22 Mask 0x1fffff]
  TTL: 128
  Type: 0x06 TCP [23]
  Sum: 0x2ff2 [24-25]
  Src: 00.00.00.00 [26-29]
  Dest: 205.188.147.55 [30-33]
  No Internet Datagram Options
TCP - Transport Control Protocol
  SPrt: 1027 [34-35]
  DPrt: 80 World Wide Web HTTP [36-37]
  Seq: 478158 [38-41]
  Ack: 1160820900 [42-45]
  Off: 5 [46 Mask 0xf0]
  Rsvd: %000000 [46 Mask 0xfc0]
  Code: %011000 Ack Push [47 Mask 0x3f]
  Win: 8576 [48-49]
  Sum: 0x4a34 [50-51]
  Urg: 0 [52-53]
  No TCP Options
HTTP - HyperText Transfer Protocol
  from=DTv3.1&from 66 72 6f 6d 3d 44 54 76 33 2e 31 26 66 72 6f 6d
  [54-69]
  email=a@a.a&subj 65 6d 61 69 6c 3d 61 40 61 2e 61 26 73 75 62 6a
  [70-85]
  ect=hi 08:08:11  65 63 74 3d 68 69 20 30 38 3a 30 38 3a 31 31 20
  [86-101]
  2000-03-08&body= 32 30 30 30 2d 30 33 2d 30 38 26 62 6f 64 79 3d
  [102-117]
  Hey Master Im Ba 48 65 79 20 4d 61 73 74 65 72 20 49 6d 20 42 61
  [118-133]
  ck, My Ip is 192 63 6b 2c 20 4d 79 20 49 70 20 69 73 20 31 39 32
  [134-149]
  .168.1.65 DTv3.1 2e 31 36 38 2e 31 2e 36 35 20 44 54 76 33 2e 31
  [150-165]
  &to=66816189&sen 26 74 6f 3d 36 36 38 31 36 31 38 39 26 73 65 6e
  [166-181]
  d                64 [182]
CkSeq: 0x00000000

This results in the BadGuy receiving this ICQ page:

[ICQ page screenshot not reproduced here]

Since source code for DT is available, these ports are changeable. The DT distributor's website includes instructions and wrappers for disguising DT's installation within another Windows executable such as a game.

The significant issue here is that DT can be configured at build to announce its presence instead of waiting for a prober to find it. Alternatively, DT can be configured at build to listen on a port frequently probed by hackers. In either case, DT handlers can passively wait for confirmation that their Trojan is up, running, and waiting for exploitation.
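As an added detection example (not code from the SANS FAQ or from the DT distributor), the following Python labels flow records against the port indicators given above and parses the phone-home POST body shown in the decode to recover what the handler learns. The sample body is reconstructed from the hex column of the decode; the check against the wwp.mirabilis.com host name is an assumption drawn from the text, since the decode only shows the destination IP.

```python
"""Deep Throat (DT) detection helpers. Added example, not SANS or DT code."""
import re
from urllib.parse import parse_qs

# Ports the article attributes to DT: client source port, UDP target port,
# and the default TCP listener ports of the DT server.
DT_CLIENT_SPORT = 60000
DT_UDP_PORT = 2140
DT_TCP_LISTENERS = {6670, 6671}
ICQ_WEB_HOST = "wwp.mirabilis.com"   # host named in the article (assumed check)

# Constructed from the HTTP decode above (frame bytes 54-182, hex column).
SAMPLE_POST_BODY = (
    "from=DTv3.1&fromemail=a@a.a&subject=hi 08:08:11 2000-03-08"
    "&body=Hey Master Im Back, My Ip is 192.168.1.65 DTv3.1"
    "&to=66816189&send"
)

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
VERSION_RE = re.compile(r"^DTv[\d.]+$")


def classify_flow(proto, sport, dport, dst_host=None):
    """Label one flow record with the DT indicator it matches, else None."""
    proto = proto.lower()
    if proto == "udp" and sport == DT_CLIENT_SPORT and dport == DT_UDP_PORT:
        return "dt-client-probe"
    if proto == "tcp" and dport in DT_TCP_LISTENERS:
        return "dt-listener-probe"
    if proto == "tcp" and dport == 80 and dst_host == ICQ_WEB_HOST:
        return "possible-dt-phone-home"   # confirm with parse_dt_phone_home
    return None


def parse_dt_phone_home(post_body):
    """Extract what the handler learns from DT's ICQ page, or None if the
    POST body is not in DT's announcement format."""
    fields = {k: v[0] for k, v in
              parse_qs(post_body, keep_blank_values=True).items()}
    if not VERSION_RE.match(fields.get("from", "")) or "to" not in fields:
        return None
    ip = IP_RE.search(fields.get("body", ""))
    return {
        "version": fields["from"],
        "handler_uin": fields["to"],   # ICQ UIN the page is delivered to
        "victim_ip": ip.group(1) if ip else None,
        "subject": fields.get("subject", ""),
    }


if __name__ == "__main__":
    print(classify_flow("udp", 60000, 2140))
    print(parse_dt_phone_home(SAMPLE_POST_BODY))
```

Because DT's source is available and its ports are changeable, the payload signature is the more durable of the two indicators; the port matches are only a first filter.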