April 4, 2001
There are a number of Trojan programs designed to covertly monitor activity on a victim host, typically employing keystroke and screen capture, or simple password stealing, on Win95/98/NT systems. The results are then emailed from the victim host by the Trojan to a specific email account at various intervals. The use of "legitimate," high-volume outbound traffic (in this instance email) to carry data out of the victim host can present quite a challenge to traditional network-based intrusion detection. To address this type of attack, a layered approach that integrates host-based and network-based intrusion detection systems offers the best prospect of detection.
Review of Three Covert Monitoring Programs
The following is an overview of three programs that use email to surreptitiously extract information from victim hosts. A brief description of each program and sample output (sniffer and email) are provided below. All three programs are written to exploit MS Windows 95/98. The traffic was generated on a test network using an Infradig Mailserver (POP3) for delivery, with no DNS support. Traffic was captured by Snort in sniffer mode (-v and -d options). Additionally, recommended Snort rules are provided to detect specific signatures found in the traffic generated by these programs. Depending on the traffic load and the positioning of the Snort sensor, monitoring port 25 may prove impractical. This fact lends support to the premise of this paper.
As outlined in the terse readme.txt file that comes with the download (below) I found on antionline.com, the author "Spyder" claims the program can copy various cached passwords, as well as other information.
barok v.1.0
email password sender
(ras and cache) passwords
includes phone number, ip address, dns address, win address, etc...
server.exe ---->> server (trojan)
setup.exe ---->> configuration (client)(setup)
copyright (c) 2000 GRAMMERSoft Group
Results of DNS (mx) query for super.net.ph. This query indicates the author "Spyder" is using a mail account in the Philippines.
Querying Mail routing information (mx) for super.net.ph - Mar 17, 2001
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; super.net.ph, type = MX, class = IN
super.net.ph. 0S IN MX 10 casper.super.net.ph.
Below is an email sent by the Barok Trojan and delivered to its destination email address. The Trojan successfully copied and transmitted the hostname, username, and IP address of the victim host; no RAS or cached passwords were available on the victim host for retrieval. For the purpose of developing a Snort rule to detect this traffic, we'll key on the "hard-coded" subject line: "PSWRD Sender Trojan."
Return-Path: <email@example.com>
Received: from preferred.192.168.1.1 ([192.168.1.11]) by 192.168.1.1
with id 3AB2CCF8.firstname.lastname@example.org; Sat, 17 Mar 2001 02:33:28 GMT
Subject: Barok.... PSWRD Sender Trojan
X-Mailer: Barok... email PSWRD sender--- by: spyder
Date: Sat, 17 Mar 2001 02:33:28 GMT
IP Address: 192.168.1.11
Snort (in sniffer mode) capture of email traffic generated by Barok (see email above).
03/16-06:29:18.655601 192.168.1.11:1041 -> 192.168.1.1:25
TCP TTL:128 TOS:0x0 ID:44291 IpLen:20 DgmLen:275 DF
***AP*** Seq: 0x455ED3 Ack: 0x50ACDD Win: 0x2117 TcpLen: 20
54 6F 3A 20 63 6D 6F 72 67 61 6E 40 31 39 32 2E To: cmorgan@192.
31 36 38 2E 31 2E 31 0D 0A 53 75 62 6A 65 63 74 168.1.1..Subject
3A 20 42 61 72 6F 6B 2E 2E 2E 2E 20 50 53 57 52 : Barok.... PSWR
44 20 53 65 6E 64 65 72 20 54 72 6F 6A 61 6E 0D D Sender Trojan.
0A 58 2D 4D 61 69 6C 65 72 3A 20 42 61 72 6F 6B .X-Mailer: Barok
2E 2E 2E 20 65 6D 61 69 6C 20 50 53 57 52 44 20 ... email PSWRD
73 65 6E 64 65 72 2D 2D 2D 20 62 79 3A 20 73 70 sender--- by: sp
79 64 65 72 0D 0A 0D 0A 48 6F 73 74 3A 20 70 72 yder....Host: pr
65 66 65 72 72 65 64 2D 75 73 65 72 0D 0A 55 73 eferred-user..Us
65 72 6E 61 6D 65 3A 20 44 65 66 61 75 6C 74 0D ername: Default.
0A 49 50 20 41 64 64 72 65 73 73 3A 20 31 39 32 .IP Address: 192
2E 31 36 38 2E 31 2E 31 31 0D 0A 0A 52 41 53 20 .168.1.11...RAS
50 61 73 73 77 6F 72 64 73 3A 20 0D 0A 0A 0D 0A Passwords: .....
43 61 63 68 65 20 50 61 73 73 77 6F 72 64 73 3A Cache Passwords:
20 0D 0A 0A 0D 0A 0D 0A 2E 0D 0A ..........
The following is a recommended Snort content rule for detecting this activity. As the author of Snort (Marty Roesch) points out in his HowTo page on writing rules, content detection is computationally expensive, so we key on the short string "PSWRD Sender" as it appears in the Subject header (note the "D": the string straddles two lines of the hex dump above, and Snort's content match is case-sensitive, so it does not match the lower-case "sender" in the X-Mailer header). The string is intentionally brief to reduce CPU load, but unique enough to limit the number of false alarms.
alert tcp any any -> $MYHOST.NET 25 (content: "PSWRD Sender"; msg: "Barok Email Trojan!";)
Kuang2 pSender Full v0.34
This program has a lighter-weight companion called Kuang2 pSender v0.21, but I opted to analyze the "Full" version available at www.11th.co.uk. The author "Weird" claims the program performs keystroke and screen capture and mails the results to a user-defined email address. It uses a setup program to define a number of variables, including the size of the keyboard buffer that triggers the results to be sent via email from the victim host.
Below is an email sent by the Kuang2 Full Trojan and successfully delivered to its destination email address. The Trojan conducted a combined keystroke and screen capture and transmitted the information via this email. The payload begins with "c:\Trojans\sesame..." and ends with "[Welcome to the SESAME Control Center V1.02]." This email captures part of my keystroke activity while I was configuring another Trojan named Sesame (addressed in para 3 below). For the purpose of developing a Snort rule to detect this traffic, we'll key on the "hard-coded" subject line: "Kuang2 report." Note: the TCPDump display of the same information is omitted for brevity.
Return-Path: <email@example.com>
Received: from preferred.192.168.1.1 ([192.168.1.11]) by 192.168.1.1
with id 3AB2C615.firstname.lastname@example.org; Sat, 17 Mar 2001 02:04:05 GMT
SUBJECT: Kuang2 report
Date: Sat, 17 Mar 2001 02:04:05 GMT
No new directory defined
Win 95/98 detected
[Welcome to the SESAME Control Center V1.02]
# PREFERRED USER
The following is a Snort content rule that will detect the Kuang2 signature string in outbound email from an infected system.
alert tcp any any -> $MYHOST.NET 25 (content: "Kuang2"; msg: "Kuang2 Email Trojan!";)
Sesame is an interesting program since it does not appear to be innately malicious. However, like many security applications, it can easily be used in a malicious fashion. Since this program monitors changes in a targeted file on the host computer, it could be used to alert a system administrator to changes in key files. The author's ReadMe.txt file describes this program as a "Stealth Email SMTP Autosender ModulE" (sic); the full text is in Attachment 2. It's also worth noting that Sesame v1.02 does not claim (nor appear) to perform keystroke or screen capture. However, it could very easily be packaged with a small keystroke capture program. If not being used as part of an organization's security policy, it would be an obvious threat.
Fortunately for us, as with the examples above, this program (at least the unregistered version) uses a "hard-coded" subject line string in the email it sends. In this instance, the string is "SESAME Email." The payload is always an attachment, specifically the file that you configured it to monitor prior to installation. The Sesame v1.02 setup program allows a user to configure it to send out the targeted file based on a system clock setting, after the file is altered, or after the file grows to a certain size. Our primary concern would be that it could be configured to send out a keystroke log or password file after it reaches a certain size or is altered. The email capture below depicts the transmission of the targeted file "Sensitive.txt" from the victim system.
X-Registered-To: Peter T. Schmidt Software(PTS)
Date: Sat, 17 Mar 2001 0:24 -0600
Subject: < SESAME Email (2) UNREGISTERED >
Content-Type: multipart/mixed; boundary="=====_4206312_====="
Please see attachment for the file.
Content-Type: application/octet-stream; name="Sensitive.txt "
Content-Disposition: attachment; filename="Sensitive.txt "
Snort (in sniffer mode) capture of email traffic generated by Sesame (see email above).
03/16-06:23:38.021301 192.168.1.11:1040 -> 192.168.1.1:25
TCP TTL:128 TOS:0x0 ID:32515 IpLen:20 DgmLen:82 DF
***AP*** Seq: 0x40097B Ack: 0x4B56CF Win: 0x211D TcpLen: 20
53 75 62 6A 65 63 74 3A 20 3C 20 53 45 53 41 4D Subject: < SESAM
45 20 45 6D 61 69 6C 20 28 32 29 20 55 4E 52 45 E Email (2) UNRE
47 49 53 54 45 52 45 44 20 3E GISTERED >
The following is a Snort content rule that will detect the signature string in Sesame v1.02.
alert tcp any any -> $MYHOST.NET 25 (content: "SESAME Email"; msg: "Sesame Stealth Emailer";)
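As an added example (not code from the paper or from Snort), the Python script below reassembles Snort sniffer-mode (-v -d) hex dumps like the Barok and Sesame captures above into the SMTP payload bytes and runs the three content strings from the rules above over them. The two dumps embedded in the script are constructed from those captures; in both, the signature string straddles a 16-byte dump line boundary (Barok's "PSWR" / "D Sender", Sesame's "SESAM" / "E Email"), and the Barok string is spelled "PSWRD Sender", as the Subject header reads in the capture. The point it shows is that Snort's content match runs over the packet payload, so a signature split across dump lines still fires, while grepping the printed ASCII column line by line misses it.

```python
"""Reassemble Snort sniffer-mode (-v -d) hex dumps and run the paper's three
content strings over the recovered SMTP payload.

Added example, not code from the paper or from Snort. The dumps are
constructed from the captures shown above; in both, the signature string
straddles a 16-byte dump line boundary.
"""
import re

# Snort -d layout: up to 16 two-digit hex bytes per line, then the ASCII column.
SAMPLE_DUMPS = {
    "barok": """\
54 6F 3A 20 63 6D 6F 72 67 61 6E 40 31 39 32 2E  To: cmorgan@192.
31 36 38 2E 31 2E 31 0D 0A 53 75 62 6A 65 63 74  168.1.1..Subject
3A 20 42 61 72 6F 6B 2E 2E 2E 2E 20 50 53 57 52  : Barok.... PSWR
44 20 53 65 6E 64 65 72 20 54 72 6F 6A 61 6E 0D  D Sender Trojan.
0A 0D 0A 2E 0D 0A                                ......
""",
    "sesame": """\
53 75 62 6A 65 63 74 3A 20 3C 20 53 45 53 41 4D  Subject: < SESAM
45 20 45 6D 61 69 6C 20 28 32 29 20 55 4E 52 45  E Email (2) UNRE
47 49 53 54 45 52 45 44 20 3E                    GISTERED >
""",
}

# Rule name -> content string, as in the three alert rules. Matching is
# case-sensitive, as Snort content is without the nocase modifier. The
# Barok string is spelled as the Subject header actually reads in the capture.
SIGNATURES = {
    "Barok Email Trojan!": b"PSWRD Sender",
    "Kuang2 Email Trojan!": b"Kuang2",
    "Sesame Stealth Emailer": b"SESAME Email",
}

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
BYTES_PER_LINE = 16


def _split_line(line):
    """Return (hex tokens, ASCII tokens) for one dump line.

    Assumption: the hex field never exceeds 16 tokens, so the cap keeps us
    from swallowing an ASCII word that happens to look like a hex pair.
    """
    tokens = line.split()
    i = 0
    while i < len(tokens) and i < BYTES_PER_LINE and HEX_PAIR.fullmatch(tokens[i]):
        i += 1
    return tokens[:i], tokens[i:]


def parse_snort_dump(dump):
    """Payload bytes encoded in the hex column of a Snort -d dump."""
    payload = bytearray()
    for line in dump.splitlines():
        hex_tokens, _ = _split_line(line)
        payload.extend(int(tok, 16) for tok in hex_tokens)
    return bytes(payload)


def match_signatures(payload, signatures=SIGNATURES):
    """Names of the rules whose content string occurs in the payload."""
    return [msg for msg, needle in signatures.items() if needle in payload]


def naive_line_match(dump, needle):
    """Grep-style check of each line's ASCII column. It misses a string that
    is split across two dump lines, which is why the match has to be made
    on the reassembled payload, as Snort does."""
    text = needle.decode("ascii")
    return any(text in " ".join(asc) for _, asc in map(_split_line, dump.splitlines()))


def scan_dumps(dumps=SAMPLE_DUMPS):
    """Run every signature over every dump: {name: [rule names fired]}."""
    return {name: match_signatures(parse_snort_dump(d)) for name, d in dumps.items()}


if __name__ == "__main__":
    for name, fired in scan_dumps().items():
        print(f"{name}: {fired}")
    print("line-wise grep for PSWRD Sender:",
          naive_line_match(SAMPLE_DUMPS["barok"], b"PSWRD Sender"))
```

One caveat on deployment follows from the rule headers themselves: as written they only inspect mail delivered to port 25 on $MYHOST.NET, so the sensor has to sit where the workstation's outbound SMTP actually passes, which is the placement question the paper raises.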
The use of email to transmit the results of covert monitoring of individual computers continues to present a challenge to traditional network-based intrusion detection systems, particularly those deployed in a medium to large enterprise. I could find no specific CVE for this form of attack. The closest was a candidate CVE, CAN-1999-0660: "A hacker utility or Trojan Horse installed on a system..." Also, SANS published a paper on the ports often associated with Trojan programs. Although the Trojans Barok and Sesame are not listed in that paper, port 25 (SMTP) is listed as used by Kuang2 and a few other Trojans.
Given the difficulty of detecting this activity using conventional intrusion detection means, the most logical solution seems to be a layered approach that uses network-based and host-based (more specifically, workstation-based) intrusion detection. Fortunately, anti-virus software can detect most of these freely available Trojans; however, neither McAfee, nor Norton (at least the 2000 versions I used) detected the Sesame Stealth Emailer. This could be intentional, as Sesame can be used for legitimate security purposes.
Looking specifically at intrusion detection for the individual PC, there are a number of products that provide effective host-based intrusion detection, including BlackIce, ZoneAlarm, and TinyFirewall, to name the more popular ones. For the purpose of examining the effectiveness of this host-based approach, I installed ZoneAlarm on the victim host used in the traces of the three programs above. ZoneAlarm detected that all three programs requested WinSock access on the victim computer when they attempted to mail out their payloads (these detects were made with a ZoneAlarm Internet setting of "High"). Below is an excerpt from a log generated by ZoneAlarm; the detects of interest are the PE entries for SPOOL64.EXE and beta. These detects, as indicated by the PE type, were requests by processes for WinSock access on the host (victim) OS. SPOOL64.EXE is the Barok Trojan. The process "beta" is the Sesame v1.02 program.
ZoneAlarm Basic Logging Client v2.1.44
Windows 98-4.10.1998- -SP
type date time source destination transport
PE,2001/03/15,22:54:27 -6:00 GMT,Outlook Express,192.168.1.1:25,N/A
FWIN,2001/03/24,22:33:54 -6:00 GMT,192.168.1.1:1153,192.168.1.11:23,TCP
FWIN,2001/03/24,22:35:36 -6:00 GMT,192.168.1.1:1165,192.168.1.11:21,TCP
FWIN,2001/03/24,22:36:52 -6:00 GMT,192.168.1.1:1172,192.168.1.11:23,TCP
PE,2001/03/24,22:52:20 -6:00 GMT,Windows Explorer,127.0.0.1:1027,N/A
PE,2001/03/26,00:03:48 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:06:57 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:18:14 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:20:12 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:38:40 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
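To show the host-based side of the layered approach, here is an added Python example (not ZoneAlarm's code or the paper's) that parses ZoneAlarm Basic Logging Client lines in the format of the excerpt above and flags every PE (program) record in which a process other than an approved mail client asked for WinSock access to TCP port 25. The log lines embedded in the script are constructed from the excerpt above, and the approved-mailer list is an assumed site policy; the example generalizes the paper's observation into a check that would catch any unexpected process, not just the three programs tested.

```python
"""Flag non-mail-client processes that ask ZoneAlarm for WinSock access to TCP/25.

Added example, not ZoneAlarm's or the paper's code. Log lines are constructed
from the excerpt in the paper; the approved-mailer list is an assumed policy.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed ZoneAlarm Basic Logging Client excerpt. PE rows carry the
# program name in the source column; FWIN rows carry an ip:port there instead.
SAMPLE_LOG = """\
ZoneAlarm Basic Logging Client v2.1.44
Windows 98-4.10.1998- -SP
type date time source destination transport
PE,2001/03/15,22:54:27 -6:00 GMT,Outlook Express,192.168.1.1:25,N/A
FWIN,2001/03/24,22:33:54 -6:00 GMT,192.168.1.1:1153,192.168.1.11:23,TCP
PE,2001/03/24,22:52:20 -6:00 GMT,Windows Explorer,127.0.0.1:1027,N/A
PE,2001/03/26,00:03:48 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
PE,2001/03/26,00:06:57 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:18:14 -6:00 GMT,beta,192.168.1.1:25,N/A
PE,2001/03/26,00:20:12 -6:00 GMT,SPOOL64.EXE,192.168.1.1:25,N/A
"""

# Programs the site expects to speak SMTP from a workstation (assumed policy;
# compared case-insensitively).
APPROVED_MAILERS = {"outlook express"}

FIELDS = ("type", "date", "time", "source", "destination", "transport")


def parse_zonealarm(text):
    """Yield one dict per data record; banner and header lines are skipped
    because they do not split into the six comma-separated fields."""
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, row))


def dest_port(endpoint):
    """'192.168.1.1:25' -> 25; None when the field carries no port (e.g. 'N/A')."""
    _, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def smtp_program_alerts(text, approved=APPROVED_MAILERS):
    """PE records in which an unapproved program asked WinSock to reach TCP/25.

    Returns a list of (timestamp, program, destination) tuples in log order.
    """
    alerts = []
    for rec in parse_zonealarm(text):
        if rec["type"] != "PE" or dest_port(rec["destination"]) != 25:
            continue
        if rec["source"].lower() in approved:
            continue
        alerts.append((rec["date"] + " " + rec["time"], rec["source"], rec["destination"]))
    return alerts


def alert_counts(text, approved=APPROVED_MAILERS):
    """How many times each unapproved program tried to reach port 25."""
    return Counter(prog for _, prog, _ in smtp_program_alerts(text, approved))


if __name__ == "__main__":
    for when, prog, dest in smtp_program_alerts(SAMPLE_LOG):
        print(f"{when}: {prog} -> {dest}")
    print(dict(alert_counts(SAMPLE_LOG)))
```

The check keys on the process-to-port relationship rather than on any signature string, so it does not depend on the Trojan's hard-coded subject line and would still fire if the author changed it; the trade-off is that it needs a maintained list of programs allowed to send mail from the workstation.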