April 4, 2001
There are a number of Trojan programs designed to covertly monitor activity on a victim host, typically by keystroke and screen capture or simple password stealing on Win95/98/NT. The Trojan then emails the results from the victim host to a specific email account at various intervals. Using "legitimate," high-volume outbound traffic (in this instance email) to carry data out of the victim host presents a real challenge to traditional network-based intrusion detection. To address this type of attack, a layered approach that integrates host-based and network-based intrusion detection systems offers the best means of detection.
Review of Three Covert Monitoring Programs
The following is an overview of three programs that use email to surreptitiously extract information from victim hosts. A brief description of each program and sample output (sniffer and email) are provided below. All three programs are written to exploit MS Windows 95/98. The traffic was generated on a test network using an Infradig Mailserver (POP3) for delivery, with no DNS support. Traffic was captured by Snort in sniffer mode (the -v and -d options). Additionally, recommended Snort rule sets are provided to detect on specific signatures found in traffic generated by these programs. Depending on the traffic load and the positioning of the Snort sensor, monitoring port 25 may prove impractical. This fact lends support to the premise of this paper.
The use of email to transmit the results of covert monitoring of individual computers continues to present a challenge to traditional network-based intrusion detection systems, particularly those deployed in a medium to large enterprise. I could find no specific CVE for this form of attack. The closest was a candidate CVE, CAN-1999-0660: "A hacker utility or Trojan Horse installed on a system…" SANS has also published a paper on the ports often associated with Trojan programs. Although the Trojans Barok and Sesame are not listed in that paper, port 25 (SMTP) is listed as used by Kuang2 and a few other Trojans.
Given the difficulty of detecting this activity using conventional intrusion detection means, the most logical solution seems to be a layered approach that uses network-based and host-based (more specifically, workstation-based) intrusion detection. Fortunately, anti-virus software can detect most of these freely available Trojans; however, neither McAfee nor Norton (at least the 2000 versions I used) detected the Sesame Stealth Emailer. This could be intentional, as Sesame can be used for legitimate security purposes.
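As an added illustration of this layered approach (example code written for this page, not part of the original paper): a workstation sensor's "process requested WinSock access" events are correlated with a network sensor's SMTP sessions, so that a port-25 session is only alerted on when the host attributes it to a process other than an approved mail client. The record formats, hosts, time window and allow-list are constructed assumptions, not ZoneAlarm or Snort output; SPOOL.EXE and "beta" are the process names the paper reports ZoneAlarm catching for Barok and Sesame.

```python
from datetime import datetime, timedelta

# Assumption: the site's sanctioned mail clients; anything else opening a
# port-25 socket from a workstation is treated as suspect.
ALLOWED_MAIL_PROCESSES = {"outlook.exe", "eudora.exe"}

def parse_records(lines, fields):
    """Constructed CSV format: ISO timestamp, then the named fields."""
    out = []
    for ln in lines:
        ts, *rest = ln.strip().split(",")
        rec = dict(zip(fields, rest))
        rec["when"] = datetime.fromisoformat(ts)
        rec["port"] = int(rec["port"])
        out.append(rec)
    return out

def correlate(host_events, net_sessions, window=timedelta(seconds=30)):
    """Return (process, src, dst) for each port-25 session that a host-sensor
    event within `window` attributes to a process not on the allow-list."""
    alerts = []
    for s in net_sessions:
        if s["port"] != 25:
            continue
        for e in host_events:
            if (e["host"] == s["src"] and e["port"] == 25
                    and abs(e["when"] - s["when"]) <= window
                    and e["process"].lower() not in ALLOWED_MAIL_PROCESSES):
                alerts.append((e["process"], s["src"], s["dst"]))
    return alerts

# Constructed sample records: victim 192.168.1.10, mail server 192.168.1.1.
# SPOOL.EXE and "beta" are the process names the paper's ZoneAlarm log shows.
HOST_LOG = [   # host sensor: process requested WinSock access to dst port
    "2001-04-04T10:00:05,192.168.1.10,SPOOL.EXE,25",
    "2001-04-04T10:05:00,192.168.1.10,outlook.exe,25",
    "2001-04-04T10:09:50,192.168.1.10,beta,25",
]
NET_LOG = [    # network sensor: TCP session src -> dst:port
    "2001-04-04T10:00:07,192.168.1.10,192.168.1.1,25",
    "2001-04-04T10:05:02,192.168.1.10,192.168.1.1,25",
    "2001-04-04T10:09:55,192.168.1.10,192.168.1.1,25",
]

def run():
    """Correlate the sample logs; the Outlook session is not alerted on."""
    hosts = parse_records(HOST_LOG, ("host", "process", "port"))
    net = parse_records(NET_LOG, ("src", "dst", "port"))
    return correlate(hosts, net)
```

Only the two sessions the host sensor attributes to SPOOL.EXE and "beta" are reported; the session from the sanctioned mail client passes, which is the distinction a port-25 network rule alone cannot make.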
Looking specifically at intrusion detection for the individual PC, there is a series of products that provide effective host-based intrusion detection, including BlackIce, ZoneAlarm, and TinyFirewall, to name the more popular ones. To examine the effectiveness of this host-based approach, I installed ZoneAlarm on the victim host used in the traces of the three programs above. ZoneAlarm detected that all three programs requested WinSock access on the victim computer when they attempted to mail out their payloads (these detects were made with a ZoneAlarm Internet setting of "High"). Below is an excerpt from a log generated by ZoneAlarm; detects are in bold print. These detects, as indicated by the PE type, were requests by processes for WinSock access on the host (victim) OS. SPOOL.EXE is the Barok Trojan. The process "beta" is the Sesame v1.02 program.
ZoneAlarm Basic Logging Client v2.1.44