WinSATAN Backdoor/Trojan
by Julio Cesar Hernandez
WinSATAN is described as "A windows port for the security checker tool for
UN*X SATAN". But behind this interesting description is a backdoor
application. The analysis of this Trojan was done by Julio Cesar Hernandez with the
help of Alfonso Lazaro Tellez.
The Trojan claims to be an application called WinSATAN. However, none of
the software's only three functions works properly, which means the
software's only intention is to spread the Trojan. WinSATAN connects to
various IRC servers, and the connection remains open even when the program is
closed: it keeps running in the background without a trace in the system tray
or the Task Manager.
Using Sniffit and TCPDump, I found what WinSATAN sends to the IRC servers.
The message it sends is something like: " Online!. I am . I use Windows 95, my CPU is an Intel Pentium". The message is
sent by a PRIVMSG to two IRC users called scroll1 and scroll. Both
users are usually active on those IRC servers. There's no need to mention
that this exposes the victim's computer to every attack the author of this
Trojan wants to carry out.
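The beacon described above can be matched in captured IRC traffic from the two details the text gives: the recipient nicks (scroll and scroll1) and the fixed phrases in the message body. The following is an added example, not code from the original advisory; the capture lines are constructed, and the nick "victim-pc" is a placeholder for the blank the quoted message leaves out.

```python
"""Flag the WinSATAN IRC beacon in a captured client-to-server IRC stream.

Added example, not part of the original advisory. A line is flagged only
if it is a PRIVMSG to one of the nicks the advisory names AND its text
carries the "Online!" / "I use Windows" / "my CPU is" phrases quoted there.
"""
import re

# Recipients and body fragments taken from the advisory.
BEACON_TARGETS = {"scroll", "scroll1"}
BEACON_RE = re.compile(r"Online!.*I use Windows.*my CPU is", re.IGNORECASE)

# Client->server line: "PRIVMSG <target> :<text>" (an optional ":prefix " may precede it).
PRIVMSG_RE = re.compile(r"^(?::\S+\s+)?PRIVMSG\s+(\S+)\s+:(.*)$")


def parse_privmsg(line):
    """Return (target, text) for a PRIVMSG line, or None for anything else."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def is_winsatan_beacon(line):
    """True when the line is the beacon: right recipient and right body."""
    parsed = parse_privmsg(line)
    if parsed is None:
        return False
    target, text = parsed
    return target.lower() in BEACON_TARGETS and bool(BEACON_RE.search(text))


def scan_capture(lines):
    """Return every capture line that looks like the beacon."""
    return [line for line in lines if is_winsatan_beacon(line)]


# Constructed sample capture: one beacon to each recipient plus benign traffic.
SAMPLE_CAPTURE = [
    "NICK victim-pc",
    "USER victim-pc 0 * :victim-pc",
    "PRIVMSG scroll1 : Online!. I am victim-pc. I use Windows 95, my CPU is an Intel Pentium",
    "PRIVMSG scroll : Online!. I am victim-pc. I use Windows 95, my CPU is an Intel Pentium",
    "PRIVMSG #chat :hi all, anyone online?",
    "PING :irc.example.invalid",
]

if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_CAPTURE):
        print("beacon:", hit)
```

Feed it the decoded TCP payload of the client's side of the IRC session (one protocol line per entry); the benign channel message in the sample shows that the word "online" alone is not enough to trigger a match.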
Searching through the code with the help of a hex editor, we discovered that
the Trojan was written in Delphi and that it has a list of IRC servers to
connect to. Here is the list (in no particular order):
irc.stealth.net
irc.webbernet.net
ircnet.sprynet.org
irc.univ-lyon.fr
irc.rus.uni.stuttgart.de
eu.ircnet.org
us.ircnet.org
web.im.tut.fi
The infected machine was running Windows 98, but I have tested the Trojan
on Windows 95 and Windows 3.x and these two platforms are vulnerable as
well. Tested on a Windows NT 4.0 box, it didn't work at all (it uses the
RegisterServiceProcess function, which does not exist on NT).
So only Windows 9x systems are vulnerable to this Trojan.
The Trojan runs on startup. It tries to connect to the IRC servers every
few seconds until the user connects to the Internet. When the Trojan
finally manages to connect to an IRC server, it sends the above message.
To run on startup, the Trojan uses a well-known method among Trojans: it
adds an entry under the Registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,
using the apparently innocent name RegisterServiceBackup, that
points to a program called fs-backup.exe which the Trojan copies into
c:\windows. This program is the real Trojan that stays resident on the
victim's box.
To check if you're infected
To determine if the Trojan is running on your machine, type netstat
-an at the command prompt. If you see you are connected to an IRC
server (and you know you're not running an IRC client), for example
165.121.1.47:6667, you're in trouble.
Also, check if you have a program called "fs-backup.exe" (about 366 KB) in
the c:\windows directory. If you find it, you are infected: remove it
immediately (if you can't because it is running, shut down to MS-DOS mode
and remove it from there).
In any case, take some time to check the Registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for
unusual or strange entries. If you find one called
RegisterServiceBackup you are probably infected. This is a good test to
do in any case, in order to catch other Trojans that may be lurking on your machine.
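The three checks above (netstat, the file, the Run key) can be scripted so they run the same way on every suspect box. The following is an added example, not code from the original advisory: it parses saved `netstat -an` output for an established connection to an IRC port, parses the Run key as exported by `regedit /e` (REGEDIT4 text) for the RegisterServiceBackup entry or anything pointing at fs-backup.exe, and tests for the file. The two sample inputs are constructed; 165.121.1.47:6667 is the address quoted above, and the port range beyond 6667 is an assumption about common IRC ports.

```python
"""Scripted version of the advisory's host checks.

Added example, not from the original advisory. Inputs are plain text so
it can be run against files copied off a Windows 9x machine
(`netstat -an > net.txt`, `regedit /e run.reg <Run key>`).
"""
import os
import re

# 6667 is the port the advisory cites; 6660-6669 and 7000 are added as
# commonly used IRC ports (assumption; widen or narrow as needed).
IRC_PORTS = set(range(6660, 6670)) | {7000}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE = "RegisterServiceBackup"
SUSPECT_FILE = "fs-backup.exe"

# Matches e.g. "  TCP    192.168.1.5:1034    165.121.1.47:6667    ESTABLISHED"
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:\S+\s+(\S+):(\S+)\s*(\S*)")


def irc_connections(netstat_output):
    """(remote_ip, port) for every ESTABLISHED TCP connection to an IRC port."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, raddr, rport, state = m.groups()
        if (proto == "TCP" and state == "ESTABLISHED"
                and rport.isdigit() and int(rport) in IRC_PORTS):
            hits.append((raddr, int(rport)))
    return hits


def parse_run_key(reg_export):
    """Values under the Run key from a REGEDIT4 export, as {name: command}."""
    entries = {}
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run_key and m:
            # REGEDIT4 escapes quotes and backslashes with a backslash.
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries[m.group(1)] = value
    return entries


def suspicious_run_entries(entries):
    """Run entries that match what the advisory describes."""
    return {name: cmd for name, cmd in entries.items()
            if name == SUSPECT_VALUE or SUSPECT_FILE in cmd.lower()}


def trojan_file_present(windows_dir=r"c:\windows"):
    """The file check; on the machine you run this on, not on the samples."""
    return os.path.isfile(os.path.join(windows_dir, SUSPECT_FILE))


# Constructed sample of `netstat -an` on an infected Windows 9x box.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       165.121.1.47:6667      ESTABLISHED
  TCP    192.168.1.5:1035       192.0.2.10:80          ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# Constructed sample of the Run key exported with `regedit /e`.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"RegisterServiceBackup"="c:\\windows\\fs-backup.exe"
'''

if __name__ == "__main__":
    print("IRC connections:", irc_connections(SAMPLE_NETSTAT))
    print("suspicious Run entries:", suspicious_run_entries(parse_run_key(SAMPLE_REG)))
    print("fs-backup.exe present:", trojan_file_present())
```

The Run-key parser reports every entry, not just the known name, so the same script doubles as the "look for unusual entries" step: review the full dictionary, not only the flagged ones.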
I have used some well-known antivirus programs to see if they could detect
the new Trojan. None did, not even using heuristic methods. I tried
McAfee VirusScan 4.0.3 with heuristic searching and the latest update (6
June 1999), Antiviral Toolkit Pro 3.01.29 with the latest revision (9 June
1999) and the Platinum Panda Antivirus 6.0 with heuristics after an update
on the Internet.
Disinfection
Disinfection couldn't be simpler. Just remove the Registry entry that
allows the Trojan to start when Windows starts (named
RegisterServiceBackup, as described above). Restart Windows, and now, since
the Trojan is not running, you will have no problems removing the file
fs-backup.exe from c:\windows. Remove it, and you are clean!