Apparent Trojan in Gibson Screen Saver

Status
Not open for further replies.

Goalie

Recently, Codon4 released a screensaver made to look like the Gibson Supercomputer hacking sequences from the great movie "Hackers." It appears however that this screen saver has an embedded trojan not yet detected by anti-virus scanners. (NAV, McAfee and Trend Micro HouseCall have been tested)

When the file is unzipped and run, it appears to install a file called "csrsc.exe" to your %windows%\system directory, and loads it to be run on startup in the registry. This file then contacts efnet.demon.co.uk and joins the channel #gibson, key gibson in IRC. It is not certain if the filename or Efnet server are hardcoded, or randomly selected, but it is certain that efnet is the server. Efnet sadly has a reputation for not having too innocent of users, but let this not reflect on all of them. ReEdit: See below for more file specs

The connection appears to idle waiting for instructions. Initial examination of the file appears to have it as a DDOS utility, but this is not certain. At the time that I and a few friends invaded the channel, the bots were auto-opping on entry. After Soul and I deopped them, and reopped them at some point, they were no longer auto-opping. We are not sure what the reason behind this behavior is.

Although the payload may have already been delivered or expired, this connection is unexplained by the producers and undocumented. To do so without explanation is at best sketchy, and in the past has been a bad sign.

The file is available from http://download.com.com/3000-2390-10222112.html?tag=lst-5-4. The producer's site is www.codon4.com. If you download the file, exercise standard caution, as with any possibly virus-carrying file.

Special thanks to Tarkus, Soul, StormBringer, sngx1275, neoblaze, poertner, and Didou (names as in the IRC channel on starchat) for assisting with research into this matter. The details are sketchy I realize, but I would hope that Techspot could help come up with more.

CNet and McAfee have been contacted in regards to this matter, and have yet to respond. I will update when more information becomes available. The #3dspotlight IRC channel appears to be the first to break this news, and certainly any input is welcome. The EfNet IRC channel gets enough traffic to indicate that there may be as many as 500 estimated "infections" right now, with 30 to 50 connecting at a time to the channel.

Edit: File specs- Soul Harvester has graciously provided the following details. 73,728 bytes in size, this file has three IRC functions- connect, join, and op. There are other dwords which appear to be triggers, but they're currently obfuscated beyond our comprehension. Responds to CTCP version requests as MIRC 6.12, which is obviously false. Soul promises to look further into the matter- thanks again!!
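As an added example (not code from this thread, from Codon4 or from any of the posters), here is a small Python IRC line parser run over constructed traffic that flags the two behaviours described above: a JOIN to #gibson with a channel key, and a CTCP VERSION reply claiming to be mIRC 6.12. The nick, host and the exact VERSION reply string are constructed sample values.

```python
# Added example: flag the IRC behaviour described in the post (JOIN #gibson with
# a key, CTCP VERSION reply claiming mIRC 6.12) in captured client-to-server lines.
import re

CTCP = "\x01"                      # CTCP messages are wrapped in 0x01 bytes
SUSPECT_CHANNEL = "#gibson"        # channel named in the post
MIRC_612 = re.compile(r"mirc\s*v?6\.12", re.I)  # version the bot claims to be


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, command, params) per RFC 1459."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):                   # optional ":prefix "
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                           # trailing param may hold spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, None, []
    params = parts[1:] + ([trailing] if trailing is not None else [])
    return prefix, parts[0].upper(), params


def find_indicators(lines):
    """Return (reason, raw_line) pairs for lines matching the reported bot behaviour."""
    hits = []
    for raw in lines:
        _, cmd, params = parse_irc_line(raw)
        if cmd == "JOIN" and params:
            chans = params[0].split(",")       # JOIN #a,#b key_a,key_b
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                if chan.lower() == SUSPECT_CHANNEL:
                    key = keys[i] if i < len(keys) else None
                    hits.append((f"join {chan} key={key}", raw))
        elif cmd == "NOTICE" and len(params) == 2 and params[1].startswith(CTCP):
            body = params[1].strip(CTCP)       # e.g. "VERSION mIRC v6.12 ..."
            if body.upper().startswith("VERSION ") and MIRC_612.search(body):
                hits.append((f"ctcp version reply: {body[8:]}", raw))
    return hits


# Constructed sample traffic, in the shape a bot like the one described would send.
SAMPLE = [
    "NICK drone1234",
    "USER drone 0 * :drone",
    "JOIN #gibson gibson",
    ":drone1234!~drone@host PRIVMSG #gibson :hello",
    "NOTICE analyst :\x01VERSION mIRC v6.12 Khaled Mardam-Bey\x01",
    "PRIVMSG #gibson :idle",
]

if __name__ == "__main__":
    for reason, raw in find_indicators(SAMPLE):
        print(reason, "<-", raw.strip())
```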
 
We've now dubbed this virus "Didou's Backdoor" in honor of the person who posted the link to the "cool screensaver" in IRC. Good news, I got results back from submitting the screensaver to McAfee. It appears the latest Dat file (4.0.4317 1/21/04) scans for it now. I have no idea if it will repair it. If not, you have to do three things. Kill the csrsc.exe process in Task Manager, delete the csrsc.exe file in the Windows/System folder and delete the registry key by going to ...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

and deleting the csrsc.exe key in the right pane. As far as I'm aware, that's all that is needed.

here's the response from McAfee AVERT

To: "'Tarkus'" <>
Subject: RE: Escalation: 353966 - Found possible virus in screensaver

A.V.E.R.T. Sample Analysis
Issue Number: 353966
Virus Research Engineer: Jaime Wong
Identified: BackDoor-CBT, BackDoor-AVW.dll

AVERT(tm) Labs, Singapore

Thank you for submitting your suspicious file.

Synopsis -

Attached is a file for extra detection, which will be included in a DAT set
4317. A description is currently being written, please keep an eye on
http://vil.nai.com/vil/newly-discovered-viruses.asp
 
Originally posted by Tarkus
We've now dubbed this virus "Didou's Backdoor" in honor of the person who posted the link to the "cool screensaver" in IRC.

Lies, ALL LIES !!!
 
Too bad this thing isn't massively destructive, if it were, this would be huge, "TS members discover global threat"
Oh well, too bad. In any case, it's good that at least one AV has labeled it as bad news.



PS: the statement above was a friggin joke, I would never make an intentional statement endorsing damage to a computer or computers through the use of malicious code. Truth is, we don't yet know what that thing does, just what is outlined above

BTW, cnet has yet to respond to any of our reports to them about this, and the screensaver is still listed on their site.
 
i just disassembled that file

absolutely no static imports from any winsock version. there is a WriteFile call in there somewhere but no readfile. no registry references either. what this means is that it's unlikely to be a legit trojan. it doesn't require any internet use at all. i'm not saying it isn't one, i'm saying if it is one they went to a great amount of work to hide it from people like me *i have no intention of actually running the file to debug it and see what it does*. it's possible they dynamically loaded up the functions they'd need to be malicious but not likely.

also i'd like to know where the OP got his information. none of those strings appear in the file at all (possibly encrypted tho) and it most certainly does not add registry entries to run on startup and does not create any exe file ( i decided to run it )

still it probably wouldn't be bad to play it safe but it looks ok to me.
 
Originally posted by filthy_mcnasty
i just disassembled that file

absolutely no static imports from any winsock version. there is a WriteFile call in there somewhere but no readfile. no registry references either. what this means is that it's unlikely to be a legit trojan. it doesn't require any internet use at all. i'm not saying it isn't one, i'm saying if it is one they went to a great amount of work to hide it from people like me *i have no intention of actually running the file to debug it and see what it does*. it's possible they dynamically loaded up the functions they'd need to be malicious but not likely.

also i'd like to know where the OP got his information. none of those strings appear in the file at all (possibly encrypted tho) and it most certainly does not add registry entries to run on startup and does not create any exe file ( i decided to run it )

still it probably wouldn't be bad to play it safe but it looks ok to me.
What are you talking about? what "file" doesn't create what?
I know that at least 4 people in the #3dspotlight IRC channel downloaded and ran that screensaver, after which the csrsc.exe was found on their machines (after Goalie initially found it on his)
Further examination showed the exact things that Goalie outlined in the topic post of this thread.
I don't know what it is you are talking about, but you need to elaborate a bit.

Sounds a bit like you are calling us liars. If that were the case then why would AVERT have added this to the newest McAfee update?
 
I am the first one that worked at hacking that trojan.

It IS a trojan and DOES have an IRC presence. I did not look for registry alteration or anything like that, I was only interested in its IRC functions, which it does have. I gave Goalie/Tarkus the initial information. Don't call me a liar. That's not nice.
 
i'm not calling you guys liars at all, i'm saying that file isn't created by the version i have and *aside from possible mirc stuff i didn't look for* there is no real "trojan" activity at all here. it's definitely not adding itself to my system's registry in any way shape or form.

i'm asking for more info as well. i downloaded from the link in the original post. are you sure those people getting infected downloaded from the same source? or possibly a file someone in irc spread around?
 
Originally posted by filthy_mcnasty
i'm not calling you guys liars at all, i'm saying that file isn't created by the version i have and *aside from possible mirc stuff i didn't look for* there is no real "trojan" activity at all here. it's definitely not adding itself to my system's registry in any way shape or form.

i'm asking for more info as well. i downloaded from the link in the original post. are you sure those people getting infected downloaded from the same source? or possibly a file someone in irc spread around?

mirc is a program. It does not have "mirc" functions. It has IRC functions as they pertain to the IRC RFC. It is a trojan in all aspects of the word. It creates an IRC connection to join to a hidden channel on EFNET in which it communicates and op's other infected machines. The trojan itself appears to respond to a trigger to initiate a DDoS attack against a specific IP address.

I know what I'm talking about. It is a trojan in all aspects, as for the danger level to the individual machine it is probably very low. This could easily be a slightly modified version of one of the various other IRC backdoors. I am looking into it further.
 
It would appear that codon4 has changed the file with a clean one. The original file downloaded on the day this first occurred (I have a copy if anybody wants to test out their AV updates) does just as outlined in Goalie's post. I also just downloaded the file from codon4 again since Filthy seems to think we are all crazy, and it does not contain the infection.
The first one is grabbed by NAV 03 as soon as I try to install, the second installs without problem and doesn't seem to create any extra files or keys. This is indeed odd because only a few days have passed since discovering this, and both files were downloaded from Codon4 site. The only difference here is a couple of days between downloads.

Edit: 4 of those who were infected with the original downloaded file from codon4 just found hodll.dll (a keylogger) http://research.pestpatrol.com/Search/FileInfoResults.asp?MD5=6335d3e9a54dfc1e81204f57550f2998
This would be the true payload of the file it seems. The other file is simply the means of harvesting the data through the #gibson IRC channel. It seems that nothing detects this keylogger other than PestPatrol. A google search for the file only turned up that link and a bunch of stuff in a language I can't read.
 
I just want to add to Storm's last post that the infected zip is 253 kb and the clean zip is 222 kb. We also found another file dropped by the screensaver which is hodll.dll and is a keylogger. I don't think McAfee got the patch in their 4317 Dat file. I have an Extra.dat they sent me that when installed catches the exe, dll and scr files.


About hodll.dll (thanks Storm and Didou)

http://research.pestpatrol.com/Search/FileInfoResults.asp?MD5=6335d3e9a54dfc1e81204f57550f2998
 
thank you storm =). but for the record i never said you guys were crazy i was just mentioning what i saw on my side.

soul i never said you didn't know what you were talking about *some people really like to make stuff up sometimes*. i simply said that i also know what i'm talking about and the file i downloaded was clean. i'm fully aware of what mirc is but thanks for filling me in just in case. YOU however were the one talking about irc functions not me.

now you all can download a clean version of this screensaver and be happy knowing that it's clean.
 
I don't think you know what you guys are talking about. This looks VERY harmless and low down...even no sign of dos usage. Come on you guys just want to be the next big thing and discover a 'new' massive worm.

I don't think that language is appropriate for TS, please keep it civil,
thank you,
StormBringer
 
*cough*

1. I don't give a damn if I discover the next big thing. If I do, great, otherwise, all I aimed to do was clean up my machine AND WARN OTHERS.

A keylogger in the system is a very large risk. Personally, I do consulting which uses confidential data that quite a few people would love to get their hands on, and this is unacceptable. Any small security thing is a big matter, be it 5, 500, or 5 million computers.

2. Of course there's no sign of dos usage. The program is an IRC/Keylogger, which sits in the background doing nothing until commanded.

3. How much research have you done on this? Have you looked at the infected file, not the clean one that is now available? Have you even gone to efnet to see how many drones remain?

I should have mentioned that about 2 weeks after the first post, the downloadable file was updated with a "clean" one. This may be why you see nothing.

4. For your first post, telling any of the people who have posted here to grow nuts is a rather ballsy thing to do. Seeing as I know at least 3 of the folks who posted here are seasoned pros, and the others can hold their own in #3ds when we get into the heavy stuff. Might want to survey your audience before being a jerk.
 
I'm a ballsy kinda guy. I have looked at the infected file, it is a screensaver of a GREAT hacking movie that is fully accurate. It has no keylogging capabilities and nowhere do I see that it sends data out on a udp/tcp connection. I think you just have a grudge against the elite people at codon4.
 
You must be one of those people from Codon4. You also apparently are confusing the screensaver with some other movie.

Any further outbursts in this thread will result in it being locked and possibly the offending party or parties being banned.

Thank you,
StormBringer
 
Heh.. Not your favorite movie Storm?

Rick- Why don't you prove that you're looking at the infected file?? If you're not seeing the extra process, and not seeing the tcp port to efnet, and not seeing the hodll keylogging file, you have the wrong version.
 