Using Argus or tcpdump to detect Pretty Park trojan
Russell Fulton
r.fulton at auckland.ac.nz
Tue Feb 29 17:38:38 EST 2000
Hi All,
I am posting this to both unisog and argus lists, apologies to
those of you who get two copies.
There has recently been some discussion on the Security Focus Incidents
list about perceived recent increase in Pretty Park (PP) infections.
PP is a trojan and a good description can be found at:
http://europe.datafellows.com/v-descs/prettyp.htm
One characteristic of PP is that infected machines try to contact
various IRC servers, so I ran a filter over our Argus logs for February
dumping all traffic to these servers (see web page for full list of
servers). I found several machines regularly trying these servers and
also that some of these servers are no longer active. I have since
confirmed that these machines are infected with PP.
So I have constructed a filter that will work with argus or tcpdump to
look for connection attempts to these non-active servers. Any machines
triggering these filters have a high chance of being infected by PP.
If they keep on triggering it, then they are almost certainly infected.
tcp and dst port ircd and (
host irc.twiny.net
or host irc.grolier.net
or host irc.club-internet.fr
or host irc.emn.fr
or host irc.insat.com
or host irc.ncal.verio.net
or host irc.skybel.net
or host irc.easynet.co.uk
)
There is also some evidence that what we are seeing is a new strain of
PP which is not detected by current AV packages. Several of the
machines infected here were running NAV with recent definitions.
Cheers, Russell
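As an added illustration (not part of Russell's post or the Argus project): a Python equivalent of the filter above, run over a few constructed flow records, counting per-source attempts to the listed inactive IRC servers so that one-off hits and repeat offenders can be told apart. The record layout, the use of 6667 for the "ircd" service port, and the repeat threshold are assumptions.

```python
"""Flag hosts repeatedly attempting TCP connections to the inactive IRC servers."""
from collections import Counter, defaultdict

# The inactive IRC servers named in the post's filter.
INACTIVE_IRC_SERVERS = {
    "irc.twiny.net", "irc.grolier.net", "irc.club-internet.fr", "irc.emn.fr",
    "irc.insat.com", "irc.ncal.verio.net", "irc.skybel.net", "irc.easynet.co.uk",
}
IRCD_PORT = 6667  # assumption: "ircd" in /etc/services resolves to 6667

# Constructed, simplified flow records: (time, proto, src_ip, dst_host, dst_port).
# Destination hostnames are shown already resolved; real Argus output differs.
SAMPLE_FLOWS = [
    ("2000-02-01 09:12:01", "tcp", "10.1.2.3", "irc.twiny.net", 6667),
    ("2000-02-01 09:12:05", "tcp", "10.1.2.3", "irc.grolier.net", 6667),
    ("2000-02-01 10:40:44", "tcp", "10.1.2.3", "irc.emn.fr", 6667),
    ("2000-02-01 11:02:10", "tcp", "10.1.2.3", "irc.insat.com", 6667),
    ("2000-02-01 12:00:00", "tcp", "10.1.2.9", "irc.skybel.net", 6667),   # single hit
    ("2000-02-01 12:30:00", "tcp", "10.1.2.20", "irc.example.org", 6667), # not in list
    ("2000-02-01 12:31:00", "udp", "10.1.2.3", "irc.twiny.net", 6667),    # not tcp
    ("2000-02-01 12:32:00", "tcp", "10.1.2.3", "irc.twiny.net", 80),      # wrong port
]

def matches_filter(flow):
    """Same predicate as the BPF filter: tcp and dst port ircd and (host ... or ...)."""
    _, proto, _, dst_host, dst_port = flow
    return proto == "tcp" and dst_port == IRCD_PORT and dst_host in INACTIVE_IRC_SERVERS

def suspect_hosts(flows, repeat_threshold=3):
    """Per source: (hit count, servers tried, verdict). One hit is 'likely infected';
    repeated hits are 'almost certainly infected', as the post argues. The threshold
    of 3 is an assumption for illustration."""
    hits = Counter()
    servers = defaultdict(set)
    for flow in flows:
        if matches_filter(flow):
            hits[flow[2]] += 1
            servers[flow[2]].add(flow[3])
    verdicts = {}
    for src, n in hits.items():
        label = "almost certainly infected" if n >= repeat_threshold else "likely infected"
        verdicts[src] = (n, sorted(servers[src]), label)
    return verdicts

if __name__ == "__main__":
    for src, (n, srv, label) in sorted(suspect_hosts(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} attempt(s) to {', '.join(srv)} -> {label}")
```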