Using Argus or tcpdump to detect Pretty Park trojan

Russell Fulton r.fulton at
Tue Feb 29 17:38:38 EST 2000

HI All,
	I am posting this to both unisog and argus lists, apologies to 
those of you who get two copies.

There has recently been some discussion on the Security Focus Incidents 
list about perceived recent increase in Pretty Park (PP) infections.  
PP is a trojan and a good description can be found at:

One characteristic of PP is that infected machines try an contact 
various IRC servers so I ran an filter over our Argus logs for February 
dumping all traffic to these servers (see web page for full list of 
servers).  I found several machines regularly trying these servers and 
also that some of these server are no longer active.  I have since 
confirmed that these machine are infected with PP.

So I have constructed a filter that will work with argus or tcpdump to 
look for connection attempts to these non active servers.  Any machines 
triggering these filters have a high chance of being infected by PP.  
If they keep on triggering it then they are almost certainly infected.

tcp and dst port ircd and (
or host
or host
or host
or host
or host
or host
or host

There is also some evidence that what we are seeing is a new strain of 
PP which is not detected by current AV packages.  Several of the 
machines infected here were running NAV with recent definitions.

Cheers, Russell

More information about the argus mailing list