Using Argus or tcpdump to detect Pretty Park trojan
H Morrow Long
morrow.long at yale.edu
Wed Mar 1 10:50:08 EST 2000
Note that there is a new version of Pretty Park. I noticed a short
notice of such when checking out the Symantec/Norton A/V site yesterday
to re-read the PrettyPark description and noticed that Norton
had updated a KnowledgeBase blurb (though not the SARC
Encyclopedia entry) on PP on 2/26 and recommends that
everyone download the latest NAV sig/dat file update:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999100815452606&src=hot
http://www.symantec.com/techsupp/nav/tech_hottopics_nav4-nt.html
I have also received a report of a new recent incident of PrettyPark.
- H. Morrow Long
Yale University Information Security Officer
Russell Fulton wrote:
> Hi All,
> I am posting this to both unisog and argus lists, apologies to
> those of you who get two copies.
>
> There has recently been some discussion on the Security Focus Incidents
> list about perceived recent increase in Pretty Park (PP) infections.
> PP is a trojan and a good description can be found at:
>
> http://europe.datafellows.com/v-descs/prettyp.htm
>
> One characteristic of PP is that infected machines try and contact
> various IRC servers so I ran a filter over our Argus logs for February
> dumping all traffic to these servers (see web page for full list of
> servers). I found several machines regularly trying these servers and
> also that some of these servers are no longer active. I have since
> confirmed that these machines are infected with PP.
>
> So I have constructed a filter that will work with argus or tcpdump to
> look for connection attempts to these non-active servers. Any machines
> triggering these filters have a high chance of being infected by PP.
> If they keep on triggering it then they are almost certainly infected.
>
> tcp and dst port ircd and (
> host irc.twiny.net
> or host irc.grolier.net
> or host irc.club-internet.fr
> or host irc.emn.fr
> or host irc.insat.com
> or host irc.ncal.verio.net
> or host irc.skybel.net
> or host irc.easynet.co.uk
> )
>
> There is also some evidence that what we are seeing is a new strain of
> PP which is not detected by current AV packages. Several of the
> machines infected here were running NAV with recent definitions.
>
> Cheers, Russell
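As an added example (not part of either message above), the following Python script applies the same idea to classic tcpdump output lines: it counts pure SYNs from each local host to the inactive servers in the filter and reports hosts that trigger repeatedly, which the post treats as the strong signal. Host names and the sample capture lines are constructed.

```python
import re
from collections import Counter

# The inactive IRC servers listed in the filter in the post above.
INACTIVE_IRC_SERVERS = frozenset({
    "irc.twiny.net", "irc.grolier.net", "irc.club-internet.fr", "irc.emn.fr",
    "irc.insat.com", "irc.ncal.verio.net", "irc.skybel.net", "irc.easynet.co.uk",
})
# "dst port ircd" in the BPF filter resolves to 6667; accept either spelling.
IRCD_PORTS = frozenset({"ircd", "6667"})

# Classic tcpdump TCP line: "ts src.sport > dst.dport: FLAGS seq:seq(len) [ack N] win W ..."
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>\S+?)\.(?P<dport>[^.\s]+): (?P<flags>[A-Z.]+) (?P<rest>.*)$"
)

def is_pp_trigger(line):
    """Return the source host if LINE is a bare SYN to an inactive server's ircd port, else None."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    syn_only = m["flags"] == "S" and " ack " not in " " + m["rest"] + " "
    if syn_only and m["dst"] in INACTIVE_IRC_SERVERS and m["dport"] in IRCD_PORTS:
        return m["src"]
    return None

def count_triggers(lines):
    """Filter hits per source host; one hit is suspicious, repeated hits much more so."""
    return Counter(h for h in map(is_pp_trigger, lines) if h)

def likely_infected(lines, min_hits=3):
    """Hosts that keep triggering the filter (threshold is an assumption, not from the post)."""
    return sorted(h for h, n in count_triggers(lines).items() if n >= min_hits)

# Constructed sample capture (hypothetical hosts in example.edu). Note the RST from
# irc.skybel.net is a reply, not an attempt, and irc.dal.net is not on the list.
SAMPLE_TCPDUMP = """\
10:50:08.101 pc12.example.edu.1034 > irc.twiny.net.ircd: S 100:100(0) win 8192 <mss 1460>
10:50:09.220 pc12.example.edu.1035 > irc.grolier.net.ircd: S 200:200(0) win 8192 <mss 1460>
10:50:10.330 pc12.example.edu.1036 > irc.emn.fr.ircd: S 300:300(0) win 8192 <mss 1460>
10:51:00.001 pc33.example.edu.2001 > irc.skybel.net.ircd: S 400:400(0) win 8192 <mss 1460>
10:51:00.002 irc.skybel.net.ircd > pc33.example.edu.2001: R 0:0(0) ack 401 win 0
10:51:05.444 pc44.example.edu.1100 > irc.dal.net.ircd: S 500:500(0) win 8192 <mss 1460>
10:52:00.777 pc12.example.edu.1037 > irc.insat.com.6667: S 600:600(0) win 8192 <mss 1460>
"""

if __name__ == "__main__":
    print(count_triggers(SAMPLE_TCPDUMP.splitlines()))
    print(likely_infected(SAMPLE_TCPDUMP.splitlines()))
```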