Using Argus or tcpdump to detect Pretty Park trojan

H Morrow Long morrow.long at yale.edu
Wed Mar 1 10:50:08 EST 2000 

Note that there is a new version of Pretty Park.  I noticed a short
notice of such when checking out the Symantec/Norton A/V site yesterday
to re-read the PrettyPark description and noticed that Norton
had updated a KnowledgeBase blurb (though not the SARC
Encyclopedia entry) on PP on 2/26 and recommendes that
everyone download the latest NAV sig/dat file update :

http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999100815452606&src=hot

http://www.symantec.com/techsupp/nav/tech_hottopics_nav4-nt.html

I have also received a report of a new recent incident of PrettyPark.

- H. Morrow Long
  Yale University Information Security Officer


Russell Fulton wrote:

> HI All,
>         I am posting this to both unisog and argus lists, apologies to
> those of you who get two copies.
>
> There has recently been some discussion on the Security Focus Incidents
> list about perceived recent increase in Pretty Park (PP) infections.
> PP is a trojan and a good description can be found at:
>
> http://europe.datafellows.com/v-descs/prettyp.htm
>
> One characteristic of PP is that infected machines try an contact
> various IRC servers so I ran an filter over our Argus logs for February
> dumping all traffic to these servers (see web page for full list of
> servers).  I found several machines regularly trying these servers and
> also that some of these server are no longer active.  I have since
> confirmed that these machine are infected with PP.
>
> So I have constructed a filter that will work with argus or tcpdump to
> look for connection attempts to these non active servers.  Any machines
> triggering these filters have a high chance of being infected by PP.
> If they keep on triggering it then they are almost certainly infected.
>
> tcp and dst port ircd and (
>    host         irc.twiny.net
> or host         irc.grolier.net
> or host         irc.club-internet.fr
> or host         irc.emn.fr
> or host         irc.insat.com
> or host         irc.ncal.verio.net
> or host         irc.skybel.net
> or host         irc.easynet.co.uk
> )
>
> There is also some evidence that what we are seeing is a new strain of
> PP which is not detected by current AV packages.  Several of the
> machines infected here were running NAV with recent definitions.
>
> Cheers, Russell

More information about the argus mailing list