Using Argus or tcpdump to detect Pretty Park trojan

John I-Chung Wang jwang at CS.UH.EDU
Wed Mar 1 14:16:02 EST 2000


Hello Russell

Back in December, I noted unusual activity to and from IP address 206.57.24.70
which appeared as if they were web traffic, i.e. connections to 80/tcp of that
IP address. When I connected a browser to the suspect port, I got a default
web page that was obviously falsified, i.e. rigged to look like an appropriate
error web page but the contact email address was obviously not valid. I went
to the Windows NT machines in the office that were connecting to the site and
updated the McAfee on them and McAfee found the Pretty.worm virus. Removing
the virus stopped the suspicious web traffic.

Sorry, I didn't goat the virus so I don't have an infected floppy for analysis.
At the time, I thought that it was just a regular pretty.worm since McAfee
picked it up, it wasn't till later that I realized it had a different
behaviour and I had already cleaned it by then.

So there's at least one strain of Pretty.worm whose payload mimics a web
connection to circumvent a firewall instead of relaying information via IRC.

You may want to add 80/tcp access to 206.57.24.70 in your list of Pretty Park
activity to check for.

Previously, Russell Fulton said:
> 
> HI All,
> 	I am posting this to both unisog and argus lists, apologies to 
> those of you who get two copies.
> 
> There has recently been some discussion on the Security Focus Incidents 
> list about perceived recent increase in Pretty Park (PP) infections.  
> PP is a trojan and a good description can be found at:
> 
> http://europe.datafellows.com/v-descs/prettyp.htm
> 
> One characteristic of PP is that infected machines try and contact 
> various IRC servers so I ran a filter over our Argus logs for February 
> dumping all traffic to these servers (see web page for full list of 
> servers).  I found several machines regularly trying these servers and 
> also that some of these servers are no longer active.  I have since 
> confirmed that these machines are infected with PP.
> 
> So I have constructed a filter that will work with argus or tcpdump to 
> look for connection attempts to these non active servers.  Any machines 
> triggering these filters have a high chance of being infected by PP.  
> If they keep on triggering it then they are almost certainly infected.
> 
> tcp and dst port ircd and (
>    host         irc.twiny.net
> or host         irc.grolier.net
> or host         irc.club-internet.fr
> or host         irc.emn.fr
> or host         irc.insat.com
> or host         irc.ncal.verio.net
> or host         irc.skybel.net
> or host         irc.easynet.co.uk
> )
> 
> There is also some evidence that what we are seeing is a new strain of 
> PP which is not detected by current AV packages.  Several of the 
> machines infected here were running NAV with recent definitions.
> 
> Cheers, Russell
> 
> 


Regards,
John

---
jwang at cs.uh.edu                         Department of Computer Science
                                        University of Houston
                                        Hoffman Hall
                                        Room 501
                                        4800 Calhoun
                                        Houston, TX 77204-3475
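The two indicators discussed in this thread (Russell's list of inactive IRC servers on the ircd port, plus John's 80/tcp connections to 206.57.24.70) can be combined into one filter and also applied after the fact to flow records. The script below is an added example written for this archive page; it is not code posted by either author. It assumes the ircd service resolves to 6667/tcp (the usual /etc/services entry tcpdump consults for `port ircd`), and it uses a simplified record layout loosely modelled on resolved-name `ra` output rather than Argus's exact column format. The log lines and the 192.0.2.x source addresses are constructed for the example.

```python
"""Pretty Park indicator filter and flow-log triage (added example).

Watchlist: the IRC servers from Russell's filter on the ircd port, and the
fake web server John observed. Record format and sample data are assumptions
made for this example, not Argus's real output.
"""
import re
from collections import Counter

# Inactive IRC servers from the thread; a connection attempt to any of them
# on the ircd port is the PP indicator Russell used.
IRC_SERVERS = {
    "irc.twiny.net", "irc.grolier.net", "irc.club-internet.fr", "irc.emn.fr",
    "irc.insat.com", "irc.ncal.verio.net", "irc.skybel.net", "irc.easynet.co.uk",
}
IRC_PORT = 6667  # 'ircd' in the usual /etc/services (assumption for this example)

# John's strain: web-looking traffic to this host, which mimics HTTP to get
# through a firewall instead of relaying via IRC.
WEB_HOST, WEB_PORT = "206.57.24.70", 80


def build_bpf_filter():
    """Return a single tcpdump/argus filter expression covering both indicators."""
    irc = " or ".join(f"host {h}" for h in sorted(IRC_SERVERS))
    return (f"tcp and ((dst port {IRC_PORT} and ({irc})) "
            f"or (dst host {WEB_HOST} and dst port {WEB_PORT}))")


# Constructed record layout (assumption, not Argus's exact format):
#   "<date> <time> <proto> <src>.<sport> <dir> <dst>.<dport> <state>"
RECORD_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\S+) (?P<src>\S+)\.(?P<sport>\d+) "
    r"(?P<dir>\S+) (?P<dst>\S+)\.(?P<dport>\d+) (?P<state>\S+)$")


def parse_record(line):
    """Parse one flow record; return a dict, or None if the line does not fit."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def matches_indicator(rec):
    """True when the record is a TCP attempt to a watchlisted server and port."""
    if rec["proto"] != "tcp":
        return False
    if rec["dport"] == IRC_PORT and rec["dst"] in IRC_SERVERS:
        return True
    return rec["dst"] == WEB_HOST and rec["dport"] == WEB_PORT


def classify(log_text):
    """Count indicator hits per source and apply Russell's rule of thumb:
    one hit is a high chance of infection, repeated hits are near certainty."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and matches_indicator(rec):
            hits[rec["src"]] += 1
    return {src: ("almost certainly infected" if n >= 2
                  else "high chance of infection")
            for src, n in hits.items()}


# Constructed sample log: two IRC attempts from .15, one fake-web hit from .22,
# a benign UDP flow from .30, and one IRC hit plus one non-ircd-port miss from .40.
SAMPLE_LOG = """\
02/03/00 09:12:01 tcp 192.0.2.15.1034 -> irc.twiny.net.6667 RST
02/03/00 09:12:02 tcp 192.0.2.15.1035 -> irc.grolier.net.6667 RST
02/03/00 10:02:44 tcp 192.0.2.22.2001 -> 206.57.24.70.80 FIN
02/03/00 10:03:10 tcp 192.0.2.22.2005 -> www.example.net.80 FIN
02/03/00 10:15:00 udp 192.0.2.30.1200 -> 192.0.2.1.53 CON
02/03/00 11:00:00 tcp 192.0.2.40.3000 -> irc.emn.fr.6667 RST
02/03/00 11:20:00 tcp 192.0.2.40.3001 -> irc.emn.fr.6668 RST
"""

if __name__ == "__main__":
    print(build_bpf_filter())
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

One caveat when feeding the generated expression to tcpdump or ra: `host irc.twiny.net` is resolved to an address when the filter is compiled, so a server name that no longer resolves makes libpcap reject the whole filter. If that happens, replace the dead name with the address it used to have or drop it from the list.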


