Invision Trojaned?


Invision Trojaned?

Postby MiNdErAsR » Wed Jun 25, 2003 2:13 pm

We found a bot channel on our network, and every one of them responds to version with "mIRC v6.03 —I-n-v-i-s-i-o-n—". Has anyone come across this before? Perhaps landing a password? Please email me with details if so, so we can clean these buggers off our network.

TIA
MiNdErAsR
Member
Posts: 108
Joined: Wed Apr 03, 2002 10:01 pm
Location: New York

Postby [slider] » Thu Jun 26, 2003 9:52 am

Small question: what channel and network is this happening on, please? We had the same sort of thing a while back.
[slider]
Member
Posts: 60
Joined: Tue Jan 14, 2003 3:05 pm

Postby MiNdErAsR » Thu Jun 26, 2003 2:22 pm

The channel is #newbeez, but I'd rather not mention the network for obvious reasons. The channel was keyed too, but I never got a password. I simply cleared it (via services) to gain access. Here's an example of what happens...

[17:59:00] Werk97 has joined.
[18:09:05] <Werk97> Hello all
[18:09:07] <Werk97> Man this !#@! is Boring.
[18:09:10] <Werk97> Is anyone here?
[18:09:12] <Werk97> Is anyone here?
[18:09:15] <Werk97> Is anyone here.
[18:09:17] <Werk97> Is anyone here,
[18:09:20] <Werk97> Is anyone here
[18:09:22] <Werk97> Is anyone here
[18:09:25] <Werk97> Is anyone here?
[18:09:28] <Werk97> Is anyone here.
[18:09:30] <Werk97> Is anyone here
[18:09:33] <Werk97> Hmm..... the Afk bug.

It repeats this pattern every 10 minutes.
MiNdErAsR
Member
Posts: 108
Joined: Wed Apr 03, 2002 10:01 pm
Location: New York
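The two things the thread has to go on are the identical CTCP VERSION reply every bot gives (first post) and the timed "Is anyone here" burst quoted above. The following is an added example, not code from the thread or from the Invision project, showing how a channel operator could pick both indicators out of a plain-text log: it parses timestamped lines in the `[HH:MM:SS] <nick> text` form quoted above, collapses the punctuation variants ("here?", "here.", "here,") into one key, and flags any nick that repeats the same message a configurable number of times within a short window; a second helper pulls the version string out of a raw CTCP VERSION notice so it can be compared against the "I-n-v-i-s-i-o-n" marker. The sample log, the `alice`/`bob` lines and the raw notice line are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the burst quoted in the thread plus two ordinary lines
# added so the detector has benign traffic to ignore.
SAMPLE_LOG = """\
[17:59:00] Werk97 has joined.
[18:09:05] <Werk97> Hello all
[18:09:07] <Werk97> Man this !#@! is Boring.
[18:09:10] <Werk97> Is anyone here?
[18:09:12] <Werk97> Is anyone here?
[18:09:15] <Werk97> Is anyone here.
[18:09:17] <Werk97> Is anyone here,
[18:09:20] <Werk97> Is anyone here
[18:09:22] <Werk97> Is anyone here
[18:09:25] <Werk97> Is anyone here?
[18:09:28] <Werk97> Is anyone here.
[18:09:30] <Werk97> Is anyone here
[18:09:33] <Werk97> Hmm..... the Afk bug.
[18:10:02] <alice> hey werk, you ok?
[18:10:40] <bob> ignore it, that nick is scripted
"""

# Log lines of the form "[HH:MM:SS] <nick> message"; join/part lines do not match.
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] <([^>]+)> (.*)$")

# A CTCP VERSION reply arrives as NOTICE <target> :\x01VERSION <string>\x01
CTCP_VERSION_RE = re.compile(r"NOTICE \S+ :\x01VERSION ([^\x01]*)\x01")

# Marker from the thread's VERSION reply (the spaced-out product name).
INVISION_MARKER = "I-n-v-i-s-i-o-n"


def normalize(text):
    """Drop trailing punctuation/whitespace and case so the variants collapse."""
    return re.sub(r"[\s?.,!]+$", "", text).casefold()


def parse(log):
    """Return a list of (timestamp, nick, message) for chat lines only."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_bursts(events, min_repeats=5, window=timedelta(seconds=60)):
    """Return (nick, normalized_message, count) for every nick that repeats one
    normalized message at least min_repeats times within `window`."""
    per_nick = defaultdict(list)
    for ts, nick, msg in events:
        per_nick[nick].append((ts, normalize(msg)))

    hits = []
    for nick, msgs in per_nick.items():
        for i, (start_ts, key) in enumerate(msgs):
            count = sum(1 for ts, k in msgs[i:]
                        if k == key and ts - start_ts <= window)
            if count >= min_repeats:
                hits.append((nick, key, count))
                break  # one report per nick is enough
    return hits


def ctcp_version(raw_line):
    """Extract the version string from a raw CTCP VERSION notice, else None."""
    m = CTCP_VERSION_RE.search(raw_line)
    return m.group(1) if m else None


def looks_like_invision_bot(raw_line):
    """True when the VERSION reply carries the marker seen in the thread."""
    version = ctcp_version(raw_line)
    return version is not None and INVISION_MARKER in version


if __name__ == "__main__":
    for nick, key, count in find_bursts(parse(SAMPLE_LOG)):
        print(f"{nick}: '{key}' repeated {count} times within 60s")
    # Constructed raw server line, not a capture from the affected network.
    notice = ":Werk97!ident@host NOTICE me :\x01VERSION mIRC v6.03 I-n-v-i-s-i-o-n\x01"
    print("VERSION reply matches marker:", looks_like_invision_bot(notice))
```

Run against the thread's own excerpt this reports `Werk97` repeating "is anyone here" nine times inside the window, while the two ordinary lines produce nothing. The VERSION check is deliberately a substring match rather than an exact comparison, because the reply quoted in the thread contains characters that survive extraction inconsistently; the spaced-out product name is the stable part.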

Postby PiersPlowman » Thu Jun 26, 2003 3:17 pm

Hmm,

NOD32 (and I believe McAfee) detect a trojan in one of the DLLs.

Below is from NOD:

C:\Program Files\mIRC\Invision\Stdio.dll - IRC.Flood.AK trojan

I had been considering this as a false positive since neither KAV Pro nor TDS-3, nor PestPatrol had noticed anything.

[FWIW, I *STILL* think it is a false positive and unrelated to the above post but I thought it best to throw it out there just in case :)]

HTH,

Piers
PiersPlowman
Member
Posts: 4
Joined: Thu Jun 26, 2003 3:11 pm

Just in case...

Postby PiersPlowman » Thu Jun 26, 2003 5:00 pm

In order to help rule out the case for a trojaned default install of Invision I have established a connection to Austnet and am leaving it open while I have my firewall host (a separate host) log all packets to/from anyone on ports 6666 - 6669.

Of course I don't know if this matches the port range allowed on the impacted net, and if I knew that I could change the tcpdump process accordingly. Any other suggestion on improving the test would be welcome.

Regards,

Piers
PiersPlowman
Member
Posts: 4
Joined: Thu Jun 26, 2003 3:11 pm

Postby MiNdErAsR » Thu Jun 26, 2003 5:48 pm

Just to clarify (the thread topic can be deceiving), generally speaking I don't believe Invision is trojaned. Just that someone may have hacked a copy and could be spreading it where the true version can be obtained. I started this thread with the intention of providing a heads up to Cryo, and to hopefully find someone who may have encountered a similar scenario with this particular bot. Rather than gline bots all day, (once a password/logon is found) I'd prefer to clean the infected machines so they don't return to our network. The only port our network listens on is 6667, if that's any help.
MiNdErAsR
Member
Posts: 108
Joined: Wed Apr 03, 2002 10:01 pm
Location: New York

Postby PiersPlowman » Thu Jun 26, 2003 7:14 pm

FWIW,

In the two hour capture session from my perimeter firewall I only captured IRC traffic to three different hosts.

In quick succession at launching Invision I had two failed connection attempts: the first, to a definite Austnet server (the network I was wanting to connect to), led to a series of SYN / RESET pairs until it went on to the next server, which I can't confirm is Austnet's but IS an Australian host (the IP was 203.89.209.20); this was a short sequence of unresponded SYNs, and then finally the establishment of the connection with the server I remain connected to.

Just out of curiosity, I ran an ngrep on the capture file for any occurrence of a channel name starting with N (both cases) and found nothing.

Your point is well taken, however, that there may be an odd trojanized version distributed from a non-official mirror. I just wanted to test my setup as I do get those apparent "trojan" alerts on this version. I never saw any strange activity from my laptop but thought I would put it through a more formal test :)

Regards,

Piers
PiersPlowman
Member
Posts: 4
Joined: Thu Jun 26, 2003 3:11 pm
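Piers's test (logging everything to and from ports 6666-6669 on a separate firewall host, then reading the capture for refused, unanswered and established connections) is the right shape for ruling a client in or out, and the reading step can be automated. The block below is an added example and is not Piers's tcpdump setup or anything shipped with Invision: it takes per-packet summaries in the form a `tcpdump -n` line boils down to (time, source, source port, destination, destination port, TCP flags), groups them into flows toward the IRC port range from one client address, and classifies each flow as `refused` (SYN answered by RST, the SYN/RESET pairs described above), `unanswered` (only outbound SYNs) or `established` (SYN, SYN-ACK, ACK). The packet list and all addresses are constructed from documentation ranges; `192.0.2.10` stands in for the laptop running the client.

```python
from collections import defaultdict

# The port range the firewall was told to log (6666-6669 inclusive).
IRC_PORTS = range(6666, 6670)

# Constructed packet summaries: (seconds, src, sport, dst, dport, tcp_flags)
# Flags use tcpdump's notation: S=SYN, S.=SYN-ACK, R=RST, .=ACK, P.=PSH-ACK.
# Addresses are documentation-range placeholders, not hosts from the thread.
PACKETS = [
    (0.00, "192.0.2.10", 1034, "198.51.100.1", 6667, "S"),   # first server: refused
    (0.02, "198.51.100.1", 6667, "192.0.2.10", 1034, "R"),
    (3.00, "192.0.2.10", 1035, "198.51.100.1", 6667, "S"),   # client retries, refused again
    (3.02, "198.51.100.1", 6667, "192.0.2.10", 1035, "R"),
    (6.00, "192.0.2.10", 1036, "203.0.113.5", 6667, "S"),    # second server: never answers
    (9.00, "192.0.2.10", 1036, "203.0.113.5", 6667, "S"),
    (15.0, "192.0.2.10", 1036, "203.0.113.5", 6667, "S"),
    (21.0, "192.0.2.10", 1037, "203.0.113.9", 6667, "S"),    # third server: handshake completes
    (21.2, "203.0.113.9", 6667, "192.0.2.10", 1037, "S."),
    (21.2, "192.0.2.10", 1037, "203.0.113.9", 6667, "."),
    (22.0, "192.0.2.10", 1037, "203.0.113.9", 6667, "P."),
    (40.0, "192.0.2.10", 1038, "192.0.2.99", 80, "S"),       # non-IRC noise, must be ignored
]


def irc_flows(packets, client):
    """Group packets into flows keyed by (server_ip, server_port, client_port),
    keeping only traffic between `client` and the IRC port range.
    Each flow is a list of (direction, flags) with direction 'out' or 'in'."""
    flows = defaultdict(list)
    for _t, src, sport, dst, dport, flags in packets:
        if src == client and dport in IRC_PORTS:
            flows[(dst, dport, sport)].append(("out", flags))
        elif dst == client and sport in IRC_PORTS:
            flows[(src, sport, dport)].append(("in", flags))
    return flows


def classify(events):
    """Label one flow from the flag sequence seen on it."""
    seen = set(events)
    if ("in", "S.") in seen and ("out", ".") in seen:
        return "established"          # full three-way handshake observed
    if ("in", "R") in seen:
        return "refused"              # server answered the SYN with a reset
    if all(d == "out" and f == "S" for d, f in events):
        return "unanswered"           # only our SYNs, nothing came back
    return "other"


def summarize(packets, client):
    """Map every IRC flow from `client` to its outcome label."""
    return {key: classify(ev) for key, ev in irc_flows(packets, client).items()}


def servers_contacted(summary):
    """Distinct server addresses the client tried, regardless of outcome."""
    return {ip for (ip, _port, _cport) in summary}


if __name__ == "__main__":
    summary = summarize(PACKETS, "192.0.2.10")
    for (ip, port, cport), outcome in sorted(summary.items()):
        print(f"{ip}:{port} (from local port {cport}): {outcome}")
    print("distinct servers:", len(servers_contacted(summary)))
```

On the constructed capture this lists two refused attempts to the first server, one unanswered flow to the second and one established session with the third, and three distinct servers overall, which is the same picture Piers describes. Anything that shows up as `established` to a host that is not one of the intended network's servers is the thing worth chasing; a flow to port 80 or any other non-IRC port never enters the summary, so the logging filter, not this script, decides what else is worth looking at.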

Postby PiersPlowman » Fri Jun 27, 2003 9:11 am

One last ;) follow-up: as of today's definitions NOD32 no longer alerts on stdio.dll.
PiersPlowman
Member
Posts: 4
Joined: Thu Jun 26, 2003 3:11 pm

Invision trojaned

Postby marcus dj 007 » Wed Dec 03, 2003 1:11 pm

marcus dj 007
Member
Posts: 2
Joined: Mon Dec 01, 2003 11:16 am

FYI

Postby Riamus » Wed Dec 03, 2003 4:20 pm

Riamus
Global Moderator
Posts: 1783
Joined: Fri May 03, 2002 9:01 pm
Location: Massachusetts, USA

A few things to note...

Postby cryoa » Thu Dec 04, 2003 12:29 pm

cryoa
Global Moderator
Posts: 474
Joined: Tue Mar 26, 2002 10:01 pm
Location: NA
