[Intrusions] New Trojan on the block [CIA Trojan]
Chris Norton
kicktd_list at hotmail.com
Sun Aug 29 07:35:05 GMT 2004
Hello everyone,
After getting infected somehow by a new trojan, I submitted it to the fine folks at ISC, where it was dubbed Win32/Small.AR and classified as a downloader trojan. Last night I decided to do an analysis of this trojan myself, and after following it and doing a quick Google search for one of the directories it called up when accessing a website, I found that the very same site would redirect me to another site from which you could download a new server/client trojan like the infamous Sub7. Some of the features of this new trojan, taken from its readme, are shown at the end of this message. I have created the following Snort rule to help detect any connections in or out from the trojan or its server:
alert ip any any -> any any (msg:"Possible CIA trojan activity"; content:"CIA 1."; content:"pass"; classtype:trojan-activity; sid:5000825; rev:1;)
If anyone wants to make a better Snort rule, you are more than welcome to. As of this writing there are no known AV signatures available to detect this new trojan, and there have been over 2,800 downloads from the website, so this trojan is currently being used in the wild.
["Features" taken from the readme]
Capture Screen/Webcam/Windows with greyscale JPEGs
Improved CGI/PHP logging system ( logs country , Webcam & Operating System - Check Loggers Directory )
Server is Semi-Polymorphic, sometimes only 7% the same signature ( packed with UPX )
DOS Shell ( capture the output of remote commands )
Detailed Connection Monitor
Grab Yahoo passwords in password recovery
Don't Send Notifies if Detects LAN ( 192.*.*.* )
Detect Server Connection ( Modem / Lan / Proxy )
Get More Paths In Information
Get Sound Card Driver in Info
Get Drivers Info
Cd Keys Updates ( Thx 2 Death-Wish who did all the hard work )
Delete Files By Path ( File Manager )
Enumerate Registry keys
Added a webdloader ( download on install or control from client )
Get Recently opened media files
Get recently searched files
Get recently Opened files
Get Recently Run Files
Disable Command Prompt
Enable Command Prompt
Disable System Restore
Enable System Restore
Disable Task Manager
Enable Task Manager
Disable Registry Editor
Enable Registry Editor
Disable System Restore
Disable Command Prompt
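The rule posted above ANDs two `content` options with no `distance`/`within` between them, so Snort matches each substring anywhere in the payload, in any order, on any IP protocol. The following is an added example, not code from the original post or the trojan: a small Python model of those Snort matching semantics, run over constructed sample payloads (the real CIA protocol is not described in the post beyond the two substrings, so none of these samples is a capture of the trojan). It also tries an ordered variant of the rule, which is an assumption of mine, not something the post proposes.

```python
"""
Added example (not code from the original post): a small model of Snort
'content' matching, used to run the posted CIA rule over constructed
payloads and compare it with an ordered variant.

In a Snort rule every 'content' must match, but without 'distance'/'within'
each one is searched over the whole payload independently, so order and
proximity are ignored. 'distance:N' starts the next search N bytes past the
end of the previous match and 'within:N' bounds how far that search may run.
The model is approximate; it covers only these keywords plus 'nocase'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    distance: Optional[int] = None  # relative to end of previous match
    within: Optional[int] = None    # search window after that point


@dataclass
class Rule:
    msg: str
    contents: List[Content]


def _find(payload: bytes, c: Content, start: int, end: int) -> int:
    """Index of c.pattern inside payload[start:end], or -1 (case folded if nocase)."""
    hay, needle = payload, c.pattern
    if c.nocase:
        hay, needle = hay.lower(), needle.lower()
    return hay.find(needle, start, end)


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """True if every content option matches, honouring distance/within."""
    prev_end = 0  # end offset of the previous content match
    for c in rule.contents:
        relative = c.distance is not None or c.within is not None
        if relative:
            start = prev_end + (c.distance or 0)
            end = start + c.within if c.within is not None else len(payload)
        else:
            start, end = 0, len(payload)  # absolute: whole payload, any order
        idx = _find(payload, c, start, end)
        if idx < 0:
            return False
        prev_end = idx + len(c.pattern)
    return True


# The rule as posted: two unordered, case-sensitive substrings.
POSTED_RULE = Rule("Possible CIA trojan activity",
                   [Content(b"CIA 1."), Content(b"pass")])

# Ordered variant (an assumption, not from the post): "pass" must start
# within 32 bytes after the version banner. In Snort syntax this would be
#   content:"CIA 1."; content:"pass"; distance:0; within:32;
ORDERED_RULE = Rule("Possible CIA trojan activity (ordered)",
                    [Content(b"CIA 1."),
                     Content(b"pass", distance=0, within=32)])

# Constructed sample payloads. "cia_banner" is a guess at what a banner
# followed by a password prompt could look like; it is NOT a real capture.
SAMPLES: Dict[str, bytes] = {
    "cia_banner": b"CIA 1.0 server ready\r\npass?\r\n",
    "cia_upper":  b"CIA 1.0 server ready\r\nPASS?\r\n",   # upper-case "PASS"
    "ftp_login":  b"USER anonymous\r\nPASS guest@\r\n",
    "http_form":  (b"POST /login HTTP/1.0\r\n\r\n"
                   b"user=bob&pass=hunter2&note=CIA 1.1 report"),
    "unrelated":  b"GET /index.html HTTP/1.0\r\n\r\n",
}


def evaluate(rule: Rule, samples: Dict[str, bytes] = SAMPLES) -> Dict[str, bool]:
    """Run one rule over every sample and report which ones would alert."""
    return {name: rule_matches(rule, data) for name, data in samples.items()}


if __name__ == "__main__":
    for rule in (POSTED_RULE, ORDERED_RULE):
        print(rule.msg)
        for name, hit in evaluate(rule).items():
            print(f"  {name:<11} {'ALERT' if hit else '-'}")
```

Two things fall out of running it: the posted rule fires on the constructed HTTP form post, because "pass" appears anywhere and "CIA 1." happens to occur in a free-text field, while the ordered variant does not; and neither rule matches the upper-case "PASS" sample, since `content` is case-sensitive unless `nocase` is added. Whether `nocase` or an ordering constraint is appropriate depends on the real banner, which the post does not show, so treat the variant as a starting point to validate against a capture, not a drop-in replacement.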