[Dshield] "New" Trojan: DIRT

Sue Young smy at gcmlp.com
Mon Mar 18 16:17:32 GMT 2002


That's a good reason to use Kaspersky anti-virus.  Since they're based in
Moscow and have a lot of international customers, there's less reason for
them to ignore Magic Lantern.

For the record, I'm not actually concerned about Magic Lantern, just Trojans
based on it.  After all, if law enforcement is installing this on the bad
guys' machines, some of the bad guys are going to figure it out and possibly
find a way to use it for their own benefit.

Sue Young

-----Original Message-----
From: Jonathan G. Lampe [mailto:jonathan at stdnet.com] 
Sent: Friday, March 15, 2002 2:05 PM
To: list at dshield.org
Subject: [Dshield] "New" Trojan: DIRT


DIRT, a program being marketed to law enforcement as a remote key capturer 
and file grabber (http://www.codexdatasystems.com/) has been "released" to 
the public.  (http://www.theregister.co.uk/content/55/24433.html)

Functionally similar to Back Orifice, DIRT was nabbed a few days ago - 
today the same sites which have been mirroring the borrowed software (which 
required a key) also have working versions for download - hence the 
"release" of this little toy.

Most troubling for SysAdmins is the debate brewing over "detectability" of 
DIRT.  Some claim the codebase of DIRT and the FBI's "Magic Lantern" is 
similar and not by accident 
(http://cryptome.org/dirty-lantern.htm).  Although the major anti-virus 
vendors have said that they will detect and clean Magic Lantern, some 
analysts doubt their sincerity 
(http://netsecurity.about.com/library/weekly/aa121901a.htm, 
http://www.wired.com/news/conflict/0,2100,48648,00.html, 
http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A3371-2001Nov22&notFound=true). 


In other words, the worry was that an alleged back door set up for use by 
the FBI might be exploited by others misusing Magic Lantern or using tools 
with signatures similar to Magic Lantern - and one of those tools (DIRT) 
may just have entered the wild.

Happy St. Pat's,

- Jonathan Lampe, GSNA, GCIA, etc.  

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list