New Trojan disables firewall defences

Johannesburg, 31 May 2001

Holton & Associates today announced that network managers have been warned to be on the lookout for the first Trojan capable of destroying a firewall, after it was unleashed onto the Internet.

Y3K Rat 1.6 disables well-known firewalls such as BlackIce, McAfee and Network Anti-Virus, allowing the Trojan to attack an undefended network.

Dave Duke, technical director at Cryptic Software, said Y3K Rat 1.6 marked the first of many security-targeted attack tools. "These self-modifying Trojans are becoming harder to detect with current technology," he said.

"Initial research indicates that the software monitors the process list for known security products and, upon discovery, terminates the tasks leaving the system open to attack," he explained. "This also seem

Robert Graham, chief technical officer at Network ICE, said the company was looking at the threat, but wasn't overly concerned. "It is a new technique that we have to respond to. Virus and Trojan writers are always in a state of an ever-escalating arms race, where vendors like us have to respond to every new technique," he said. "The Trojan cannot terminate our processes when running on a properly secured Windows 2000 system. That is why we recommend Windows 2000 over 98 or Me to our corporate customers," he added.
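The technique Duke describes (scanning the process list for security products and terminating them) leaves a simple trace on the defender's side: a process that should always be running disappears between two looks at the process table. The following watchdog is an added example, not code from the article or from any vendor named in it; the protected process names and the two snapshots are constructed, and the snapshot format is assumed to be a plain "image name, PID" listing.

```python
"""Detect a security product that was terminated between two snapshots.
Process names and snapshots are constructed examples (not real products)."""
import re
from typing import Iterable, Set

# Constructed list of process names this site expects to be always running.
PROTECTED = {"fwdaemon.exe", "avmonitor.exe", "idsagent.exe"}

def parse_tasklist(text: str) -> Set[str]:
    """Extract image names from a tasklist-style listing (assumed format:
    'image name  PID' per line; header and non-matching lines are skipped)."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s*$", line.strip(), re.IGNORECASE)
        if m:
            names.add(m.group(1).lower())
    return names

def missing_protected(running: Iterable[str]) -> Set[str]:
    """Protected processes absent from a single snapshot."""
    return PROTECTED - {n.lower() for n in running}

def killed_between(before: Iterable[str], after: Iterable[str]) -> Set[str]:
    """Protected processes present in `before` but gone in `after`: the
    signature of a product being terminated rather than never started."""
    b = {n.lower() for n in before}
    a = {n.lower() for n in after}
    return (b - a) & PROTECTED

# Constructed snapshots: all three protected processes alive, then two gone.
SNAPSHOT_T0 = """\
Image Name      PID
explorer.exe    1204
fwdaemon.exe    1360
avmonitor.exe   1388
idsagent.exe    1412
"""
SNAPSHOT_T1 = """\
Image Name      PID
explorer.exe    1204
idsagent.exe    1412
newproc.exe     1520
"""

if __name__ == "__main__":
    t0, t1 = parse_tasklist(SNAPSHOT_T0), parse_tasklist(SNAPSHOT_T1)
    for name in sorted(killed_between(t0, t1)):
        print(f"ALERT: protected process {name} disappeared between snapshots")
```

Run the comparison from a separate, higher-privileged account than the one ordinary programs use, for the reason Graham gives: a process that cannot be terminated by the Trojan is also one whose alert cannot be silenced by it.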

Duke said that Y3K Rat 1.6 was the most comprehensive, fully featured insider hacking tool he had discovered to date. It has its own .exe wrapping tool to compress and hide the executable content and can even extend itself to avoid detection from hash-based fingerprinting techniques.

On a dial-up system the Trojan does not start the listener service until a network connection is made, hiding the threat from the typical netstat command. Pressing one button in the client tool on a previous version of the Trojan allowed it to hide from Norton's anti-virus software.

The Trojan is reported to have some unusual features, including the ability to overclock a system's processor speed causing data corruption, and the ability to write errors to the hard disk to prevent booting even from safe mode.

It can also seek out cached passwords, spy on users and record their screens.

CyberSight uses an internal technique, part of its shape engine, to detect wrapped or bound files. CyberSight detected this threat before anyone else had seen it, and its separate fingerprint engine also detected it.

Holton & Associates

Holton & Associates is the exclusive and sole distributor in Africa for Command F-Prot Anti-Virus Software, Cryptic Intrusion Detection Software and WinVista Lockdown Security Software. These companies support and focus on good business governance, and specialise in desktop security, management, e-mail and private-information encryption, and anti-virus software products.

Editorial contacts

Paul Booth
Global Research Partners
(082) 568 1179
pabooth@cis.co.za
Grayford Holton
Holton and Associates
(011) 789 4585
holton@compumail.co.za