----Forwarded text--------------------------------------------------
Subject: backdoor trojan in ICKill
Date: Sun, 7 Jun 1998 19:44:28 -0400
From: Bachrach <bachrach@netreach.net>
To: BUGTRAQ@NETSPACE.ORG

First off, I'm not 100% sure if this is the appropriate forum for this since it's not really a weakness, but rather a programmer who is putting backdoors into some programs. Then again technically that's an exploit... Oh I don't know. If this is the wrong place then I apologize profusely for the waste of bandwidth and plead ignorance, but here goes:

Well, chances are none of you guys have ever used this program, or even heard of it, but there are a lot (35,000) of people who have. I originally downloaded it because I've been researching a lot of the weaknesses in the ICQ protocol, (which has become easier as time has gone on. :)) Anyway, after you run it, (ICKill), it creates a file in the directory called 1.exe that acts as a fake explorer. 1.exe accesses your regedit database, and copies itself to windows/system. It changes the regedit so that the fake one will run on startup. It acts mostly the same as the normal explorer with one very crucial exception. It contacts a host (I still can't figure out which one), and executes the commands that are embedded within a text file on the computer. Anyone see it yet? Backdoor city.

I contacted the author (who left his e-mail address in the readme), and he's the one who explained the backdoor thing. He also told me a few other things that made me write up to this group. He said that he had gotten almost 35,000 different people's systems calling up his computer at one point; essentially he has backdoors to 35,000 systems across the globe. When I asked him why he would go through all the trouble to do this he gave me two reasons:

1. IF (and he emphasized the if) he was a hacker he could use a couple of other people's computers as hops when hacking into a system. Kind of nasty for the sysadmin trying to trace a break-in huh?
2. To quote him "And the backdoors can auto-update themselves.. so Imagine I can code a virus like backdoor... Whoaaa! This will be like THAT internet worm.."
3. He also said "Imagine also.. 35,000 backdoored (yeah, I reached this number) connections pinging or SYN flooding some server.."

Well if anyone out there is using or has ever used ICKill then get rid of it. I have actually set up a page on this to both inform people and explain how to get rid of all traces of the program that I currently am able to at http://members.tripod.com/~hakz/ICQ/index.html That site also has all of the letters I wrote to him and he wrote to me if you want to see the entire things. It's also got some other info I couldn't fit into this message, including all of the mistakes the author made (guess he needed better beta testing).

My last question is this: if one person has backdoors into thousands of computer systems, doesn't that pose some sort of risk to the internet community as a whole? There's one person who's been saying that I should notify the FBI about this. As you can see I decided to start here first.
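The post describes the persistence mechanism (a file named 1.exe copied into windows\system and registered to run at startup as a fake explorer) but not the exact registry key. The following is an added example, not code from the post or its author: it scans a regedit export for Run/RunOnce entries matching that description. The key names, the .reg sample and the "fake explorer" heuristic are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a regedit export of the per-machine Run key.
# The "Explorer" value mirrors the behaviour described in the post (assumed value name).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Explorer"="C:\\WINDOWS\\SYSTEM\\1.EXE"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''

SUSPECT_BASENAME = "1.exe"  # file name taken from the post

# Standard Run/RunOnce autostart keys (either hive); value lines look like "name"="command".
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for every string value under a Run/RunOnce key."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_key = m.group(1) if m else None  # leave other keys unselected
            continue
        m = VALUE_RE.match(line)
        if current_key and m:
            # .reg exports double every backslash inside string values; undo that
            entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def executable_path(command):
    """Strip surrounding quotes and trailing arguments to get the program path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def find_suspect_entries(reg_text):
    """Flag autostart entries matching the post: 1.exe, or a fake 'explorer' binary."""
    hits = []
    for _key, name, command in parse_run_entries(reg_text):
        path = PureWindowsPath(executable_path(command))
        if path.name.lower() == SUSPECT_BASENAME:
            hits.append((name, str(path), "startup entry runs 1.exe"))
        elif name.lower() == "explorer" and path.name.lower() != "explorer.exe":
            hits.append((name, str(path), "value named Explorer points at another binary"))
    return hits
```

On a live Win9x-era system the same check would be run against `regedit /e` output for both the HKLM and HKCU Run keys; the entry's target file should then be compared against the real shell binary before removal.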