Privacy Software Corporation Security Advisory
Sunday, February 16, 2003
 
 KAZAAKRYPTON TROJAN HORSE PROGRAM

[Screenshot of a victim's machine; the trojan is invisible.]
 

SYNOPSIS:

KAZAAKRYPTON (and similar programs such as IGLOO KAZAA) are the beginning of a new trend in trojan horse backdoors which take advantage of people downloading "cracked" or "free" software, music, or pornography from Kazaa and Kazaa-like file sharing servers on the internet. KAZAAKRYPTON, IGLOO and a few others we have seen in the last few days all share a common pattern: the victim downloads an executable file or archive that looks interesting, and running it opens a hidden backdoor server on the machine. That server then joins the file sharing networks, serving up more copies of the trojan alongside whatever files the "innocent" user adds to the "collection."

Analysis of these new trojans has determined that once started, they begin making multiple copies of themselves into a subfolder of the main "Windows" folder on the affected machine. Roughly 6 new copies of the original trojan are produced per minute, rapidly filling the victim's hard disk with deliberately chosen filenames and files of differing size. The varying sizes and the filenames, often the names shown in the screenshot above, chosen to entice downloading, make it extremely difficult for a Kazaa or similar file sharing host to determine which files are legitimate and which are backdoors. Because of the manner in which antivirus products function, a pattern match against these files would also be difficult, as the size and layout of the content surrounding the backdoor are unpredictable and therefore potentially elusive.

On machines which contain KAZAA, the backdoor trojan adds an entry to the registry as follows:

    HKEY_CURRENT_USER\Software\Kazaa\LocalContent "Dir6"

which points to a folder called:

    C:\WINDOWS\User32

which contains the multiple copies of the trojan under numerous "interesting names" in order to entice parties visiting the Kazaa server to download the trojan. In our testing, an average of 6 new files were created every minute.

On machines that do NOT contain Kazaa, these backdoors will open ports 113 and 30201 and behave LIKE a Kazaa server, setting up shop in the same location in the registry and broadcasting their availability irrespective of whether the "victim" is running a file sharing server or not.

When running, KAZAAKRYPTON and similar tools consume tremendous amounts of CPU time, resulting in an obvious slowdown of the victim's computer, with rest periods of ten seconds or longer between salvos of file creation. Slowing of internet access on broadband connections is also noticeable, especially when the victim is not running Kazaa or similar "file-sharing" software.

Proliferation of this backdoor depends on people with less than the most honest intentions "reaching for the low-hanging fruit" of obtaining paid, licensed software for free. The warning signs of suspicious content are "cracked registration keys," "full version downloads of commercial software," "cracked music CDs," and popular gamingware. The filenames of the infected files (as seen in the screenshot of a victim machine above) are designed to entrap casual software and music consumers looking for a "freebie."

The KAZAAKRYPTON backdoor creates a process named "CMD32" which is visible in the Task Manager (Ctrl+Alt+Del) and can be stopped, whereupon the copying of more files to C:\WINDOWS\User32 ceases. However, all files in that folder must be considered suspect and should be deleted in their entirety, especially if the "User32" folder exists on a machine that doesn't have Kazaa installed.

The IGLOO KAZAA trojan behaves in a similar fashion but sets up shop in a folder called C:\WINDOWS\Sys32. Same situation, less prolific.
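As an added example (not the advisory's own tooling, nor BOClean's), the following Python script checks two of the indicators described above from a defender's side: it parses a regedit .reg export of the Kazaa LocalContent key for Dir entries that point under the Windows folder (User32 for KAZAAKRYPTON, Sys32 for IGLOO), and measures the peak file-creation rate of a drop folder, which the advisory puts at about 6 per minute. The .reg text and the timestamps are constructed for the example; only the key and folder names come from the advisory.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Share-list key named in the advisory; legitimate shares never live under the Windows folder.
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"
_DIR_VALUE = re.compile(r'^"(Dir\d+)"="(.*)"$')


def parse_kazaa_local_content(reg_export: str) -> Dict[str, str]:
    """Return {DirN: path} for the Kazaa LocalContent key in a regedit .reg export."""
    dirs, in_key = {}, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                       # key header starts a new section
            in_key = line.strip("[]").lower() == KAZAA_KEY.lower()
            continue
        m = _DIR_VALUE.match(line) if in_key else None
        if m:                                          # .reg exports double every backslash
            dirs[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return dirs


def suspicious_share_dirs(dirs: Dict[str, str], windows_dir: str = r"C:\WINDOWS") -> List[str]:
    """Names of Dir entries that point under the Windows folder (User32, Sys32 and the like)."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return sorted(name for name, path in dirs.items() if path.lower().startswith(prefix))


def peak_creation_rate(created: List[datetime], window: timedelta = timedelta(minutes=1)) -> int:
    """Largest number of files created inside any sliding window; the advisory saw about 6/min."""
    times, best, start = sorted(created), 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:              # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


# Constructed sample inputs, not captured from a real victim machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DownloadDir"="C:\\My Shared Folder"
"Dir0"="C:\\My Shared Folder"
"Dir6"="C:\\WINDOWS\\User32"
'''
_T0 = datetime(2003, 2, 16, 12, 0, 0)
# Two salvos of six files eight seconds apart, separated by a twenty-second rest.
SAMPLE_CREATED = ([_T0 + timedelta(seconds=8 * i) for i in range(6)]
                  + [_T0 + timedelta(seconds=60 + 8 * i) for i in range(6)])
```

On a live machine the same functions can be fed the output of `reg export HKCU\Software\Kazaa\LocalContent` and the creation times of the files in the flagged folder.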

Privacy Software Corporation's BOClean 4.10 software, designed to detect and defeat trojan horse programs, is fully effective in removing these servers regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine.
 

COPYRIGHTED MATERIAL:

Copyright (c) 2003 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.