Phase 0 security advisory - Privacy Software Corporation

Privacy Software Corporation Security Advisory Monday, December 14, 1998 PHASE-0 INTERNET TROJAN HORSE PROGRAM Screenshot of the program they use against your machine. What runs on your machine is completely invisible.

Screenshot of the program they use against your machine. What runs on your machine is completely invisible.

SYNOPSIS:

A programmer known as "Njord of kr0me" has released a Windows95/98/NT trojan horse program named "Phase 0" or "Phase zero." Phase 0 consists of a client program called "Client.exe" which is run on a remote computer to gain access to any computer connected to a TCP/IP network or the internet. An executable server program is required to be installed on the victim's computer to permit the remote site access to the victim's computer in a manner similar to Netbus, Back Orifice and other internet "Remote administration" trojan horses. This program exploits security vulnerabilities in Windows95, Windows98 and Windows NT platforms. Reported delivery modes include transfer through IRC and AOL chat rooms, email file attachments, exploits of security holes in browsers and email programs and physical installation on machines. This program has just surfaced in the United States, but has been growing in use in Europe and Asia. It is NOT widespread at this time but it is expected to be soon.

The server program for the Phase 0 trojan horse can be given any name by the party who places it on the victim's machine which makes it difficult, but not impossible to identify after it has been installed. The server is provided under three filenames consisting of SETUP.EXE, PHASE.EXE and CLIENT.EXE but it will function and place itself into a system using the filename MSGSVR32.EXE, leaving no reference of nor any of the original files installed on the machine.

Privacy Software Corporation's BOClean 2.01 software, designed to detect and defeat trojan horse programs, is fully effective in removing the Phase 0 server regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine. This precludes the risks of registry editing and possible loss of data and permits the victim to remove the program and continue their use of a TCP/IP connection without loss of work or time.

While the server is a completely different design from other trojans, its behaviors are similar as is the means of exploitation of the victim's machine. Where this trojan horse is installed, it is capable of doing serious damage to a machine or the network it's on. Phase 0 is stealthy and does not appear on the task manager's list of running programs.

CAPABILITIES:

The Phase 0 server permits anyone using the Phase 0 "client.exe" client on their end to remotely control the victim's machine. Phase 0 is a risk to all Win32 platforms including Windows95, Windows98 and Windows NT. It consists of an integrated remote ftp client, a remote file system control, the ability to spawn processes and to manipulate the windows registry. It can be configured to run on any port but the default version is configured to port 555 unless changed by a configuration program included with Phase 0.

Privacy Software Corporation has already received reports of this and similar trojan horse programs from BOClean customers in actual operation on their machines. We quote from the documentation shipped with Phase 0 below verbatim:

FTP UPLOAD tell the server to upload the specified local file via ftp to remote path
FTP DOWNLOAD tell the server to download the specified remote file via ftp to local path
EXECUTE [s|h] execute a file (S=show window, H=hide window)
CHANGE DIRECTORY
LIST DIRECTORY a file mask is required, path is optional (example: D:\WINNT\*.*)
CREATE DIRECTORY
REMOVE DIRECTORY
SHOW CURRENT DIR
COPY FILE
MOVE FILE
RENAME FILE
DELETE FILE
TYPE FILE type the specified text file
HEX TYPE FILE shows an hexadecimal dump of the specified binary or text file
SHOW DIALOG BOX shows the specified message into a dialog box on the server
LOCKUP SERVER locks up the server
TRASH SERVER trashes the server and locks it up
REG CREATE KEY create the specified registry key
REG DELETE KEY deletes the specified registry key
REG DELETE VALUE deletes the specified registry value
REG CHECK KEY determines if a key or a name exists
REG SET CURRENT KEY sets the currently open registry key
REG READ KEY VALUE read the specified key's value
REG WRITE KEY VALUE creates or updates the specified key and associated value
REG LIST KEYS lists available keys in the currently open key
REG LIST VALUES lists available values in the currently open key
TERMINATE SESSION terminates the current session only
UNLOAD SERVER terminates all connections and unloads the server
please note that this is the first public beta of phAse zero, and it is by no means complete. possible future additions: file sharing support, stealth key logging, media player, integrated port and host scanner, plugins, etc.

MANUAL REMOVAL OF PHASE 0 SERVER:

The Phase 0 server will install its program in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key with a string value of "SystemDLL32" with data pointing to the file which was installed IF it is installed without configuration by the perpetrator. A SETUP.EXE program is included with the trojan kit which will allow this to be changed so these names may not be the names you find.

It is necessary to remove the registry subkey first. It will not be possible to remove the program file while the server is running and you may also be prevented from shutting down the computer. A reboot will be required in order to restart the machine without the Phase 0" server being reloaded at which time the file pointed to in the registry can be removed without further risk.

As a result, care should be taken to back up your registry first as well as your programs and files in the event that removal of the registry entry results in damage to your system. Use of Privacy Software Corporation's BOClean 3.01 program will safeguard against this possibility by removing the program and its registry entries automatically without risk of damage, or the need to disconnect the infected machine or reboot.

COPYRIGHTED MATERIAL:

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warrantees, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Copies of the Phase 0 distribution as captured by Privacy Software Corporation will only be provided to recognized security interests and responsible, recognized members of the press with the technical capability to conduct independent research on this trojan horse program or in the alternative, we will provide the URL where the programs can be obtained independently. Copies will NOT be provided by us to any other parties. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.

TOP