October 08, 1998 (5:45 PM EDT)

Trojan Horse Infests 15,000 Internet Chat Users

By Andy Patrizio

Back Orifice, the controversial hacker tool released in August that exposes Windows 98 machines to remote manipulation over a network, may have found its way onto 15,000 or more computers, thanks to a Trojan horse that was released on the Internet chat network.

The infestation took place on Internet Relay Chat (IRC), a real-time chat network on the Internet. The Trojan horse reached only the computers of users who transferred files on IRC.

The Trojan horse scheme was uncovered by Web page hosting company GeoCities after it received thousands of non-HTTP requests -- coming from something other than a Web browser -- for a single file from its server.

In a one-minute period, GeoCities received 3,522 requests for the "nfo.zip" file, which was in one of its members' directories. GeoCities has been receiving requests for the file since Aug. 18, and the number grew to more than 15,000 until the high traffic caught the company's attention.

Neither GeoCities members nor systems were ever endangered, according to a company spokesman. "We've experienced no downtime on our servers and none of our members have been affected," said Bruce Zanca, a spokesman for GeoCities, in Marina del Rey, Calif.

GeoCities would not say whether the company knows who or where the file came from, or what steps it is taking to track down the perpetrator. "Suffice it to say, we've got this under control," said Zanca.

Although IRC has many channels dedicated to everything from computer games to TV shows, there are also channels with nothing but files to transfer, including pornographic pictures and videos, MP3 music, software, and even movies.

The files are transferred from one person to another or via software programs called "bots," which send files automatically. Bots can serve up hundreds or thousands of files in the course of a day.

When an IRC user requested a file, a bot then sent the Trojan horse along with the requested file. Once the Trojan horse got onto the user's computer, it fetched the nfo.zip file from the GeoCities server.

One tell-tale sign the Trojan horse may be a derivative of Back Orifice is that it uses the same port Back Orifice uses. Also, like Back Orifice, once the computer is infected, a remote user can access and control the computer.

The Internet is a risky place, and taking files from unknown sources is really exposing oneself to risk, said one analyst. "Your behavior while online has a good deal to do with whether good or bad things happen to you," said Jim Balderston, analyst with Zona Research.

Balderston isn't surprised an enterprising hacker has found a newer, more effective way to get Back Orifice onto people's computers. "It's a constantly escalating measure-countermeasure battle," he said. With major anti-virus programs like McAfee VirusScan and Norton Anti-Virus updated to catch Back Orifice, it's important that users keep their anti-virus programs up to date.
