From: Fred Cohen <fc@all.net>
Subject: New attack on PGP keys with a Word Macro
I just got a look at a Word file (CALIG.DOC) that contains user IDs and
passwords to pornographic sites. In addition to these pointers, it has a
Trojan Horse that finds the user's private PGP key ring and ftp's it to:
209.201.88.110 (codebreakers.org)
user anonymous
password itsme@
directory incoming
binary mode
stored name: NewSecRingFile[0-9][0-9][0-9][0-9]
This Trojan does its job in visual basic and - except for the initial
notice (if enabled) that macros are present - gives no indication of this
function that it performs. I figure the best defense against this is to:
1) Have thousands of users ftp phony files to that IP address
and filename on a regular basis, thus making it impossible to
get any real PGP keys - preferably send valid-looking PGP keys
so they have to waste a lot of time cracking them.
2) Cut off all service for ftp with 209.201.88.110 (codebreakers.org)
- either at the ISP, at your gateway, or at the borders to your country.
3) Prosecute for possession of access devices - with international
cooperation between authorities.
4) Tell your people that this has been done so they will stop looking at
pornography listing files fat chance this will work).
At any rate, I hope that you will take prudent precautions within your
organization against this potential attack on the security of your private
keys.
Fred Cohen & Associates: http://all.net - fc_at_all.net - tel/fax:925-454-0171
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Thu Mar 11 17:16:49 1999