http://news.bbc.co.uk/hi/english/sci/tech/newsid_302000/302753.stm
Wednesday, March 24, 1999 Published at 17:52 GMT
Sci/Tech
'Trojan horse' program steals passwords
A free e-mail program called ProMail is stealing users' names and
passwords and sending them to an unknown person.
The information allows simple access to the victims' messages.
The recipient is presumably the creator of what is termed a "Trojan horse"
virus. A teenager called "David" has claimed responsibility in an e-mail
to Ken Williams, who runs Packet Storm Security, a Web security site.
The message was sent from an anonymous address and so cannot be verified.
"I just wanted to increase the public's awareness on the problem of
Internet privacy," the "David" character said.
"If a program written by a teenager can be spread SO EASILY over the Net,
unchecked, and even be used by the Armed Forces, then something must be
wrong.
"But let me assure all you people using ProMail, I did not use, store,
sell or do anything with your passwords or other data. And I did not
download your mail."
Security implications
In an e-mail earlier this week, Ken Williams said:
"The security implications and severity of the situation are truly
astounding."
He believes hundreds of thousands of account names and passwords may have
been harvested by ProMail. Some in the Net security community think it is
the most widely distributed Trojan ever.
ProMail v1.21 has been widely available through major freeware sites such
as shareware.com and simtel.net. It has been made available on at least
114 other sites and it is impossible to know when, or even if, it will be
removed from all sites.
The virus works by gathering the username, password and server name for
the 'POP3' system, which transfers e-mail from the server to the user, and
then packages the information up and sends it all off in an e-mail.
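The mechanism described above, a mail client quietly posting the user's POP3 server, username and password to a third party inside an ordinary e-mail, is the kind of thing an outbound-mail filter can flag. The following is an added example written for this page, not code from the article, from ProMail or from any of the parties it names; the field layout of the exfiltration message is an assumption for illustration (the article does not document ProMail's actual format), and both sample messages are constructed.

```python
import re
from email import message_from_string

# Constructed sample of an outbound message carrying POP3 credentials.
# The "Server/Username/Password" layout is assumed for illustration;
# the real ProMail message format is not documented in the article.
SAMPLE_EXFIL_MESSAGE = """\
From: user@example.invalid
To: dropbox@example.invalid
Subject: registration

POP3 Server: pop.example.invalid
Username: alice
Password: hunter2
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN_MESSAGE = """\
From: user@example.invalid
To: friend@example.invalid
Subject: lunch

Are we still on for Thursday? The server room is booked until 2.
"""

# Field labels that, appearing together in one body, suggest mail-account
# credentials are being sent in clear text. Each pattern captures the value.
CREDENTIAL_FIELDS = {
    "server": re.compile(r"^\s*(?:pop3?\s*)?server\s*[:=]\s*(?P<value>\S+)", re.I | re.M),
    "username": re.compile(r"^\s*user(?:name)?\s*[:=]\s*(?P<value>\S+)", re.I | re.M),
    "password": re.compile(r"^\s*pass(?:word)?\s*[:=]\s*(?P<value>\S+)", re.I | re.M),
}


def body_text(raw: str) -> str:
    """Return the text/plain body of a raw RFC 822 message as a string."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def find_credential_fields(raw: str) -> dict:
    """Map each credential field label found in the body to its value."""
    text = body_text(raw)
    found = {}
    for name, pattern in CREDENTIAL_FIELDS.items():
        match = pattern.search(text)
        if match:
            found[name] = match.group("value")
    return found


def looks_like_credential_exfil(raw: str) -> bool:
    """Flag a message only when username and password travel together.

    A lone 'server:' line is common in ordinary support mail, so it is not
    enough on its own; the pairing is what characterises a credential dump.
    """
    found = find_credential_fields(raw)
    return "username" in found and "password" in found


def scan_outbound(messages) -> list:
    """Return the indexes of messages in an outbound queue that should be held."""
    return [i for i, raw in enumerate(messages) if looks_like_credential_exfil(raw)]


if __name__ == "__main__":
    queue = [SAMPLE_BENIGN_MESSAGE, SAMPLE_EXFIL_MESSAGE]
    for idx in scan_outbound(queue):
        print(f"message {idx} held: fields {sorted(find_credential_fields(queue[idx]))}")
```

The check is deliberately conservative: it requires a username and a password on labelled lines in the same body, so ordinary mail that mentions a server is not held. In practice a filter like this would run on the mail relay rather than on the suspect client, since a client that leaks credentials cannot be trusted to police itself.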
Ian Whalley, Senior Programmer with UK anti-virus software company Sophos
PLC, told BBC News Online: "POP3 is very prevalent these days - it's in
use everywhere."
Nightmare problem
"On the face of it, private e-mail is the major problem, as corporations
tend not to use POP3. But it's very hard to tell as it is very widely
used.
"A Trojan horse in this type of application is new. You could in theory
disinfect it, but there are plenty of other e-mail clients out there, so
it's best just to get rid of ProMail."
Whalley says wiping ProMail from the Web will be extremely hard: "You
could trace all the logs back but it would be a nightmare."
ProMail's creator used open source code for the core program, which works
very well. He then inserted the Trojan horse.
The program seems to have been made available around 24 February. The
problem was first publicised on the Bugtraq news group on 19 March by Aeon
Labs and was confirmed by Pine Security Digest.
Aeon tracked where the password-carrying e-mail messages were sent to: a
free web-based account. In the messages already there, they found details
of e-mail accounts from Microsoft, the US Army and a video games company.
Simtel no longer makes ProMail available. It has also given what
information it has about the supplier of ProMail to the FBI, US Army
Counterintelligence and Interpol.
Received on Thu Mar 25 09:37:57 1999