Magnus
Administrator
Ad astra per aspera.
Posts: 4105
|
 |
Re: Noob Series Trojans?
« Reply #1 on: Feb 25th, 2002, 5:38pm » |
 Quote  Modify
|
The Noob trojan is malicious HTML code that writes some specially crafted script code to the scripting files of an IRC client called mIRC (IRC is a large text-based chat system with its own servers). This is actually a very general problem with the mIRC client because the author has built powerful scripting capabilities into it. If someone puts some specially crafted code into its scripting files then he can do some pretty nasty things to that user's machine.
The Noob issue can only affect a user if he visits an "infected" HTML page and clicks Yes in the security warning dialog box that pops up which alerts the user that a potentially harmful ActiveX object in the page wishes to execute. Furthermore, the installed malicious scripting commands cannot be exploited by any means unless the user then starts up mIRC and connects to an IRC server.
It would be very possible to add detection in TrojanHunter for the script files, but the problem with mIRC script files is a much larger one because malicious script files can be created in many different ways. I have had thoughts about creating a generic mIRC script file analyzer to protect mIRC users from such scripts but that will not make it into TrojanHunter until version 3.0 at the earliest. Unfortunately I can't elaborate on that technology here, for what I hope are obvious reasons.
In short, the Noob trojan is not a remote access trojan per se but rather a piece of mIRC scripting code. The trojan does not create any Windows executable files nor does it run as a process. The malicious scripting code can only be exploited if the user has the mIRC IRC client installed and it is not possible to exploit it unless a user is connected to an IRC server.
|
Mischel Internet Security Forum
Reply
Notify of replies
Send Topic
Print
Author
IP Logged
Search
Members
Login
Register