"RingZero Trojan Program"
October 22, 1999
RingZero demonstrates a new, aggressive reconnaissance
technique that is currently being used to map target systems and could be
used to support malicious activities. Large numbers of government and commercial
sites have seen an unusual amount of network scans coming from multiple origins
in the past two months. This activity involves a windows-based Trojan program
called Ring Zero that is designed to infect client machines without the users'
This Trojan appears to be a remote controlled distributed scanning engine that
is configured to scan ports 80 (common port for World Wide Web), 8080 (common
port for World Wide Web Proxy Services), and 3128 (common squid proxy services)
and send collected IP addresses and open port information to what appears to
be a data collection script running on a machine located at www.rusftpsearch.net .
Its origins are currently unknown, but unconfirmed reports indicate that it
was distributed initially via e-mail, possibly with another program such as
a screen saver or game. Although Ring Zero appears to contain no malicious
code, each infected client machine continues to perform electronic reconnaissance
every time it is turned on.
As cited by NSWC's John Green, this activity reflects a significant advance
in distributed attack technology because of Ring Zero's transmission rate;
dynamic configuration options (may be able to go from scanning to attacking);
and automated result consolidation.
NIPC recommends using the system administration, networking and security (SANS)
Institute published information to block unneeded services as a defense against
the Ring Zero Trojan. If services on ports 80, 8080, and 3128 are used, system
administrator personnel should examine outbound traffic originating from these
ports that are directed to unknown or suspicious sites. The NIPC strongly recommends
that activity of this nature be reported to the appropriate CERT organizations,
information technology security organizations, or the NIPC.