Rule: --Sid: 3015-- Summary: This event is generated when an attempt is made to request a connection on port 2000 using the Insane Network 4.0 trojan.-- Impact: If connected, the attacker could remotetly execute a multitude of functions resulting in a full compromise of the victim's machine.--Detailed Information:Insane Network 4.0 uses port 2000 as its default, but -2000, or port 63536, incarnations also exist.Insane Network 4.0 has a number of functions. The following strings are indicative of a particular Insane Network 4.0 attack.Be aware that some versions of Insane Network 4.0 will send their attack strings one letter at a time. For example,to send the bomb command, some versions will send only one letter per packet, resulting in bomb being spelled out in multiple packets.Format: Name of function (Description of what it does *only if necessary*) - string to look forBomb ("Bombs" monitor) - bombSnow (Makes monitor snowy) - snowMelt ("Melts" the screen) - meltReverse (Reverses screen) - reverseCopy File - cp followed by a file name and the destination pathCtrl-Alt-Del (Enable/Disable Ctrl-Alt-Del) - cad -e (for enable) cad -d (for disable)Delete File - rm followed by a file name, including pathFile List - ls followed by directoryFile Sharing (Gets shared file password information) - shareDial-Up Passwords (Get Dial-up password information) - passwdMake Text File - mktextPopup Message - popupRead File - cat followed by a file name, including pathReboot - rebootRegistry Edit - regrunRename File - ren followed by a file and its new nameRun File - exec followed by a file name, including pathShutdown - shutdownTaskbar (Enable/Disable Task Bar) - task -e (for enable) tast -d (for disable)Telnet - telnet--Affected Systems:Windows 95/98/ME/NT/2000--Attack Scenarios: The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise.Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner programto find the IP addresses of victims that have installed the program. Then the attacker enters the IP address, port number (which is assigned to the server program by the attacker: default is 2000), and presses the connect button and he has access to your computer.-- Ease of Attack: Easy. Simply a matter of pressing the connect button once the victim has installed the server.-- False Positives:None known--False Negatives:None known-- Corrective Action: Remove insane network.exe and commands.txtKill insane network.exe in the process listKeep your anti-virus software updated with the latest virus definitions.--Contributors:Original Rule Writer: Ricky Macatee <rmacatee@sourcefire.com> Sourcefire Vulnerability Research Team-- Additional References:http://www.pestpatrol.com/PestInfo/i/insane_network.asp--