Europe South Asia Asia Pacific Americas Middle East Africa BBC Homepage World Service Education



Front Page

World

UK

UK Politics

Business

Sci/Tech

Health

Education

Sport

Entertainment

Talking Point

In Depth

On Air

Archive
Feedback
Low Graphics
Help

Wednesday, March 24, 1999 Published at 17:52 GMT


Sci/Tech

'Trojan horse' program steals passwords



A free e-mail program called ProMail is stealing users' names and passwords and sending them to an unknown person.

The information allows simple access to the victims' messages.

The recipient is presumably the creator of what is termed a "Trojan horse" virus. A teenager called "David" has claimed responsibility in an e-mail to Ken Williams, who runs Packet Storm Security, a Web security site.

The message was sent from an anonymous address and so cannot be verified.

"I just wanted to increase the public's awareness on the problem of Internet privacy," the "David" character said.

"If a program written by a teenager can be spread SO EASILY over the Net, unchecked, and even be used by the Armed Forces, then something must be wrong.

"But let me assure all you people using ProMail, I did not use, store, sell or do anything with your passwords or other data. And I did not download your mail."

Security implications

In an e-mail earlier this week, Ken Williams said: "The security implications and severity of the situation are truly astounding."

He believes hundreds of thousands of account names and passwords may have been harvested by ProMail. Some in the Net security community think it is the most widely distributed Trojan ever.

ProMail v1.21 has been widely available through major freeware sites such as shareware.com and simtel.net. It has been made available on at least 114 other sites and it is impossible to know when, even if, it will be removed from all sites.

The virus works by gathering the username, password and server name for the 'POP3' system, which transfers e-mail from the server to the user, and then packages the information up and sends it all off in an e-mail.

Ian Whalley, Senior Programmer with UK anti-virus software company Sophos PLC, told BBC News Online: "POP3 is very prevalent these days - it's in use everywhere."

Nightmare problem

"On the face of it, private e-mail is the major problem, as corporations tend not to use POP3. But it's very hard to tell as it is very widely used.

"A Trojan horse in this type of application is new. You could in theory disinfect it, but there are plenty of other e-mail clients out there, so it's best just to get rid of ProMail."

Whalley says wiping ProMail from the Web will be extremely hard: "You could trace all the logs back but it would be a nightmare."

ProMail's creator used open source code for the core program, which works very well. He then inserted the Trojan horse.

The program seems to have been made available around 24 February. The problem was first publicised on the Bugtraq news group on 19 March by Aeon Labs and was confirmed by Pine Security Digest.

Aeon tracked where the password-carrying e-mail messages were sent to - a free web-based account. In the messages already there, they found details of e-mail accounts from Microsoft, the US Army and a video games company

Simtel no longer makes ProMail available. It has also given what information it has about the supplier of ProMail to the FBI, US Army Counterintelligence and Interpol.





Advanced options | Search tips




Back to top | BBC News Home | BBC Homepage | ©


Sci/Tech Contents


Relevant Stories

02 Feb 99 | Sci/Tech
Computer virus sparks fireworks





Internet Links


Sophos PLC

Packet Storm Security

Data Fellows: ProMail

Aeon Labs

Pine Security Digest

Bugtraq


The BBC is not responsible for the content of external internet sites.




In this section

World's smallest transistor

Scientists join forces to study Arctic ozone

Mathematicians crack big puzzle

From Business
The growing threat of internet fraud

Who watches the pilots?

From Health
Cold 'cure' comes one step closer