Need help from all ET tech people. Is this anything significant? This dude is saying he found several "hupigons" at oil giants Shell and Baker Hughes. I looked up "hupigon" and it's a secret, backdoor entry into a computer system. What's going on here?

HBGary Email Viewer
greg@hbgary.com
Original file: 26865

From:
To:
Date: Thu, 27 Jan 2011 17:53:02 -0800
Subject: Sandpit

Full headers
-----
delivered-to: greg@hbgary.com
return-path:
received-spf: pass (google.com: domain of Shane_Shook@mcafee.com designates 67.97.80.206 as permitted sender) client-ip=67.97.80.206;
authentication-results: mx.google.com; spf=pass (google.com: domain of Shane_Shook@mcafee.com designates 67.97.80.206 as permitted sender) smtp.mail=Shane_Shook@mcafee.com
from:
to:
date: Thu, 27 Jan 2011 17:53:02 -0800
subject: Sandpit
thread-topic: Sandpit
thread-index: Acu+jhkvNeRf5BkPSGSL68k4orjHgw==
message-id: <381262024ECB3140AF2A78460841A8F703505C1A92@AMERSNCEXMB2.corp.nai.org>
accept-language: en-US
content-language: en-US
x-ms-has-attach:
x-ms-tnef-correlator:
acceptlanguage: en-US
content-type: text/plain; charset="iso-8859-1"
content-transfer-encoding: quoted-printable
mime-version: 1.0

Attachments: This e-mail does not have any attachments.

Hey Greg, not sure if Stu told you but McAfee set up a sandpit to listen for the trojan from the dyndns addresses we have registered. Ryan wrote a listener service for it. I'm transferring the 5 that I know today - cia.selfip.com, bhi.thruhere.net, bakerhughes.thruhere.net, shell.is-a-chef.com, and shell.office-on-the.net.

I'm really interested to learn about the gray pigeon code you have. I've got several hupigon detections at BH and Shell and want to figure out if they are related or coincidental.

On another note, we now have 3 different versions of the same C&C application (zwshell.exe). 2 of them use the same password; I haven't figured out how to enter the password in the 3rd, though. While our first version is C, the others are Delphi and double the size - though with the same capabilities and GUI. I can send you samples. I really wish I could find the source code for it - or a published version on the net. It looks so familiar, but I can't find where I've seen it before.

I was thinking I'd come to your office next Friday?

- Shane

--------------------------
Shane D. Shook, PhD
Principal IR Consultant
425.891.5281
Shane.Shook@foundstone.com
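The "sandpit" in the message above is a sinkhole: once the dyndns names are registered to McAfee, any host that still resolves them and connects is an infected machine announcing itself. The companion check an incident responder would run on the victim side is a retrospective sweep of DNS query logs for the same five names, to find infected hosts that beaconed before the sinkhole went live. The following is an added example, not code from the e-mail, from McAfee's listener or from HBGary. The five hostnames are the ones Shane lists; the BIND-style query-log format and the log lines themselves are constructed for illustration, and the real logs in that investigation are not on the page. It goes slightly beyond the message by matching subdomains of the listed names on label boundaries, so `update.bakerhughes.thruhere.net` is a hit while `notshell.is-a-chef.com` is not.

```python
"""Sweep DNS query logs for lookups of the sinkholed C2 hostnames (added example)."""
import re
from collections import defaultdict

# The five dyndns hostnames named in the e-mail above.
SINKHOLED_DOMAINS = {
    "cia.selfip.com",
    "bhi.thruhere.net",
    "bakerhughes.thruhere.net",
    "shell.is-a-chef.com",
    "shell.office-on-the.net",
}

# Constructed sample log in a BIND-style query-log layout (assumption: the
# real log format from the investigation is not on the page). Mixed case, a
# trailing dot, a subdomain and a look-alike name are included on purpose.
SAMPLE_DNS_LOG = """\
27-Jan-2011 17:41:02.113 client 10.20.31.7#51234: query: shell.is-a-chef.com IN A + (10.20.0.5)
27-Jan-2011 17:41:05.001 client 10.20.31.7#51235: query: www.example.com IN A + (10.20.0.5)
27-Jan-2011 17:42:10.442 client 10.20.44.19#40011: query: BakerHughes.thruhere.net. IN A + (10.20.0.5)
27-Jan-2011 17:43:00.900 client 10.20.44.19#40012: query: update.bakerhughes.thruhere.net IN A + (10.20.0.5)
27-Jan-2011 17:44:12.300 client 10.20.9.2#53001: query: notshell.is-a-chef.com IN A + (10.20.0.5)
27-Jan-2011 17:45:33.711 client 10.20.31.7#51240: query: cia.selfip.com IN A + (10.20.0.5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname):
    """Lower-case and drop the trailing dot so 'Foo.Example.Com.' equals 'foo.example.com'."""
    return qname.lower().rstrip(".")


def matched_watch_domain(qname, watchlist=SINKHOLED_DOMAINS):
    """Return the watchlist entry this query name hits, or None.

    Exact matches and subdomains count. The comparison walks label boundaries
    instead of using endswith(), so a name that merely shares a suffix
    (notshell.is-a-chef.com) does not produce a false positive.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_beaconing_hosts(log_text, watchlist=SINKHOLED_DOMAINS):
    """Map each client IP that looked up a watchlisted name to its (ts, qname, matched) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line; skip rather than guess
        matched = matched_watch_domain(m["qname"], watchlist)
        if matched:
            hits[m["src"]].append((m["ts"], normalize(m["qname"]), matched))
    return dict(hits)


if __name__ == "__main__":
    for src, events in sorted(find_beaconing_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{src}: {len(events)} lookup(s) of sinkholed C2 names")
        for ts, qname, matched in events:
            print(f"    {ts}  {qname}  -> watchlist entry {matched}")
```

Hosts surfaced this way are candidates for the same memory and disk triage the message discusses; a DNS lookup alone shows intent to reach the C2, not which implant (zwshell or a Gray Pigeon variant) made it.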