New Breed of Trojan Raises Security Concerns

Discussion in 'other security issues & news' started by spy1, Jun 17, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    From this article: http://www.eweek.com/article2/0,3959,1126743,00.asp


    By Dennis Fisher

    "Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack.
    However, experts have been unable to pin down many of the details of the program's behavior and are unsure how many machines might be compromised by the Trojan.

    The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size. Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on.


    The Trojan is also capable of spoofing the source IP addresses for the packets it sends, making it much more difficult for researchers to track infected hosts. The program appears to scan IP addresses at a rate that enables it to scan about 90 percent of the IP addresses on the Internet in 24 hours, according to officials at Lancope Inc., an Atlanta-based security vendor. The company has seen the new Trojan on its own honeynet and has also observed it on the network at a university.

    The company said it was alerted to the existence of the Trojan by an employee at a defense contractor and later notified both the FBI and the CERT Coordination Center. A spokesman for the FBI confirmed that the bureau was aware of the issue, but said there was little it could do unless there's an incident.

    "Until something happens, the FBI is on the sidelines on this one," said Bill Murray, spokesman for the FBI in Washington. "There's not really anything to investigate."

    Unlike typical Trojans, the new program does not have a controller e-mail address written into the source code. "

    Is this thing for real? Pete
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    If it is real - what do you look for in your firewall logs to show its' existence and attempts? Pete
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hey spy1,

    There have been numerous posts on the Security Focus "Incidents" listserv but I haven't had time to really read through them.

    Anyone wanting to go over them, the original post/thread was

    "Help with an odd log file..."

    which subsequently diverged into an additional thread

    "Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)"

    Either way, if you go to

    http://www.securityfocus.com/search

    and search the site for

    Help with an odd log file

    you will see all the posts in both threads

    I haven't yet seen any analyses at incidents.org or NIPC
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Spy1,

    regarding detection/logging. I don't know if it would be detectable unless you have an IDS on your periphery (or possibly ngrep?). Still trying to catch up on the thread. :)
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, sir! Pete

    *Last time I checked my periphery, I was completely IDS'less! And, the last time I tried to grep something, things got ugly! :eek: Pete
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    If you have a host firewall you can use ngrep (it originated on *nix but has been ported to Win32. I am running it (now :) )on my OpenBSD Firewall host with the following commandline

    ngrep -x -X -s 1514 DA00

    (the latter argument is "55808" in hex but the only thing that has popped up thus far is return HTTP traffic from various web queries :) (Hmm.. this posting and all subsequent posts will trigger it as well :eek: , I will have to rerun the command, setting an ignore of port 80 packets...
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I got all that right up to the first "(" :eek: Pete
     
  8. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D lol i think i been hanging around you guys to much i got the jest of this topic lol

    normaly to hightech for me but from what i gather its a real nasty that is imposiable to detect by normal means or behavior

    it dont fit the typical trojan profile so it most likely can easly slip threw firewalls threw ports

    and infected machines behave normaly


    so i gather thers a darker purpose behind this more like a control effort by some group

    just waiting for the right time to attack type thing"

    was that the jest of it?

    or am i way off
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    You got it!

    Congratulations!!!

    You have graduated from the Wilders Security Academy.

    (and it didn't even cost $800)
     
  10. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :Dyeahhpiiiiiiiii I'm no longer a intermediate newb i have reached advance newb lol
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    :: scratching head ::

    So, what's higher than "Major Senior Newbie"? :doubt:

    "Colonel Senior Newbie"?

    :D
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :Dlol i love this place top notch security and great people
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Pete,

    http://www.wilderssecurity.com/showthread.php?t=10520

    Regards,

    Pieter
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Also about this one:

    http://www.infoworld.com/article/03/06/20/HNstumbler_1.html

    Regards,

    Pieter
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
Loading...
Thread Status:
Not open for further replies.