Trojan.Linux.Typot

Discussion in 'malware problems & news' started by Bowserman, Jun 22, 2003.

Thread Status:
Not open for further replies.
Bowserman (Infrequent Poster; joined Apr 15, 2003; 510 posts; South Australia):
    From Symantec: http://www.symantec.com/avcenter/

    "Trojan.Linux.Typot is a trojan horse affecting Linux systems. It generates TCP packets with a window size of 55808.

    Also Known As: 55808, Stumbler
    Type: Trojan Horse
    Infection Length: variable
    Systems Affected: Linux
    Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX


    Every second, Trojan.Linux.Typot sends a spoofed TCP packet on the network. The source and destination IP addresses of the packet are picked randomly. The packet has some fixed characteristics, including the TCP window size, which is set to 55808.

    Additionally, Trojan.Linux.Typot attempts to sniff network traffic, listening for packets that have a TCP window size of 55808. When such a packet is detected, Trojan.Linux.Typot creates a file called "r" in the current directory.

    Every 24 hours, Trojan.Linux.Typot checks if the file "r" has been created and, if this is the case, it attempts to connect to a fixed IP address (probably a machine controlled by the author of the trojan) on port 22/tcp (the SSH port). If the connection succeeds, Trojan.Linux.Typot deletes the file "/tmp/.../a" and exits. The deleted file may be the trojan executable itself.

    Trojan.Linux.Typot is statically linked against the libnet and libpcap libraries that it uses to forge and capture network traffic. It is also encrypted with the cryptelf utility."

    Regards, Jade ;).
     
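The only stable network marker the write-up above gives is the fixed TCP window size of 55808 (0xDA00); the source and destination addresses are random, so any detection has to key on the window field rather than on endpoints. The following is an added example, not code from the post or from Symantec: a stdlib-only parser that walks raw IPv4/TCP packets (no link-layer header assumed) and flags every segment carrying that window value. The packets it runs over are constructed inline with illustrative addresses, not captured traffic, and the helper names are my own.

```python
"""Flag TCP segments whose window size is 55808 (the Typot / 'Stumbler' marker).

Added example, not code from the original post or from Symantec.
Parses raw IPv4+TCP packets (no link-layer header) with the stdlib only.
The sample packets below are constructed here, not captured traffic.
"""
import socket
import struct
from typing import List, Optional, Tuple

TYPOT_WINDOW = 55808  # 0xDA00, the fixed window size described in the write-up


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   window: int, flags: int = 0x02, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + TCP packet (checksums left zero; fine for parsing)."""
    # TCP header: sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (5 << 4), flags, window, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto=6, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_tcp_window(pkt: bytes) -> Optional[Tuple[str, str, int, int, int]]:
    """Return (src, dst, sport, dport, window) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20:
        return None
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes (options included)
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                     # not TCP, or truncated TCP header
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]  # window sits at TCP offset 14
    return src, dst, sport, dport, window


def find_typot_packets(packets: List[bytes]) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, sport, dport) for every TCP segment with the marker window."""
    hits = []
    for pkt in packets:
        parsed = parse_tcp_window(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, window = parsed
        if window == TYPOT_WINDOW:
            hits.append((src, dst, sport, dport))
    return hits


# Constructed sample traffic: two ordinary SYNs and one Typot-style probe with
# spoofed, random-looking endpoints. Addresses are illustrative only.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 80, window=65535),
    build_ipv4_tcp("198.51.100.7", "203.0.113.3", 1025, 443, window=TYPOT_WINDOW),
    build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40001, 22, window=5840),
]

if __name__ == "__main__":
    for hit in find_typot_packets(SAMPLE_PACKETS):
        print("window-55808 segment:", hit)
```

The same check as a capture filter is `tcpdump -n 'tcp[14:2] = 55808'`, since bytes 14-15 of the TCP header are the window field. Because the write-up says both addresses are spoofed at random, a hit tells you the traffic is present on your segment but not which host sent it; to find the infected machine you have to look at the link-layer source (the originating MAC on the local segment) rather than the IP source.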