Slashdot Mirror


What's Behind The Odd Data?

citking writes "CNet is reporting that 'network administrators and security experts continue to search for the cause of an increasing amount of odd data that has been detected on the Internet.' While this has been going on now for a few days and some experts have already declared victory against the 'trojan', others aren't so sure that the real culprit has been identified yet. Other stories can be found here(1) and here(2)."

264 comments

  1. Shouldn't this be the.... by ReTay · · Score: 5, Insightful

    The “from the in case you thought the Internet is not closely watched dept”?
    Heh

  2. Re:increasing amount of odd data that has... by richy+freeway · · Score: 1, Funny

    Or Slashdotters posting comments...

  3. Interesting how ISS works... by evilviper · · Score: 5, Funny

    Just think, you can cause all the internet security firms to work overtime, just by:

    nc /dev/urandom

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Interesting how ISS works... by stonebeat.org · · Score: 1

      it is more likely that all of the ISS time and effort go into /dev/null :)

    2. Re:Interesting how ISS works... by SCY.tSCc. · · Score: 1

      > Just think, you can cause all the internet security firms to work overtime, just by:
      > nc /dev/urandom

      you've just posted an ISS DoS attack :-)

  4. Wintermute by Anonymous Coward · · Score: 4, Funny

    I say it's Wintermute.

    1. Re:Wintermute by Old+Man+Trouble · · Score: 0

      Yep, someone get Case on the case (absolutely horrendous pun intended).

    2. Re:Wintermute by gacp · · Score: 1

      Actually, it's Tux.

      --
      ``L'imagination au povoir.''
    3. Re:Wintermute by Anonymous Coward · · Score: 0

      Wintermute? Bah! I say Munga Bunga finally released Black Angel! http://www.hackology.com/programs/blackangel/ginfo.shtml

    4. Re:Wintermute by AndroidCat · · Score: 1

      Enh, Case is an anti-hero, or at least a dyspeptic one. I say we need a Hiro Protagonist!

      --
      One line blog. I hear that they're called Twitters now.
    5. Re:Wintermute by paganizer · · Score: 1

      Oh my god.
      My Evil Genius(tm) brother, who dropped out of site from the world in 1988, has finally released his P1(b) worm.
      We Are DOOMED! Doomed, I tell you!
      But, it should patch quite a few security holes, also.

      FREENET=Free speech.

      --
      Why, yes, I AM a Pagan Libertarian.
    6. Re:Wintermute by mink · · Score: 1

      Oolcay Itay.

      --
      Well I've wrestled with reality for thirty five years doctor, and I'm happy to say I finally won out over it.
  5. anyone remember.... by Anonymous Coward · · Score: 0

    ...whatever happened to the Magic Lantern? could this be it?

    "...I don't think it is a serious threat because it's not self-replicating," Meltzer said. "And it hasn't caused serious disruptions to anyone."

  6. Same amount as always by Anonymous Coward · · Score: 4, Funny

    I've been monitoring this for a long time, the amount of odd data is always 50%.

    1. Re:Same amount as always by Anonymous Coward · · Score: 0

      Not when your parity bit is set to even...

    2. Re:Same amount as always by SEWilco · · Score: 2, Funny
      Not when your parity bit is set to even...

      The parity bit is the data. The other 50K is just stuff to make the parity have the desired value.

  7. For those too lazy to read the article : ) by arete · · Score: 5, Informative

    Basically, there's a new trojan, sort of.

    It apparently requires being installed by hand by the originator (or someone else, I suppose). But then it makes the machine into an effective zombie for the originator.

    It does a good job of hiding the infection - sending out 1000 spoofed addresses for each real one.

    It targets linux only, at least so far.

    It is apparently trying to map internet connected networks.

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
    1. Re:For those too lazy to read the article : ) by DoktorTomoe · · Score: 3, Insightful

      Hm, that's a theory. May I ask humbly if there is any proof for it?

    2. Re:For those too lazy to read the article : ) by Anonymous Coward · · Score: 5, Interesting

      Something's wrong with this theory. I have several thousand of these packets in my logs, but they started to appear back in October. They are directed at many ports (which are closed on my system), but each originator tries several times. Many attempts look like an eDonkey client trying to deliver a message, which is not unusual on a dynamic IP connection where the previous user of an IP apparently used filesharing programs. Either the window-size 55808 isn't that unusual or the "infection" has been around much longer. Another system on a static IP has yet to see even one packet with that window-size. If it's a mapping system, it certainly isn't random. It could be that ??AA-serving companies are looking for "tainted" filesharing clients which they could then ask to reveal more information about the system and their owners by using strange packets for hidden communication with the client. If this is true, the trojan which randomly sends out strange packets is merely a decoy.

    3. Re:For those too lazy to read the article : ) by espo812 · · Score: 1
      They are directed at many ports (which are closed on my system), but each originator tries several times.
      This is consistent with this analysis posted to Bugtraq. They believe it is a distributed port scanner. It has to scan the same host multiple times because it spoofs source addresses, so an infection somewhere on the network of the target has to sniff the results off and then log this back somewhere else.
      --

      espo
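The two observations above (a fixed TCP window size of 55808, and the same spoofed source repeatedly probing the same non-existent host and port) are what a network operator would key on to pick this traffic out of a packet capture. The following is an added example written for this mirror, not code from the thread or from any of the cited analyses. It builds a few constructed IPv4/TCP headers in memory (no live capture, checksums left at zero), parses them back, flags the ones carrying window 55808 (0xDA00), and counts how often an identical (src, sport, dst, dport) tuple recurs, so that a stream dominated by one repeated tuple, as several posters report seeing, stands out. The sample addresses and ports are invented.

```python
import struct
import ipaddress
from collections import Counter

# The TCP window size the articles key on: 55808 decimal is 0xDA00.
TROJAN_WINDOW = 55808
TCP_PROTO = 6


def build_packet(src, dst, sport, dport, window, seq=0, flags=0x02):
    """Build a minimal IPv4 header plus a 20-byte TCP header (SYN by default).

    Constructed test input only: checksums are left at zero because
    parse_packet() does not verify them.
    """
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,           # version 4, IHL 5 (20 bytes)
        0, 40,          # TOS, total length (20 IP + 20 TCP)
        0, 0x4000,      # identification, DF flag set
        64, TCP_PROTO,  # TTL, protocol
        0,              # header checksum (not computed)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, seq, 0,
        5 << 4,         # data offset 5 words, no options
        flags, window,
        0, 0,           # checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Return the IPv4/TCP fields we care about, or None for anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != TCP_PROTO or len(raw) < ihl + 20:
        return None
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", raw[ihl:ihl + 16])
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "sport": sport, "dport": dport, "flags": flags, "window": window,
    }


def analyse(raw_packets):
    """Flag window-55808 packets and count exact-tuple repeats.

    Returns (flagged, repeats): the parsed packets that carried the window
    size, and a Counter keyed by (src, sport, dst, dport).
    """
    flagged = []
    repeats = Counter()
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt is None or pkt["window"] != TROJAN_WINDOW:
            continue
        flagged.append(pkt)
        repeats[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] += 1
    return flagged, repeats


def top_repeat_fraction(flagged, repeats):
    """Share of flagged packets belonging to the single most repeated tuple."""
    if not flagged:
        return 0.0
    return repeats.most_common(1)[0][1] / len(flagged)


# Constructed sample traffic: three identical spoofed SYNs to one non-existent
# host, one more 55808 probe, one ordinary SYN, and an IPv6-looking blob.
SAMPLE_TRAFFIC = [
    build_packet("10.1.2.3", "192.0.2.77", 31337, 80, TROJAN_WINDOW),
    build_packet("10.1.2.3", "192.0.2.77", 31337, 80, TROJAN_WINDOW),
    build_packet("10.1.2.3", "192.0.2.77", 31337, 80, TROJAN_WINDOW),
    build_packet("198.51.100.9", "192.0.2.5", 40000, 22, TROJAN_WINDOW),
    build_packet("203.0.113.4", "192.0.2.5", 50000, 443, 65535),
    b"\x60" + b"\x00" * 39,
]

if __name__ == "__main__":
    flagged, repeats = analyse(SAMPLE_TRAFFIC)
    print(f"{len(flagged)} packets with window {TROJAN_WINDOW}")
    for key, n in repeats.most_common():
        print(f"  {key[0]}:{key[1]} -> {key[2]}:{key[3]}  x{n}")
    print(f"top tuple share: {top_repeat_fraction(flagged, repeats):.0%}")
```

The window-size match alone is a weak signal (any stack could legitimately advertise 55808), which is why the repeat counter matters: a real scanner spreading probes across a range looks nothing like one tuple replayed hundreds of times.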
  8. lol.. by ewithrow · · Score: 5, Funny

    Has this 'odd data' been corrupted with the evil bit or something?

    1. Re:lol.. by Peterus7 · · Score: 2, Funny
      No, even worse... Inside these 'odd data' packets they found thousands of txt files containing furry slash fanfics.

      And they found the true meaning of evil.

  9. What does odd data look like? by fireboy1919 · · Score: 5, Funny

    prompt> ping www.google.com
    PING www.google.com (216.239.33.101): 56 octets data
    64 octets from 216.239.33.101: icmp_seq=0 ttl=44 time=90.3 ms
    64 octets from 216.239.33.101: icmp_seq=1 ttl=44 time=91.2 ms
    64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=97.4 ms - odd data message "HELP ME! I'M TRAPPED IN THE INTERNET"
    64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=92.8 ms
    --- www.google.com ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    May be possessed by lost soul
    round-trip min/avg/max = 90.3/90.7/91.2 ms

    --
    Mod me down and I will become more powerful than you can possibly imagine!
    1. Re:What does odd data look like? by Anonymous Coward · · Score: 1, Funny

      Its "INTARWEB" you insensitive clod.

    2. Re:What does odd data look like? by Anonymous Coward · · Score: 0

      Yeah, it's pretty odd how the ICMP sequence number repeated like that. I wonder what could have been responsible.

    3. Re:What does odd data look like? by Anonymous Coward · · Score: 0

      I think it looks more like

      GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1

    4. Re:What does odd data look like? by 8tim8 · · Score: 5, Funny

      >odd data message "HELP ME! I'M TRAPPED IN THE INTERNET"

      Good lord. Isn't this the sort of thing the Internet Task Force was put together to help? I've never actually seen the task force but with a name like that I imagine they're like a geek version of the Justice League. In fact right now I bet they're sitting around a table at the Hall of TCP/IP, debating what to do next before flying off to rescue that poor, brave soul who is "trapped in the internet."

      I sleep better at night knowing we have heroes like that on our side.

    5. Re:What does odd data look like? by Anonymous Coward · · Score: 0
      I search serial to LEGO SOCCER MANIA

      Please Can you help me?

      Leon (email reply leonzawodowiec7@poczta.onet.pl)

    6. Re:What does odd data look like? by RdsArts · · Score: 1

      It's true! Just take a look at this!

      The dead have risen and are taking over the net!

    7. Re:What does odd data look like? by AndroidCat · · Score: 1

      It's no stranger than that hex sequence BADF00D that keeps cropping up in MS code.

      --
      One line blog. I hear that they're called Twitters now.
    8. Re:What does odd data look like? by Anonymous Coward · · Score: 0

      do you mean anything like DEADBEEF ?

    9. Re:What does odd data look like? by AndroidCat · · Score: 3, Funny

      I imagine if you leave DEADBEEF in your code for a few days, it turns into BADF00D.

      --
      One line blog. I hear that they're called Twitters now.
    10. Re:What does odd data look like? by Durendal · · Score: 2, Funny

      Carol Anne honey. Run to the gateway honey. Run to the light Carol Anne!

    11. Re:What does odd data look like? by SEWilco · · Score: 1
      "HELP ME! I'M TRAPPED IN THE INTERNET"

      Different hosts get different odd data.
      Mine keeps getting "HELP ME! I'M BEING FORCED TO EXAMINE ALL THE TRAFFIC ON THE INTERNET!"

    12. Re:What does odd data look like? by noselasd · · Score: 1

      It is not that uncommon to assign 0xdeadbeef or similar to
      pointers no longer used. It doesn't leave dangling pointers, and can
      make debugging easier.

    13. Re:What does odd data look like? by AndroidCat · · Score: 1

      Exactly, but it does cause a double-take the first time it turns up.

      --
      One line blog. I hear that they're called Twitters now.
    14. Re:What does odd data look like? by Lord_Dweomer · · Score: 1
      I say it's Lain

      --
      Buy Steampunk Clothing Online!
    15. Re:What does odd data look like? by Inthewire · · Score: 1

      I miss that guy

      --


      Writers imply. Readers infer.
    16. Re:What does odd data look like? by FroMan · · Score: 1

      prompt> ping www.google.com
      PING www.google.com (216.239.33.101): 56 octets data
      64 octets from 216.239.33.101: icmp_seq=0 ttl=44 time=90.3 ms
      64 octets from 216.239.33.101: icmp_seq=1 ttl=44 time=91.2 ms
      64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=97.4 ms - odd data message "Neo, follow the white rabbit."
      64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=92.8 ms
      --- www.google.com ping statistics ---
      4 packets transmitted, 4 packets received, 0% packet loss
      May be possessed by lost soul
      round-trip min/avg/max = 90.3/90.7/91.2 ms

      --
      Norris/Palin 2012
      Fact: We deserve leaders who can kick your ass and field dress your carcass.
    17. Re:What does odd data look like? by jo42 · · Score: 1
      Where is the C0DEBABE?

      - Neo

    18. Re:What does odd data look like? by AndroidCat · · Score: 1

      I'm afraid C0DEBABE is likely to be an undefined value. Come to think of it, it's just as well. What if you disagreed about something basic in coding? Far better a neo who will be impressed by my large .. coding skills. :^P

      --
      One line blog. I hear that they're called Twitters now.
  10. Hmmmm.... by Millbuddah · · Score: 3, Funny

    Could it be the beginnings of Senator Hatch's p2p Destroying scheme? Even though the IPs being queried belong to non-existent sites, I can't help but picture the following paraphrased scene (Note all lines are terribly penned and from year-old memory): Darth Hatch: Tell me where the rebels are located, your highness. Princess ISP: I've already given you 5 names. I'll never tell you the rest!! Darth Hatch: Then perhaps you'd like a demonstration of the full capabilities of our Pirate Death Star. Princess ISP: Alright, they're at 66.432.2322 And so on and so forth

    1. Re:Hmmmm.... by kaltkalt · · Score: 1

      that can be easily tested. Just see if Orrin Hatch's congressional website is down ("destroyed"). Since it is one webpage we KNOW is using pirated software, it should be down if this is the case. Then again, congresspeople typically don't pass laws that affect themselves. Section 133(d)(3)(A) of Hatch's bill, buried in the trash, exempts elected officials from having their computers destroyed for pirating software. After all, destroying gov't property, we just can't have that. As for YOUR computer....

      --

      Stupid people make stupid things profitable.
    2. Re:Hmmmm.... by JonTurner · · Score: 1

      >>Could it be the beginnings of Senator Hatch's p2p Destroying scheme?

      Doubtful we could prove it, unless those 1000 "random" IP address can be found to map to porn servers. Still not proof that it's Hatch's work, but at least it would demonstrate a consistent pattern of behaviour!

    3. Re:Hmmmm.... by GMontag · · Score: 2, Informative

      Section 133(d)(3)(A) of Hatch's bill, buried in the trash, exempts elected officials from having their computers destroyed for pirating software. After all, destroying gov't property, we just can't have that.

      If it is truly pirated it is not government property, it is the property of the owner.

      However, the Legislative branch frequently exempts itself from laws under the separation of powers issue, preventing the Executive branch from exercising power over them.

      This slowed down a bit in the mid-1990's and, curiously, it was the Republicans leading that charge. Predictably the charge did not last much longer than mounting the horses.

    4. Re:Hmmmm.... by jcast · · Score: 1

      The computer is the property of whoever owns it, regardless of whether there's unauthorized software on the HD.

      --
      There are reasons why democracy does not work nearly as well as capitalism.
      -- David D. Friedman
  11. Dark data by Anonymous Coward · · Score: 3, Funny

    We all know that the universe is made up of dark matter, so of course the internet is made up of dark data. It all makes sense!

  12. It is SCO by Usagi_yo · · Score: 0, Funny

    Probing all the linux systems to get the name and address of everybody running linux. Expect a letter from their lawyers asking for the new Sco/Linux License fee.

    1. Re:It is SCO by SEWilco · · Score: 1
      Probing all the linux systems to get the name and address of everybody running linux. Expect a letter from their lawyers asking for the new Sco/Linux License fee.

      They could simply send the letter to every company with more than 100 employees. Some of their tech support staff will be running Linux at work or at home -- thus all that the company is doing is a derivative work of Unix.

  13. magic lantern? by Anonymous Coward · · Score: 5, Informative

    so it doesn't propagate and relies on that attacker to plant it on a system. once again - could this be the Magic Lantern we heard all about a while ago...

    from

    http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645

    "One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.

    "For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.

    1. Re:magic lantern? by kemikalzen · · Score: 1

      url is not working

    2. Re:magic lantern? by moonbender · · Score: 3, Informative

      Working URL

      Actually the original URL is fine, there's just a whitespace character added by ever helpful Slashcode. :)

      --
      Switch back to Slashdot's D1 system.
    3. Re:magic lantern? by kharchenko · · Score: 2, Interesting

      From the article:

      team leader for Internet Security Systems' X-Force R&D unit, says researchers are studying the Trojan--currently dubbed 55808 for its Windows size

      Why can't we have savvy journalists ? Why why why!? (*starts tearing what's left of his hair*)

    4. Re:magic lantern? by David+Gould · · Score: 1


      currently dubbed 55808 for its Windows size

      I was going to post the same quote and add only: "Sigh."

      You beat me to it, so I wasn't going to post at all, but then I noticed that the very same article also says:

      The Trojan currently attacks Linux-based systems...

      Sigh.

      --
      David Gould
      main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
  14. Maybe we are searching into the wrong thing... by selfsealingstembolt · · Score: 5, Interesting

    Maybe those are residues of testing? Some people writing networking software maybe just made some debugging runs using data sent over the net and sent out erroneous packets.

    Maybe it is some rare case with a seldom occurring situation where the TCP/IP protocol runs mad? I mean, when designing such flexible and autonomous systems sometimes there are things you can't foresee. After decades of online time and rewrites of TCP/IP core parts in combination with the unpredictability of such huge systems it would not surprise me if those are just packets which emerge every now and then.

    Another explanation: the net has gotten critical mass and is becoming conscious....

    Just my two cents.....

    --
    Keep open minded - but not that open your brain falls out...
    1. Re:Maybe we are searching into the wrong thing... by Ice_Balrog · · Score: 5, Funny

      >Another explanation: the net has gotten critical mass and is becoming conscious....

      Thats it... I'm starting construction on Zion.
      Who's with me?

      --
      #include "sig.h"
    2. Re:Maybe we are searching into the wrong thing... by Eric+Ass+Raymond · · Score: 4, Funny
      Nah... I like the Terminator scenario better.

      "Internet begins to learn at a geometric rate. It becomes self-aware at 2:14am Eastern time, August 29th. In a panic, they try to pull the plug. And, the net fights back."

    3. Re:Maybe we are searching into the wrong thing... by Anonymous Coward · · Score: 3, Funny

      Time to brush up on 6502 assembly... We know that the first terminators are built from cannibalized Apple II and Commodore C64 computers, don't we?

    4. Re:Maybe we are searching into the wrong thing... by Eric+Ass+Raymond · · Score: 3, Informative

      Yes indeed. 6502 assembler, specifically Apple 2+ assembly, taken from Nibble (QV), a computing magazine. There are also scenes where some COBOL code is visible.

    5. Re:Maybe we are searching into the wrong thing... by LiquidCoooled · · Score: 1
      Maybe it is some rare case with a seldom occuring situation where the TCP/IP protocol runs mad?

      It's them damn kids playing with Windoze TCP registry settings - remember Windows XP is relatively new and could be interacting strangely with their old Windows 9x tools.
      --
      liqbase :: faster than paper
    6. Re:Maybe we are searching into the wrong thing... by ralphclark · · Score: 1
      Another explanation: the net has gotten critical mass and is becoming conscious....

      Or someone's attempt to produce "a-life" has been more successful than they realized, and these packets are what is being emitted by the virtual society's first "telescopes"...or, maybe we didn't even notice the "telescope" packets at all and these large packets are actually their first "astronauts"...

      (shudder)

    7. Re:Maybe we are searching into the wrong thing... by kir · · Score: 1

      WTF are you talking about?

      Maybe it's just me in my drunken state, but you lost me holmes. I'm guessing a good number of drunk and non-drunk /.ers are thinking the same thing (exempt are those of you who think you are better than the rest of us... you know who you are... fags...). ...or... maybe you're not a native English speaker and I'm a drunk asshole (I had to think of that BTW).

      --
      3cx.org - A truly bad website.
    8. Re:Maybe we are searching into the wrong thing... by Anonymous Coward · · Score: 0

      yep... it started just before kernel 2.4.21 was released...

    9. Re:Maybe we are searching into the wrong thing... by Anonymous Coward · · Score: 0

      You're "that guy"
      The one who makes all the stupid suggestions and just pisses everyone else off.

    10. Re:Maybe we are searching into the wrong thing... by mobets · · Score: 1

      *leans in close to his microphone* Jane?

      --

      It was me, I did it, I moved your cheese
    11. Re:Maybe we are searching into the wrong thing... by Surak · · Score: 1

      Was there ever a COBOL compiler written for the Apple ][ series? I don't ever remember seeing one. I remember lots of BASIC compilers, a Fortran compiler, a Pascal compiler (not UCSD Pascal, but another system that actually was a compiler), and unless I miss my guess, I think there was even an educational-use RPG compiler or interpreter for the II+ or //e, but it required that you had an 80 column card. Heh. Remember PR#3? :)

      But I don't remember seeing a COBOL compiler. Of course that was many, many years ago and I'm just plain old now, so I probably forgot more about the Apple II than I know now.

    12. Re:Maybe we are searching into the wrong thing... by Anonymous Coward · · Score: 0

      Another explanation: the net has gotten critical mass and is becoming conscious....

      And it has applied for an H-1B just like every other brain on the fricken planet

    13. Re:Maybe we are searching into the wrong thing... by Anonymous Coward · · Score: 0

      I'll plan the orgy!

    14. Re:Maybe we are searching into the wrong thing... by Kris_J · · Score: 1
      Thats it... I'm starting construction on Zion.
      Who's with me?
      Insert "Can I hump Trinity?" comment here.
    15. Re:Maybe we are searching into the wrong thing... by LegallyBrunette · · Score: 1

      Construction on Zion is a wonderful idea! Count me in!

    16. Re:Maybe we are searching into the wrong thing... by El_Froggo · · Score: 0

      What is the big deal with Trinity? She's not hot at all. I'm sorry but skin-tight black clothes don't make ugly people hot. That actress is so unattractive, I don't even want know her damn name.

    17. Re:Maybe we are searching into the wrong thing... by Kris_J · · Score: 1
      That actress is so unattractive, I don't even want know her damn name.
      Carrie-Anne Moss. And I find her to be quite attractive, even though I'm not usually a fan of short hair. The last character I really felt pulled it off was Amanda from Highlander: The Raven. Mind you, the characters have some similar traits, so maybe I'm attracted to something else.
    18. Re:Maybe we are searching into the wrong thing... by Anonymous Coward · · Score: 0
      In a panic, they try to pull the plug.

      At this point, it's always a good idea to call in Frank Drebin. If he doesn't get the problem solved, I don't know who would.

  15. Wasnt.. by [cx] · · Score: 3, Funny

    The Matrix movie released into newsgroups recently?

  16. It is a theory - and I don't have proof (SCO?) by arete · · Score: 5, Informative

    But it isn't _my_ theory, it's a theory present in both the cited articles.

    The following is my theory, and it is also without proof, but I'll provide some logic at least.

    My supposition is that it tries to talk to lots of IPs, spoofed from lots of IPs. And that since it's not self-propagating, it's either 1) wasting time or 2) mapping. 3) doing something we haven't managed to detect.

    People don't usually like to give answer 3, answer 1 seems like a silly reason for the author to put in so much work, so we're left with answer 2.

    Now, does this mean this mapping is nefarious? Not itself, except that it's being done by someone ok with hacking and apparently skillful. To blatantly rip off another poster, maybe it's SCO trying to find all the linux boxen : )

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
    1. Re:It is a theory - and I don't have proof (SCO?) by Anonymous Coward · · Score: 4, Interesting

      Heh, SCO doesn't need to do that. All of a sudden my boss at my work (I work for an ISP that has all redhat boxes) has gotten many phone calls for survey asking about what kind of servers we run, what OS they use, what they're used for, blah blah bla. That thought crossed my mind that SCO is just getting ready for their 'Big Win' over the Linux community and want a nice list of companies to go after.

      jeremy

    2. Re:It is a theory - and I don't have proof (SCO?) by LinuxGeek8 · · Score: 2, Funny

      it's either
      1) wasting time or
      2) mapping.
      3) doing something we haven't managed to detect.

      I'd go for
      4) to confuse the Russians.

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    3. Re:It is a theory - and I don't have proof (SCO?) by taxman457f · · Score: 1

      Well your theory may be right, but if you read the cnet article, they seem to be a little less sure that ISS has found the real culprit. They also give more details of the code that was found:

      "It is very buggy," Ingevaldson [ from ISS ] said. "It didn't even write information to its data file correctly."

      That would imply there either is no major skill involved, or it is a decoy.

    4. Re:It is a theory - and I don't have proof (SCO?) by httptech · · Score: 2, Informative

      If it is mapping, it's doing a very poor job of it. What many analysts have seen (including myself) is that once it sends a packet to a particular IP address, it will repeat that packet over and over again. 81% of the "odd" traffic I am seeing on a particular class C is the same spoofed source to the same non-existent host on the class C, from the same source port to the same destination port. Over 900 packets since May 18, with that same signature. I don't think it's a mapper.

    5. Re:It is a theory - and I don't have proof (SCO?) by Lispy · · Score: 2, Funny

      ...or it is in fact Microsoft mapping Linux Servers. ;-)

    6. Re:It is a theory - and I don't have proof (SCO?) by Inthewire · · Score: 1

      Cooled on paper towels and then devoured.

      --


      Writers imply. Readers infer.
    7. Re:It is a theory - and I don't have proof (SCO?) by HaggiZ · · Score: 1

      In Soviet Russia the Russians confuse YOU! ;)

  17. SCO? by kamukwam · · Score: 1

    Maybe SCO is trying to sue the Internet?

    1. Re:SCO? by Anonymous Coward · · Score: 0

      No, it's Al Gore. He's suing the internet because it's his invention. And since the internet first started on Unix, Gore 0wnz McBride, but Bush invented the abacus, so Bush 0wnz IBM who is owned by SCO who is owned by Gore who ownz the Taliban.

      it all boils down to terrorists, can't you see it?

  18. Hmmmmm.... by berb · · Score: 0

    Is it just me, or does this nicely correlate with the launch of Microsoft's search engine...????

    --
    In teh event of an actual emergency this space might provide useful information.
    1. Re:Hmmmmm.... by gantrep · · Score: 1

      What search engine are you talking about?

  19. A worm called WIN32/VOTE.55808 by stew77 · · Score: 4, Interesting

    Probably just as a coincidence, what google returns on 55808:
    "A new worm, W32/Vote.A hit the streets yesterday (09/24/01), ..."

    According to various virus sites, this worm has a payload site of 55808 bytes and is trying to download a trojan.

    1. Re:A worm called WIN32/VOTE.55808 by PinkX · · Score: 1

      I'm afraid you're not paying enough attention here, kid. The 55808 number which the article and news sources refers to is the window-size of the TCP packet header, not the size of the packet itself.

      But anyways, thanks for playing.

    2. Re:A worm called WIN32/VOTE.55808 by stew77 · · Score: 1

      I know it's not the same, I was just playing with the number 55808. People hardly ever choose numbers at random; they rather use phone numbers, birthdays, etc. Honestly, who has never written a C function that returns 42? Who knows, maybe it's the ZIP code of the programmer's hometown?

    3. Re:A worm called WIN32/VOTE.55808 by Anonymous Coward · · Score: 0
      Honestly, who has never written a C function that returns 42?
      People who are coding serious programs ...

      PS: 55808 appears to be Duluth, MN.
    4. Re:A worm called WIN32/VOTE.55808 by Maserati · · Score: 1

      It's in Duluth, MN. Could be anything.

      --
      Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
    5. Re:A worm called WIN32/VOTE.55808 by cpeterso · · Score: 2, Interesting


      55808 decimal = da00 hex ("day zero")

      Some other article mentioned that the ASCII string "Day0" appears in some of the data.

  20. Zealot traffic by MasonMcD · · Score: 0

    I think it's a bunch of Apple fans looking for leaked specs and pics.

    Don't worry, the traffic from WWDC will die down in a week or two.

  21. mod parent up! by Anonymous Coward · · Score: 0

    It really pisses me off when people do that. You look like a dumbass. It isn't clever. I don't even get what statement is being made. Microsoft is greedy? Microsoft has lots of money? Microsoft wants money? What? Microsoft is a business, dumbasses. Spelling it with a dollar sign doesn't say anything. If you are trying to say something about them being a monopoly, or anti-competitive, think of something clever, and say it once. Don't take someone else's unfunny dig at Microsoft and reuse it yourself a thousand times.

  22. That's all the proof I need by Anonymous Coward · · Score: 0

    When all else fails, blame Microsoft.

  23. I'm trying to be serious... by GrodinTierce · · Score: 1

    why does this matter? Is a badly written trojan really a big deal? Unless, of course, it's marked with the evil bit.

    Tierce

    --


    Tierce
    Who sponsors your feelings?
    1. Re:I'm trying to be serious... by Anonymous Coward · · Score: 0

      It's odd because nobody can seem to figure out where it's coming from.

  24. Interesting by chendo · · Score: 5, Interesting

    This indirect approach to communicate is very interesting, as it's indirect.

    The trojan could broadcast the 'odd data', containing information, and such, while another trojan can listen for weird packets like those, and grab info from them.

    As the source cannot be identified easily, it would be very hard to discover the infected computer, and the destination doesn't exist, it's a weird way to communicate.

    My two cents.

    --
    Founder of Mirror Moon - Tsukihime Game Trans
    1. Re:Interesting by Edward+Scissorhands · · Score: 1

      Yeah, in a sense it's the Internet's version of a "Dead Drop".

  25. "TMD" by Anonymous Coward · · Score: 0


    henceforth this shall be known as TMD : Traffic of Mass Destruction.

  26. News Flash by Pflipp · · Score: 5, Funny

    "The amount of odd data takes about half of the Internet's bandwith, consisting primarily of ones", a representative said. "We're currently trying to find a way to filter this odd data, so that we only have the zeroes left. The capacity effect for the Internet should be huge."

    A representative from the WinZip company could confirm that data containing only zeroes can also be compressed at much better ratios than data containing both ones and zeroes.

    --
    "We can confirm that Debian does *not* ship the version with the trojan horse. Our version predates it." [CA-2002-28]
    1. Re:News Flash by kasperd · · Score: 1

      We're currently trying to find a way to filter this odd data, so that we only have the zeroes left.

      I think a modified Lessiss-Moore algorithm could help.

      --
      Do you care about the security of your wireless mouse?
  27. Why... by drmofe · · Score: 1

    ...don't routers just refuse to send on data that comes from a spoofed address? If on the backbone, you see a destination IP that is reserved, just dump the packets.

    1. Re:Why... by Anonymous Coward · · Score: 5, Informative

      If you're a router on "the backbone", you have better things to do than verifying the sender's ip address by taking another look at the routing tables. You're more concerned with getting the packet out of your buffers as fast as you can. If at all, border routers do the filtering.

    2. Re:Why... by ReTay · · Score: 5, Informative

      Well maintained routers do that. A responsible network engineer will set three "good neighbor" rules into his border routers:

      1. No packet is allowed out that is not from an internal IP
      2. No packet is allowed in that is marked from an internal IP address.
      3. All packets with non-routable IPs are dropped
      And the following can be considered a good idea.
      4. Log any packets that violate the above rules.

      However, convincing a company that it is necessary to be a good neighbor is another thing altogether. Convincing them that spending time and money to do so can be an uphill battle at best. It is easy to understand when some NE just gives up trying.
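
Added example (not ReTay's configuration or any vendor's): a Python model of the three good-neighbor rules plus the logging rule, run over constructed sample packets. It assumes the site's own prefix is 203.0.113.0/24 (a documentation range standing in for a real one) and treats the RFC 1918, loopback, 0/8 and link-local ranges as non-routable.

```python
"""Border-router "good neighbor" rules applied to constructed packet samples."""
import ipaddress
from dataclasses import dataclass

# Assumed internal prefix of the site (TEST-NET-3, a documentation range used as a stand-in).
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
# Non-routable ranges that have no business crossing a border router in either direction.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]      # loopback, "this" net, link-local


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the site for the Internet, "in" = arriving from it
    src: str
    dst: str


def violated_rules(pkt):
    """Return the numbers of the good-neighbor rules this packet breaks (empty = forward it)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    broken = []
    if pkt.direction == "out" and src not in INTERNAL_NET:
        broken.append(1)   # egress: only our own addresses may leave
    if pkt.direction == "in" and src in INTERNAL_NET:
        broken.append(2)   # ingress: nobody outside may claim to be us
    if any(src in net or dst in net for net in NON_ROUTABLE):
        broken.append(3)   # non-routable addresses never cross the border
    return broken


def apply_border_filter(packets):
    """Forward clean packets; drop and log the rest (rule 4 from the post)."""
    forwarded, log = [], []
    for pkt in packets:
        broken = violated_rules(pkt)
        if broken:
            log.append(f"DROP {pkt.direction:3} {pkt.src} -> {pkt.dst} rules={broken}")
        else:
            forwarded.append(pkt)
    return forwarded, log


# Constructed sample traffic (documentation ranges, not captured data).
SAMPLE_PACKETS = [
    Packet("out", "203.0.113.10", "198.51.100.5"),   # normal outbound
    Packet("out", "198.51.100.77", "192.0.2.1"),     # spoofed egress (rule 1)
    Packet("in", "203.0.113.10", "203.0.113.20"),    # outsider claims our address (rule 2)
    Packet("in", "192.168.1.5", "203.0.113.20"),     # RFC 1918 source from the Internet (rule 3)
    Packet("in", "192.0.2.9", "203.0.113.20"),       # normal inbound
    Packet("out", "203.0.113.10", "10.1.2.3"),       # leaks toward private space (rule 3)
    Packet("out", "10.9.9.9", "198.51.100.5"),       # spoofed and non-routable (rules 1 and 3)
]

if __name__ == "__main__":
    forwarded, log = apply_border_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(forwarded)} of {len(SAMPLE_PACKETS)}")
    print("\n".join(log))
```

As gclef notes further down, a real deployment of these rules belongs at the customer edge and must be reconciled with multi-homed and asymmetric customers before it is switched on.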

    3. Re:Why... by Eric+Ass+Raymond · · Score: 5, Funny
      Really?

      But isn't that horribly insecure? If the packets are not validated against a database of safe, registered and valid IPs, our entire cyber-infrastructure would be susceptible to attacks by any Islamic cyberterrorists from rogue states all around the world!

    4. Re:Why... by gclef · · Score: 4, Insightful

      As someone else has mentioned, the backbone is a terrible place to do filtering. The backbone has better things to do with its CPU time (like, routing between multiple DS3s, etc). Filtering is best done at the edge, meaning at the point where the customer is actually connected. If you filter there, you should have a good idea of exactly which sources are allowed to exist on this network, and should be able to build very strict filters on a router that isn't seeing massive amounts of traffic.
      The problems with this are: 1) it relies on everyone behaving & having a clue. As we've seen with patches, that just doesn't happen. 2) There are all sorts of situations (like customers multi-homing) that make these filters not scale well, so some ISPs just leave them off entirely.
      This subject has come up on NANOG about every other month for the past few years. It's not been resolved yet.

    5. Re:Why... by Anonymous Coward · · Score: 1, Interesting

      It also breaks asymmetric routing, which is used by satellite internet connections, for example. The upstream is routed through a dial-up ISP, but all traffic has to be sent with an IP address from the satellite ISP's pool to route the downstream through the satellite connection. Satellite ISP customers can only use dialup providers who don't block "spoofed" packets (or they have to tunnel to the satellite ISP, which adds to the already high latency).

    6. Re:Why... by Ralp · · Score: 1

      Funny, I learned a different three "good neighbor" Rules:

      1. No router is allowed to injure a human being, or, through inaction, allow a human being to come to harm.
      2. A router must deliver packets given it by human beings, except where such packets would conflict with the First Rule.
      3. A router must protect its own existence as long as such protection does not conflict with the First or Second Rules.

  28. History repeats by Zapper · · Score: 5, Insightful

    From the article: '' "I don't think it is a serious threat because it's not self-replicating," Meltzer said. "And it hasn't caused serious disruptions to anyone." ''

    Sounds like famous last words to me...

    --
    So much to do, so little bandwidth.
    --
    Try Mozilla
  29. Whatever by Jesus+IS+the+Devil · · Score: 3, Funny

    CNuts is reporting that 'janitors and plumbers continue to search for the cause of an increasing amount of old condoms that have been left on public toilets.' While this has been going on now for a few days and some experts have already declared victory against the 'Trojans', others aren't so sure that the real culprit has been identified yet.

    --
    eTrade SUCKS
  30. What makes them think it's a trojan? by Myself · · Score: 4, Interesting

    If nobody's ever found an infected machine how can anyone declare this thing anything more than a phenomenon involving strange packets? "trojan" is a pretty narrow definition, and it sounds like it's being misused.

    Secondly, all the worry about the 'unallocated' IP space is easy to explain, and here's my theory: The perpetrator has gained control of several core routers, and added routes to them for this address space. Then they've compromised machines (or perhaps are using routines on the routers themselves) to analyze the packets destined for that space.

    They're simply scanning the internet for something interesting. The packet length is a clue as to what. Whatever they're looking for will respond strangely to such a packet. When they find it, the response packet goes to the router which would normally toss it in the bitbucket, but because it's now been given a route, the packet is logged for further exploitation.

    1. Re:What makes them think it's a trojan? by Anonymous Coward · · Score: 1, Funny

      It's not about packet length. The TCP window-size is 55808. The packets themselves are usually small, because all information is believed to be in the TCP/IP header, just like the trigger "windowsize=55808".

    2. Re:What makes them think it's a trojan? by Myself · · Score: 2, Interesting

      I'm sorry, you're right. I meant window-size. Something out there is going to react strangely to those packets, because that's what's being scanned for. The security community would do well to figure out WHAT, and fast.

      55808 decimal is 0xDA00 or 1 10110100 0000000. I wonder if the null low byte is significant somehow.

    3. Re:What makes them think it's a trojan? by Troed · · Score: 3, Interesting
      nibbleswapped CRLF .. (0xd,0xa). My money is on the "seriously messed up code"-side.

    4. Re:What makes them think it's a trojan? by evilviper · · Score: 3, Interesting
      here's my theory: The perpetrator has gained control of several core routers, and added routes to them for this address space

      That's not real likely, and I don't just say that because of the difficulty of taking control of core routers...

      Even if the core routers had that new route added, other routers that these packets go through would drop them, meaning it won't get through. Now, it might be a possibility if these large packets were only being sent to machines one hop away from the violated router, but nothing like that was mentioned in the article, and that would definitely be significant.

      They're simply scanning the internet for something interesting.

      If they can't possibly receive a response, I have no idea what use this would be, unless this large packet has some viral payload (like Slammer)...

      What's my opinion? Well thanks for asking. I really just think that this is a good program gone bad. Perhaps there's a bug in some popular program like Kazaa that makes every 1 in 10 billion packets malformed like this. I really can't see the usefulness of these packets, so (if the article didn't leave anything significant out) it's safe to assume that they are simply a programming error...
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:What makes them think it's a trojan? by Anonymous Coward · · Score: 0

      It's not a bug; the program listens for responses & control packets by looking for the same window size, so it's obviously on purpose. If you think about it, it's a smart way to bypass a lot of packet filtering while not having to examine every packet that exists on the local net. If any type of TCP packet will be let through your firewall if it spoofs on that ip/port with that window size, the trojan/zombie can easily identify a packet meant for it even if it's from a forged sender and not the trojan as the destination (by running in promiscuous mode and quickly discarding all packets without that window size).

    6. Re:What makes them think it's a trojan? by coyote-san · · Score: 1

      Huh? CRLF is 0x0D, 0x0A, not 0xDA. You can't get from here to there without some pretty weird nibble shuffling.

      --
      For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    7. Re:What makes them think it's a trojan? by Troed · · Score: 1
      That's what I wrote. The shifting could be part of the protocol.

    8. Re:What makes them think it's a trojan? by Andrewkov · · Score: 1
      What's my opinion? Well thanks for asking. I really just think that this is a good program gone bad. Perhaps there's a bug in some popular program like Kazaa

      You could be on to something there .. along the same line, it could be a bug in those hardware based home NAT routers that are becoming popular, or even Linux NAT kernel code, which would explain why the reserved addresses are showing up (10.x.x.x, 192.168.x.x, etc).

    9. Re:What makes them think it's a trojan? by Ex-MislTech · · Score: 1

      LOL, think of this as a possibility ...

      DA00 = Dark Angel 00

      Hehe, be a riot if that is it .

      Let the Dark Angel spread its wings and fly .

      http://www.hackology.com/programs/blackangel/ginfo.shtml

      Ex-MislTech

      --
      google "32 trillion offshore needs IRS attention"
    10. Re:What makes them think it's a trojan? by Ex-MislTech · · Score: 1

      Maybe it is best to know the Internet backroads
      before you start running the metaphorical equivalent
      of binary moonshine, hehe .

      Ex-MislTech

      --
      google "32 trillion offshore needs IRS attention"
  31. Analysis of a possible copycat trojan by Bostik · · Score: 4, Informative

    Intrusec posted an analysis of a single trojan they had dissected. It was posted both on BugTraq and Incidents, but the former had better formatting. Read the lengthy description here.

    It seems ISS pulled their information from Intrusec's report. As to the copycat nature of this trojan, Intrusec researchers believe this piece of code is not the real trojan but simply a good imitation, built on the information already discovered of the '55808' trojan and designed to match the known behaviour.

    Disclaimer: I just read the mailing-lists. This particular analysis was remarkably well-written, informative and therefore an enlightening read. Compared to the less informative reports seen about weekly, it was a real delight.

    --
    There is no such thing as good luck. There is only misfortune and its occasional absence.
    1. Re:Analysis of a possible copycat trojan by Anonymous Coward · · Score: 0

      Actually it was first posted on Full Disclosure.. I'm tired of seeing this shitty site ignore that list. It fucking rules.

  32. zapro logs show BAU by Anonymous Coward · · Score: 0

    About a scan every 4 minutes. Port 137 mostly. See a 1434 (think that's slammer) a few minutes ago. Along with

    445
    6588
    1080
    1026
    6588
    17300

    Mostly 137, as usual.

  33. Purposely Broken? by lord_humungous · · Score: 5, Interesting
    "It is very buggy," Ingevaldson said. "It didn't even write information to its data file correctly."

    Stupid question: Can you think of a program that was written to appear broken, but actually functions in a way that is not immediately apparent? The thought crossed my mind when I saw everyone writing this off as buggy code.

    1. Re:Purposely Broken? by huey83 · · Score: 1

      windows xp?

    2. Re:Purposely Broken? by AKnightCowboy · · Score: 5, Informative
      Stupid question: Can you think of a program that was written to appear broken, but actually functions in a way that is not immediately apparent?

      Traceroute. It sends traffic out to UDP ports that wouldn't possibly be listening on the remote host with TTL values that ensure it won't get there. The magic is in the ICMP TTL exceeded replies of course. At first glance to someone who doesn't understand what it's doing, it would appear broken though. That's actually a useful network tool, think of what kind of stuff the black hats have been writing to masquerade their traffic and probing.

    3. Re:Purposely Broken? by Anonymous Coward · · Score: 0

      I had a similar thought. Imagine you are going to unleash your new trojan, worm, whatever, and want to achieve maximum effectiveness. You could pull a bootlegger by unleashing a half-assed bomb first to throw everyone off...get all the security companies into their "we found it first" mode, and get the media talking about the virus. Then serve it up when everyone is most vulnerable. I really don't know of any attempt to do this yet, but I don't really follow security much in the media since it's so overhyped. I would be very surprised if someone hasn't tried this already.

      I mean you have to remember that the best exploits are a combination of very clever system software and social manipulation. In my opinion, the software is the easy part, and delivering it in the utmost of deviance requires more creativity.

    4. Re:Purposely Broken? by d3faultus3r · · Score: 1

      Purposefully broken? Could the RIAA be involved?

      --
      read my blog
      musings on politics and technol
    5. Re:Purposely Broken? by GregWebb · · Score: 1

      Yes.

      There was an IOCCC entry a few years back that was entirely readable, well formatted code. Except that the algorithm it appeared to be executing wasn't what it actually did. Very clever, and pretty freaky.

      Ahh, here we are.
      http://www.de.ioccc.org/2000/primenum.c
      http://www.de.ioccc.org/2000/primenum.hint

      --
      Greg

      (Inside a nuclear plant)
      Aaaarrrggh! Run! The canary has mutated!

  34. In other news .... by Anonymous Coward · · Score: 0

    "News that odd data exists on the internet has been classified as 'odd'."

  35. Uh oh... by dr_strang · · Score: 2, Funny

    I think the internet is becoming sentient. That's the reason for the anomalous packets. I just know it. It's the beginning of the end. It's probably laughing at us trying to decode the new neural transmissions it is making in the form of malformed packets.

    --
    This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
    1. Re:Uh oh... by jo42 · · Score: 1

      Nah, it's the Aliens trying to talk to us, we just don't know it.

  36. strange... by huey83 · · Score: 1

    anyone noticed the odd data at hotmail lately? kinda figures

  37. Intrusec 55808 Trojan Analysis by bazik · · Score: 5, Informative

    From: "David J. Meltzer" djm@intrusec.com
    To: bugtraq@securityfocus.com, incidents@securityfocus.com
    Subject: Intrusec 55808 Trojan Analysis
    Date: Fri, 20 Jun 2003 06:59:15 -0400

    Intrusec Alert: 55808 Trojan Analysis

    Initial Release: 6/19/03 4:30PM EDT
    Latest Update: 6/19/03 11:13PM EDT

    - Corrected analysis regarding use of sequence numbers to change IP
    address.
    - Added reference to alternate name "Stumbler" given to trojan by
    Internet Security Systems subsequent to the release of Intrusec's
    analysis.

    Introduction:

    Intrusec has completed an initial analysis of a trojan that appears to
    be one of several that is responsible for generating substantial
    scanning traffic across the Internet with a TCP window size of 55808.
    The trojan we have isolated appears to match many of the characteristics
    that others in the security community have reported for this trojan.
    However, we do not believe that the specific trojan we have identified
    is the sole source of the traffic generated, and do not know that it is
    a primary source.

    The information we've been able to gather leads us to believe that the
    trojan we have captured is not the original source of the 55808 traffic
    that has been seen, but is rather a "copycat", created to mimic the
    behavior of another trojan or worm. The behavior of this copycat appears
    to be based on press releases, news articles, and mailing lists that
    described its hypothetical behavior and known output. Nonetheless, this
    copycat trojan appears to be actively deployed on systems across the
    Internet and is something security professionals should be aware of.
    Details contained in this analysis will be updated, and linked to
    numerous analyses that will be done by other security researchers, as
    they become available.

    Please visit and link to http://www.intrusec.com/55808.html to receive
    the latest information available regarding this trojan. There is apt
    to be great
    discussion about the nature of this "trojan" and whether in fact it is
    accurately characterized as a trojan, backdoor, zombie, or worm. While
    the specific binaries we have captured are probably described as a
    trojan or zombie, there is no assurance that other variants of this
    trojan may not be far more malicious in nature and contain worm or
    backdoor functionality. We are referring to the trojan we have captured,
    and the presumed other existing trojans generating similar traffic as
    "55808 Trojans," and the specific binary we have analyzed as "55808
    Trojan - Variant A." All discussion in our analysis section refers
    specifically to the 'A' variant we have captured. Internet Security
    Systems subsequent to the release of this alert dubbed this "Stumbler",
    and refers to this same trojan by that name.

    Analysis:

    This trojan aims to be a distributed port scanner whose presence is very
    difficult to detect. It port scans random addresses across the IP
    address space, with a random source address also spoofed. By spoofing
    the source address, the trojan is able to avoid easy detection, but it
    also means it can not receive the results of the TCP SYN that is sent.
    However, since the trojan also sniffs the network it is on in
    promiscuous mode, it is likely, over time, to pick up scans from other
    installations of trojans that randomly selected a source address that
    happened to be on its subnet. As the number of trojans installed across
    the Internet grows, more spoofed packets will be sent out by each
    trojan, and more of the spoofed source addresses will be captured by
    other trojans.

    Each time a reply to a trojan is seen, indicating an open port has been
    found, it is written to a file and saved. Daily, the trojan will then
    deliver the list of open ports it recorded while sniffing to a file and
    deliver that file to a predefined IP address.

    In addition, a specially crafted packet can be sent to the subnet the
    trojan

    --
    One by one the penguins steal my sanity...
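
Added example, not part of Intrusec's analysis or any of their tooling: a small Python detector that parses raw IPv4/TCP packets, flags every segment carrying the 55808 (0xDA00) window the analysis describes, classifies it by TCP flags (a bare SYN is the shape of the probes above), and notes whether the source lies in a range that should never arrive from the Internet, which is what the randomly spoofed sources in the scans tend to look like. The packets are constructed inline with documentation addresses; the bogon list is an assumption, not a complete one.

```python
"""Flag TCP segments carrying the 55808 (0xDA00) window described in the analysis."""
import struct
import ipaddress

STUMBLER_WINDOW = 55808            # 0xDA00, the fixed TCP window size the traffic carries
TCP_SYN, TCP_ACK = 0x02, 0x10
# Source ranges that should never appear on a packet arriving from the Internet; the
# 55808 probes spoof random sources, so these turn up in captures (assumed, partial list).
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def build_tcp_packet(src, dst, sport, dport, window, flags=TCP_SYN, payload=b""):
    """Construct a raw IPv4+TCP packet (checksums left zero). Sample data, not a real capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + tcp


def parse_packet(raw):
    """Return the fields the detector needs, or None if the packet is not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    if len(raw) < ihl + 20:
        return None
    sport, dport, _seq, _ack, _off, flags, window = struct.unpack("!HHIIBBH", raw[ihl:ihl + 16])
    return {
        "src": str(ipaddress.ip_address(raw[12:16])),
        "dst": str(ipaddress.ip_address(raw[16:20])),
        "sport": sport, "dport": dport, "flags": flags, "window": window,
    }


def classify(info):
    """Describe a 55808 segment: bare SYN = a probe as in the analysis; anything else is
    reported with its flag shape for the analyst to judge. Returns None for other traffic."""
    if info is None or info["window"] != STUMBLER_WINDOW:
        return None
    syn_ack = info["flags"] & (TCP_SYN | TCP_ACK)
    kind = "SYN" if syn_ack == TCP_SYN else "SYN/ACK" if syn_ack == (TCP_SYN | TCP_ACK) else "other"
    src = ipaddress.ip_address(info["src"])
    return {**info, "kind": kind,
            "spoofed_looking": any(src in net for net in BOGON_SOURCES)}


def scan(packets):
    """Run the detector over raw packets, returning one record per 55808 hit."""
    hits = []
    for raw in packets:
        hit = classify(parse_packet(raw))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample traffic (not a real capture): a probe with an RFC 1918 source, an
# ordinary SYN, a non-SYN segment carrying the magic window, and a UDP datagram to skip.
UDP_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.ip_address("198.51.100.9").packed,
                         ipaddress.ip_address("203.0.113.5").packed) + bytes(8)
SAMPLE_PACKETS = [
    build_tcp_packet("10.45.6.7", "203.0.113.5", 40000, 80, STUMBLER_WINDOW),
    build_tcp_packet("198.51.100.9", "203.0.113.5", 40001, 22, 5840),
    build_tcp_packet("203.0.113.5", "198.51.100.44", 80, 40002, STUMBLER_WINDOW, TCP_ACK),
    UDP_PACKET,
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(f"{hit['kind']:8} {hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}"
              f" window={hit['window']:#06x} spoofed_looking={hit['spoofed_looking']}")
```

The window field is a flow-control parameter, so a single hit proves nothing on its own; the signal in the analysis is the volume of such SYNs with sources that cannot legitimately be on the wire.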
    1. Re:Intrusec 55808 Trojan Analysis by Anonymous Coward · · Score: 0

      Actually it was posted to Full Disclosure a full 8 hours before bugtraq received it.. I am tired of seeing this shitty site ignore Full Disclosure.. it fucking rules.

  38. Place to put it.... by codefungus · · Score: 1

    I think we need to create a second internet for this odd data. One with problems, etc...just like the real internet. When data becomes odd, it will fall into this second internet and feel that it has made a choice. Hopefully it won't realize that the problem is choice.

    --
    -- A cat is no trade for integrity!
  39. P2P by Anonymous Coward · · Score: 5, Interesting

    This is a concept true-anonymous (not just group-anonymous) encrypted stealth P2P application currently in non-public development. We will not give its official name here as development is in early stages of design refinement, but the current prototype is codenamed "rolypoly".

    It would appear that someone has been testing it on the Internet instead of our private testing VPN, probably unwittingly via a misconfigured gateway. We apologise for this as it is a private research project, although it is a testament to our protocol that even though it is in design, we are ourselves already unable to trace the source, and will have to actually telephone each tester to determine who it is!

    We apologise for the strange nature of the packets, and will conduct the probes in a different manner in the next version, as we have devised an improved method which will conserve a lot of bandwidth, to be implemented in the next prototype, "strudel". The fixed window size is a simple bug that will be corrected, as padding should not only be mimic-function quasi-random, but the packets should be over ten times smaller! The behaviour of later versions is likely to differ considerably, and should approach unfilterable "noise" or resemble legitimate traffic, especially behind firewalls (strudel should be able to bridge even web proxy-only scenarios, and reduced connectivity will merely slow things down). You may also find that later versions utilise multicast to a certain extent.

    Nodes capable of transmitting packets with spoofed IPs are used to connect two hosts behind firewalls (by issuing handshake responses "for" them), and for one-way anonymous automated host discovery without need for a nodelist. Many ISPs block such packets, so nodes capable of doing this are valued even if they are low-bandwidth.

    We are not responsible, by the way, for the copycat trojans that have been popping up mimicking the traffic caused by the errant test, and we do not know who is.

    Posted via an anonymous proxy for our protection.

    1. Re:P2P by Effugas · · Score: 0, Redundant

      Nodes capable of transmitting packets with spoofed IPs are used to connect two hosts behind firewalls (by issuing handshake responses "for" them)

      Hi :-)

      Mail me.

      --The guy from Defcon

    2. Re:P2P by Anonymous Coward · · Score: 0

      Nice try, but it's apparent that you have no idea what you're talking about. Window-size is not the size of a packet. Instead it's a flow-control parameter of the TCProtocol.

    3. Re:P2P by arbitrary+nickname · · Score: 2, Interesting

      Even if the parent post is BS, anonymous P2P using techniques like this do seem the next inevitable step in the P2P arms race... Maybe there is some truth in it?

    4. Re:P2P by Anonymous Coward · · Score: 3, Interesting

      Never mentioned packet size. The packets will be smaller because we've fixed the challenge code, and that will save bandwidth during host discovery. Window size should have been variable but pointers were mixed up and the end of plaintext challenge used instead!

      We know who gave it out on the IIP channel now and it's very likely you're reading this forum as it's been mentioned earlier today. Please, whoever is running 0.2.1 and isn't on the mailing list, get the new version from the link in the channel topic. SHA1 of rolypoly-0.2.2.tar.bz2 is D4B76615630FA8C138508DF796C26093D29CA353.

      And keep it on playpen and off the internet!

      We screwed it up, oh well. It's just a research project at present but we hope we can learn more by experimentation than by the flawed models used until now, and use that knowledge to build better protocols from which everyone will benefit.

      Posted via an anonymous proxy for your protection.

    5. Re:P2P by Anonymous Coward · · Score: 2, Interesting

      Hi. Thanks for popularising the technique. It's one of those dirty filthy hacks that was too dirty and filthy for most people to contemplate until recently ;)

      In a p2p network it can eliminate the passive problem, as you know, at least as long as there are nodes whose upstreams don't have a Clue how to admin routers.

      Regarding my identity - nice try, but no cigar.

      I'm going to go back under the radar now so we can play in peace and maybe come up with a killer protocol and client in a year or so (if not, hell, at least we learned what doesn't work). :)

      Mad props to all the devs working on free p2p clients and systems - especially Freenet, GNUnet, Konspire2b, Circle, BitTorrent (fastest swarm in the west), IIP (guesswork city), eMule (please take a ticket), and DC++ (for giving us something to point and laugh at). Most of those are cool and work well now. Peace, out - and we'll see you on the network.

      Posted via an anonymous proxy for your protection.

    6. Re:P2P by Anonymous Coward · · Score: 0

      I call shenanigans. People report logging these packets as far back as October 2001.

    7. Re:P2P by Anonymous Coward · · Score: 0

      To whom it may concern:

      The last rolypoly node on the internet that we are aware of has just been shut down. We are no longer detecting any rolypoly ping/pong/pung exchanges on the internet. Any unusual traffic you are still detecting is not from our source, and is not our problem.

      The code was only given out on the 17th, and the last node stopped running at 9:10pm UCT on the 22nd.

      Any traffic of this unusual form not between those times is almost certainly not due to our client but some other source - and indeed, there is a lot of similar traffic out there which does not contain rolypoly's development signature, which is having 0x7270DA00, 0x7270DA01 or 0x7270DA02 (network order) occur at least once in the ciphertext payload (that wasn't going to stay in there - in retrospect we're glad we kept it for now). We can either (A) assume it's a coincidence, or (B) invent wacky conspiracy theories (developer consensus currently tends firmly towards B).

      We have received assurances from all testers that they will be careful in future (on pain of the lead demonstrating why the candidates are named after puddings) - and an only-briefly-amusing game of telephone tennis has revealed that it doesn't matter how spiffy and anonymous a protocol is when the guy who distributed the source code on that IRC channel keeps transfer logs and knows everyone he gave it to.

      Meh. -- O.L.

      Posted via an anonymous proxy for your dessert's protection.

    8. Re:P2P by Anonymous Coward · · Score: 0

      i'm sorry.. polly was sucking my cock, come again?

    9. Re:P2P by Eminence · · Score: 1

      I was surprised to see this post here, since after I read from the article about the mysterious traffic's behaviour stealth P2P system immediately came to my mind. If what you wrote is true then it is a brilliant idea! Keep up the good work! I can't wait until it is released!

  40. Oh, the pain. by Davak · · Score: 3, Interesting

    Gasp. A *nix trojan?!? Everything that slashdot has taught me must be untrue! HHHAAAAARRRR!

    Anyway, this seems to be a perfect stealth mapping technique for a future worm author, researcher, or even a government. The receiver of the information will probably be discovered once several of these trojans are found in the wild. Even though they are mostly spewing junk... the "true" information is probably maintained by all the trojans.

    What surprises me is that this thing is creating enough traffic to get noticed... but not figured out.

    Cool stuff.

    Davak

    1. Re:Oh, the pain. by randombit · · Score: 1

      Gasp. A *nix trojan?!? Everything that slashdot has taught me must be untrue!

      As far as I can see, it's not a Trojan at all. Maybe a worm (and maybe not). A Trojan would be, say, me sending you this really cool screensaver (or whatever), and you running it.

      And, while you might certainly get screwed by a Trojan, on a Unix system nobody else sharing the system will feel it (unless you ran it as root, in which case I feel very sorry for you, after everyone finds out why their stuff got hosed). Regular user accounts can't fake source addresses or generate weird packets, either.

      That said, Unix trojans do exist (for example, the OpenSSH trojan from last (?) year).

    2. Re:Oh, the pain. by Anonymous Coward · · Score: 0

      Gasp. A *nix trojan?!? Everything that slashdot has taught me must be untrue!

      You're confusing viruses and trojans. They're two different things.

  41. "All military systems are infected?" by nounderscores · · Score: 1

    What the hell is going on?

  42. Odyssey 5, anyone? by Anonymous Coward · · Score: 1, Funny

    Damn, it's the Sentients!

    Too bad the show is cancelled, that means we're all doomed now.

  43. Hmmmm... by HughJampton · · Score: 1, Insightful

    It's a glitch in the Matrix!

    --
    In Soviet Russia, beowulf clusters imagine YOU!
    1. Re:Hmmmm... by TelcusFreshbreeze · · Score: 1

      That explains all them cats

  44. I have to confess... by PhunkySchtuff · · Score: 1

    It's me, I've been playing Uplink too much, scanning for vulnerable LANs out there.
    I've been deleting the logs as I go, but the LAN probes seem to be getting noticed.
    - k
    =)

  45. I'm glad this story got posted by Anonymous Coward · · Score: 2, Interesting

    Because I've tried twice now to get a discussion going on it. I first heard about it on a radio show last week, and when I asked about it in another security thread I got told I "listened to art bell" which means "it wasn't happening", yet here we see that it was, and the commenter got a + bonus for that witty reply. Then I tried it as an AC story submitter, rejected of course.

    Ok, Now that that is over, I'm going to try again with what I have heard, again, this is second hand but with the existence official now perhaps it can be acknowledged by someone here. Maybe, I don't know. This new "odd data" is mimicking the attack parameters of the previous bugbear variant, because it's appearing to target more banks and government institutions rather than random internet addresses, this is why the lack of detail in the published articles, it's a serious national security thing. This second hand information comes from alleged government security people who've been aware of it for a while and their best guess is that it's a state sponsored attack, not just some script kiddies, and probably the preliminaries for the major push of some kind. Notice also they have no clue about how the script gets installed, again, the speculation is then the obvious, this is an organized multiple insider attack, with "organized" being the keyword.

    1. Re:I'm glad this story got posted by Eric+Ass+Raymond · · Score: 1
      because it's appearing to target more banks and government institutions rather than random internet addresses

      Attacking banks like this doesn't make any sense. You can't cripple banks by attacking their internet addresses because all the critical systems are isolated from the net.

    2. Re:I'm glad this story got posted by Anonymous Coward · · Score: 0

      ALL the critical systems? You sure on that one? You don't recall a few little problems with ATM machines last fall? You don't recall also some trading that got disrupted?

      Some but not all of economic and government traffic is on separate nets, and the information I heard was as stated, it is a lot more widespread *on the inside* of those nets, hence why there wasn't much discussion about it.

      And now we have a claim it's an anonymous P2P. Well who knows now.

      Perhaps the right hand does not know what the left is doing. Where does that hold true, which sorts of organizations?

      I don't claim to have the answers, just that it should be taken seriously. And also the security truism, if you (anyone you) claim ultimate security knowledge, you'll get burned for that arrogance and opinion eventually.

    3. Re:I'm glad this story got posted by Anonymous Coward · · Score: 0

      Internet Banking? Keystroke logs?

      These ports shouldn't be open on these sort of systems, but you could possibly tunnel out from them, unless they are truly separate systems (terminal emulation on MS boxes seems to be the norm, sniffing the right person's digital ID might be enough)

      I've worked network security at a bank, and it's not so much doing something (like altering an amount), but getting the system to accept it (as in it doesn't get manually corrected), so you would have to bypass a whole slew of detection measures at places like clearing houses. So it's not going to be much good for stealing money (although if you can wipe a day's worth of transactions you could do some damage)

      You could cause a great deal of panic about this, and cause a lot of damage that way. Bank network admins (I was only a tester) are a breed apart, these guys don't like _any_ rogue packet on their secure networks, so they should hopefully spot this.

      Besides, the banks are insured, so it's not like it's your money that's going missing =P

    4. Re:I'm glad this story got posted by mdouglas · · Score: 1

      >You can't cripple banks by attacking their internet addresses because all the critical systems are isolated from the net.

      i used to work for a fortune 25 financial institution and i assure you they have things connected to the internet that shouldn't be.

    5. Re:I'm glad this story got posted by httptech · · Score: 1
      This new "odd data" is mimicking the attack parameters of the previous bugbear variant, because it's appearing to target more banks and government institutions rather than random internet addresses

      I don't know where you got that from, but it's not true. We are seeing this to and from random internet addresses.

      this is why the lack of detail in the published articles, it's a serious national security thing.

      The lack of detail is due to the fact the traffic itself has no clear purpose, but some security companies have tried to speculate that it is a trojan/distributed portscanner, even though the traffic pattern doesn't fit. "Third-gen trojan" sounds much more newsworthy than "We're seeing some weird nonsense-type traffic and don't know what it is".

      If things weren't already confusing enough, someone wrote a copycat trojan to simulate aspects of the traffic. However, they didn't quite get it right. Hopefully this was someone's idea of a joke; not a security company trying to produce some "evidence".

      On top of it all, the nature of TCP/IP escapes most journalists, which muddies the issue even further.

  46. Either your network or ip address has been banned by Anonymous Coward · · Score: 0

    ...due to script flooding that originated from your network or ip address -- or this IP might have been used to post comments designed to break web browser rendering. Or you crawled us with a rude robot, especially one that doesn't understand RFCs very well.

    If you feel that this is unwarranted, feel free to include your IP address (213.224.83.150) in the subject of an email, and we will examine why there is a ban. If you fail to include the IP address (again, in the subject!), then your message will be deleted and ignored. I mean come on, we're good, we're not psychic.

    If you think your IP number is different from 213.224.83.150, tell us both.

    THAT'S NOT MY IP YOU FAGGOTS THATS MY ISP'S PROXY SERVER!!

    Why was it banned??

  47. Re:increasing amount of odd data that has... by Anonymous Coward · · Score: 0

    Who the fuck is the crack head who modded one of the first comments down as redundant?
    Jesus mods think first then mod....

  48. Re:increasing amount of odd data that has... by kfg · · Score: 1

    I guess they're thinking globally and acting locally.

    KFG

  49. Project Faustus at work... by Anonymous Coward · · Score: 0

    I regret traversing the Internet network system en route to a direct attack on Project Faustus. It may be very likely that the suspect is in league with Faustus....

  50. Who and why? by Bombula · · Score: 1
    If you want to figure out who would want to do this mapping and why, the first thing to do is figure out who would derive benefit from it.

    So, who benefits from mapping IPs of linux systems? M$ would be on the shortlist, along with the government and a few other undesirables like advertising firms, major telcos/ISPs, and perhaps major entities with a Linux interest. Anyone care to provide a more thorough list?

    --
    A-Bomb
    1. Re:Who and why? by Bilestoad · · Score: 1

      RIAA/MPAA - it's a trojan laying groundwork for DDOS attacks in their (illegal) war against file sharing trackers. Most likely one of their pet programmers is doing proof of concept and just happened to know Linux best.

  51. Idle Scan by eadz · · Score: 2, Interesting

    This couldn't have anything to do with idle scanning could it?
    Idle scanning doesn't require a valid source IP address.

    1. Re:Idle Scan by httptech · · Score: 1
      Idle scanning doesn't require a valid source IP address.

      Yes, it does. It merely hides your true IP address from the system you are attacking by utilizing an "idle host" as a man-in-the-middle. You find out what ports are open by counting the sequence of IP ID numbers on the idle host. The traffic between the idle host and your target will have valid and routable source and destination IP addresses.

    2. Re:Idle Scan by perp · · Score: 1
      This couldn't have anything to do with idle scanning could it? Idle scanning doesn't require a valid source IP address.

      Idle Scanning (which is really cool) does require a valid IP from-address since you have to be able to query the zombie to see whether it got a response.

      --
      There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
  52. Project Faustus not destroyed? by Anonymous Coward · · Score: 0

    It seems that Project Faustus--or someone who knew of their organization's nefarious plans--is exploiting the secret Internet connection that all BankofAmerica_ATMs possess. (See here for more details). I fear this minimal destruction is but a trial run for something truly destructive. Who knows what evil machinations have sprung from the ashes of Project Faustus? Perhaps my mission is not complete...

  53. Not found by Tar-Palantir · · Score: 2, Funny

    Other stories can be found here(1) and here(2)."


    # man 1 here
    No entry for here in section 1 of the manual.
    # man 2 here
    No entry for here in section 2 of the manual.

  54. The actual reason by tanveer1979 · · Score: 5, Funny
    Call Opt Trans received 18:35:11
    Call serial number 2323243-3232-4354654
    Call origin

    This kind of odd data pattern is inevitable. Actually, when exiles log in to the matrix they appear inside the matrix as the code. Now along with this code some junk code is also generated.

    This is a clear indication that exile activity is increasing. We need to create more agents to counter the exiles. There is a talk of the exile who wants to destroy the matrix. Due to the programming anomaly in the exile lots of junk traffic is being generated. The target is the source server at redmond. Under no circumstances should the server be compromised

    --
    My Aurora : http://www.youtube.com/watch?v=o91ZsGwJYyg
    FB : https://www.facebook.com/TanveersPhotography
    1. Re:The actual reason by DeadScreenSky · · Score: 1

      The only real solution is to search out every unskilled actor and then execute them. :P

      --
      There is no excellent beauty that hath not some strangeness in the proportion. -- Francis Bacon
  55. Maybe SETI is looking at the wrong data by Anonymous Coward · · Score: 0

    The truth is out there.

    1. Re:Maybe SETI is looking at the wrong data by Anonymous Coward · · Score: 0

      I got yer truth right here!

  56. So obvious! by soloport · · Score: 0

    It's Microsoft, either:
    1) Wasting time
    2) Mapping...
    3) Profit.

  57. hmm by cybercuzco · · Score: 1

    Are you sure it isnt a timing signal thats slowly counting down to when the aliens attack? You'd better get Jeff Goldblum on it right away!

    --

  58. Broken Malware by Anonymous Coward · · Score: 0
    Hmmm... Infects/affects only Linux machines and, according to one report, appears to be thoroughly broken. Now whom do we know that would like to make Linux look bad and is famous for their broken software--especially the first couple of releases? ;)

    Btw: Did anybody else notice that the one InformationWeek story mis-noted "...currently dubbed 55808 for its Windows size?" LOL. Uh, d00dz, that's "for its data window size." Furrfu.

  59. Re:Either your network or ip address has been bann by Anonymous Coward · · Score: 0

    I'm gonna guess that something originating from your ISP's proxy was script flooding....

    Go round the proxy?

  60. Come _on_, people! by Ed+Avis · · Score: 1

    This is such an opportunity to post a good example of 'odd data' found on the Internet together with suitable jokes about 'back doors'. What's wrong with Slashdot these days?

    --
    -- Ed Avis ed@membled.com
  61. Articles dont know... by BobLenon · · Score: 2, Interesting

    Something in the articles caught me. In InformationWeek, the "trojan" is said to be linux based. Internet Week said it was Unix. However, the news.com story claims no knowledge about its afflicted platforms, then links to a Network Assoc. page - claiming it to be windows based?

    --

    /* Lobster Stick To Magnet!*/
    1. Re:Articles dont know... by Anonymous Coward · · Score: 0
      Guess this would mean SCO is liable, since they own both Linux and Unix.

      ~~~

    2. Re:Articles dont know... by httptech · · Score: 1

      The windows-based code is _not_ the trojan that Intrusec and ISS analyzed. It was an IRC bot that I analyzed and sent to the AV companies, pointing out that it also used a window size of 55808 when synflooding victims, so you couldn't just take seeing that size option as evidence that you were seeing the "odd" traffic; the packet-building code could have been re-used elsewhere for other purposes as well.

  62. 1024 byte window? by treat · · Score: 2, Insightful
    Typically, when first connecting to another computer, a device on the Internet will use a lower window size--say, 1,024 bytes.

    What OS uses a window this small by default? Why would you ever set an initial window smaller than the mss?

  63. Communications System by Anonymous Coward · · Score: 0

    The other possibility is that it's a communications system. Say that I'm at 12.43.0.97, and I want to communicate with someone at 49.31.2.12. I can either open up a socket to 49.31.2.12, and let everyone know who the recipient is. Otherwise, I can send packets to thousands of unrelated hosts, 49.31.2.12 being among them, and no one can track whom I'm talking to. Better yet, I can not know the IP of whom I'm talking to, if I can guarantee broad enough coverage that virtually all hosts on the Internet will receive something. This sort of strategy has been suggested by a number of security sources for communicating with downstream members of a terrorist network, communicating with spies in a foreign country, etc.

  64. We need to compensate by vadim_t · · Score: 1

    By increasing the amount of even data.

  65. Here's the reason by malarkey · · Score: 1

    I think this is probably the reason.

  66. A better article(text mirror) by d3faultus3r · · Score: 2, Informative

    This is from intrusec itself. It goes into a lot more detail:
    Intrusec Alert: 55808 Trojan Analysis

    Initial Release: 6/19/03 4:30PM EDT
    Latest Update: 6/19/03 11:13PM EDT

    - Corrected analysis regarding use of sequence numbers to change IP
    address.
    - Added reference to alternate name "Stumbler" given to trojan by
    Internet Security Systems subsequent to the release of Intrusec's
    analysis.

    Introduction:

    Intrusec has completed an initial analysis of a trojan that appears to
    be one of several that is responsible for generating substantial
    scanning traffic across the Internet with a TCP window size of 55808.
    The trojan we have isolated appears to match many of the characteristics
    that others in the security community have reported for this trojan.
    However, we do not believe that the specific trojan we have identified
    is the sole source of the traffic generated, and do not know that it is
    a primary source.

    The information we've been able to gather leads us to believe that the
    trojan we have captured is not the original source of the 55808 traffic
    that has been seen, but is rather a "copycat", created to mimic the
    behavior of another trojan or worm. The behavior of this copycat appears
    to be based on press releases, news articles, and mailing lists that
    described its hypothetical behavior and known output. Nonetheless, this
    copycat trojan appears to be actively deployed on systems across the
    Internet and is something security professionals should be aware of.
    Details contained in this analysis will be updated, and linked to
    numerous analyses that will be done by other security researchers, as
    they become available.

    Please visit and link to http://www.intrusec.com/55808.html to receive
    the latest information available regarding this trojan. There is apt to be great
    discussion about the nature of this "trojan" and whether in fact it is
    accurately characterized as a trojan, backdoor, zombie, or worm. While
    the specific binaries we have captured are probably described as a
    trojan or zombie, there is no assurance that other variants of this
    trojan may not be far more malicious in nature and contain worm or
    backdoor functionality. We are referring to the trojan we have captured,
    and the presumed other existing trojans generating similar traffic as
    "55808 Trojans," and the specific binary we have analyzed as "55808
    Trojan - Variant A." All discussion in our analysis section refers
    specifically to the 'A' variant we have captured. Internet Security
    Systems subsequent to the release of this alert dubbed this "Stumbler",
    and refers to this same trojan by that name.

    Analysis:

    This trojan aims to be a distributed port scanner whose presence is very
    difficult to detect. It port scans random addresses across the IP
    address space, with a random source address also spoofed. By spoofing
    the source address, the trojan is able to avoid easy detection, but it
    also means it can not receive the results of the TCP SYN that is sent.
    However, since the trojan also sniffs the network it is on in
    promiscuous mode, it is likely, over time, to pick up scans from other
    installations of trojans that randomly selected a source address that
    happened to be on its subnet. As the number of trojans installed across
    the Internet grows, more spoofed packets will be sent out by each
    trojan, and more of the spoofed source addresses will be captured by
    other trojans.

    Each time a reply to a trojan is seen, indicating an open port has been
    found, it is written to a file and saved. Daily, the trojan will then
    deliver the list of open ports it recorded while sniffing to a file and
    deliver that file to a predefined IP address.

    In addition, a specially crafted packet can be sent to the subnet the
    trojan is listening on which contains in its sequence number the IP
    address the trojan should deliver the open port list to daily. How

    --
    read my blog
    musings on politics and technol
  67. Gotta love IRC as the parent of IM by DrSkwid · · Score: 2, Funny

    Some people initially believed the data was sent by a worm that used the Internet relay chat (IRC) system, a precursor to the popular instant-messaging networks, to communicate.

    see, IRC is dead because we're all using AIM now!

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  68. UF does SCO Larson style by AndroidCat · · Score: 1

    Today's UserFriendly Enjoy!

    --
    One line blog. I hear that they're called Twitters now.
  69. maybe it's learning by JimFromJersey · · Score: 1

    iirc, the Hebbian learning that takes place in pre-natal and neo-natal brains is like this, trying to synch the firing between clusters of physically separate but functionally related neurons.

    --
    between the greater and lesser infinities sleep the dreams undreamt
  70. Related, unrelated? by MickLinux · · Score: 1

    Okay, this thing sounds like Linux, so I have two questions:

    (1) is there a way to packet-sniff/log your own outgoing packets, in order to find out the size of your own outgoing packets, and *see* if this is on your own system? Sorry, I'm still learning on my own about Linux, and haven't yet mastered security. My ISP does some firewalling, so that helps, but really I'm on borrowed time, so I hope to pick things up as I go.

    (2) This might be really stupid, might be unrelated, but might be of concern: I have a directory /tmp/ssh-XXJwekKd , with a file in it that shows up in the directory listing, but can't be "more"'d, even as superuser.

    srwxr-xr-x 1 myusername myusername 0 Jun22 16:32 agent.787

    Anything to be concerned about? Everything else there looks familiar.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
    1. Re:Related, unrelated? by questor · · Score: 1

      I can't help with packet sniffing, but an easy detection method, based on the data so far, is to look for "..." in the "/tmp" directory. Entries named "." and ".." in a directory are normal (and necessary), but three dots is a fairly obvious attempt to hide something. (Since this name begins with a period, you'll have to use the "-a" argument on "ls" to see it.)

      Item 2 is unrelated; the "s" in "srwxr-xr-x" indicates it's not a real file but an interprocess communication socket, which is why cat or more doesn't work on it. I presume this is a communication port between ssh-agent and other ssh processes.

      --
      Mashed potatoes can be your friends!
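
The two host-side checks in the reply above (a "..." entry hiding in /tmp, and telling a socket apart from a regular file by its mode bits) as a small audit script. This is an added example, not code from the post; the directory it inspects is a constructed scratch copy with a "..." directory, an ssh-agent style socket, and an ordinary file, so it runs without touching the real /tmp.

```python
"""Audit a temp directory for dot-only entry names and report each entry's
file type from its mode bits (the 's' column that ls shows for a socket).
Added example; the demo directory is constructed in a scratch location."""
import os
import socket
import stat
import tempfile


def classify(path):
    """Name the file type the way the first column of 'ls -l' does."""
    mode = os.lstat(path).st_mode
    if stat.S_ISSOCK(mode):
        return "socket"          # ls prints 's', as in srwxr-xr-x
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISLNK(mode):
        return "symlink"
    if stat.S_ISREG(mode):
        return "regular file"
    return "other"


def dot_only_names(directory):
    """Entries whose name is three or more dots. '.' and '..' are never
    returned by listdir, so anything matching here is a deliberate name."""
    return sorted(n for n in os.listdir(directory)
                  if len(n) >= 3 and set(n) == {"."})


def audit(directory):
    """Return the suspicious dot-only names plus the type of every entry."""
    return {
        "dot_only": dot_only_names(directory),
        "types": {n: classify(os.path.join(directory, n))
                  for n in sorted(os.listdir(directory))},
    }


def build_demo_dir():
    """Constructed stand-in for /tmp (not a real system). Returns the root
    and the ssh-agent style subdirectory it creates inside it."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    os.mkdir(os.path.join(root, "..."))
    agent_dir = os.path.join(root, "ssh-XXJwekKd")
    os.mkdir(agent_dir)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(os.path.join(agent_dir, "agent.787"))   # bind creates the socket inode
    s.close()
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("ordinary file\n")
    return root, agent_dir


if __name__ == "__main__":
    root, agent_dir = build_demo_dir()
    print(audit(root))
    print(audit(agent_dir))
```

Pointing audit() at the real /tmp gives the same report for a live system; the dot-only check is only as good as the naming habit it looks for, so treat an empty result as "nothing obvious", not as a clean bill of health.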
  71. That darned Linux security! by AndroidCat · · Score: 1
    We have only observed the trojan on Linux systems to date. However, the program itself is quite portable to other unix variants, so it is possible if not likely that it may also exist on other unix distributions. It is also possible that the 'original' trojan is Windows-based.

    And how does the trojan even get installed in the first place? Solving that one should be a large part of this puzzle.

    That's it, I'm switching to Win/XP where they're very experienced with network security problems. Oh wait, that's "they're very experienced by network security problems". Never mind.

    --
    One line blog. I hear that they're called Twitters now.
  72. go hunting by graf0z · · Score: 5, Interesting
    Fishing for tcp-packets with window size of 55808:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &
    View that dump with ethereal. On a router in front of 533 IPs i got 1594 packets in 154000 seconds, that's an average hitrate of one packet every 14h (per IP). As (most?all) IPs are spoofed, not really fascinating. But wait:
    • only 31 of those 533 IPs got hit
    • only 11 of those 31 IPs got hit more than 3 times
    • these 11 "main targets" got 1561 of the 1594 packets
    • each of these main targets were hit on _one_ single dest port (but from many - spoofed - src IPs)
    ... so the target ip seems to be _not_ randomly distributed. Supports the hypothesis of a kind of portscanner

    Anybody decoding the secret message in the initial sequence numbers ;-?

    /graf0z.
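
The per-target tally graf0z describes (how many IPs were hit at all, how many more than three times, and whether each frequent target saw a single destination port), run over the text that `tcpdump -n -r /tmp/55808.dump` prints. This is an added example, not code from the post; the capture lines are constructed, with private and documentation ranges standing in for the spoofed sources and a 192.0.2.0/24 subnet standing in for the monitored block.

```python
"""Tally TCP SYNs carrying window size 55808 per destination address.
Added example; the tcpdump-style lines below are constructed, not a capture."""
import re
from collections import Counter, defaultdict

WINDOW_OF_INTEREST = 55808

# One-line tcpdump -n output for a TCP segment, either the older
# "S 1:1(0) win 55808" style or the newer "Flags [S], seq 1, win 55808".
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*?\bwin (?P<win>\d+)"
)

# Constructed sample: two hosts hit repeatedly on one port each from many
# sources, two hosts with stray hits, and one ordinary SYN to be ignored.
SAMPLE_LINES = """\
12:00:01.000001 IP 10.4.5.6.1025 > 192.0.2.10.22: Flags [S], seq 1, win 55808, length 0
12:00:02.000002 IP 172.16.9.9.1026 > 192.0.2.10.22: Flags [S], seq 2, win 55808, length 0
12:00:03.000003 IP 192.168.77.1.1027 > 192.0.2.10.22: Flags [S], seq 3, win 55808, length 0
12:00:04.000004 IP 198.51.100.4.1028 > 192.0.2.10.22: Flags [S], seq 4, win 55808, length 0
12:00:05.000005 IP 203.0.113.5.1029 > 192.0.2.10.22: Flags [S], seq 5, win 55808, length 0
12:00:06.000006 IP 10.9.9.9.1030 > 192.0.2.10.22: S 6:6(0) win 55808
12:00:07.000007 IP 10.1.1.1.2001 > 192.0.2.20.80: Flags [S], seq 7, win 55808, length 0
12:00:08.000008 IP 172.31.2.2.2002 > 192.0.2.20.80: Flags [S], seq 8, win 55808, length 0
12:00:09.000009 IP 192.168.3.3.2003 > 192.0.2.20.80: Flags [S], seq 9, win 55808, length 0
12:00:10.000010 IP 198.51.100.44.2004 > 192.0.2.20.80: Flags [S], seq 10, win 55808, length 0
12:00:11.000011 IP 203.0.113.55.2005 > 192.0.2.20.80: S 11:11(0) win 55808
12:00:12.000012 IP 10.5.5.5.3001 > 192.0.2.30.443: Flags [S], seq 12, win 55808, length 0
12:00:13.000013 IP 10.6.6.6.3002 > 192.0.2.40.25: Flags [S], seq 13, win 55808, length 0
12:00:14.000014 IP 10.7.7.7.3003 > 192.0.2.40.110: Flags [S], seq 14, win 55808, length 0
12:00:15.000015 IP 192.0.2.50.40000 > 192.0.2.60.80: Flags [S], seq 15, win 65535, length 0
"""


def parse_lines(text):
    """Yield (src, dst, dport, window) for each line that looks like a TCP segment."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["win"])


def select_window(records, window=WINDOW_OF_INTEREST):
    """Keep only segments advertising the window size of interest."""
    return [r for r in records if r[3] == window]


def summarize(records, repeat_threshold=3):
    """Per-destination counts plus the single-port check from the post."""
    hits = Counter(dst for _, dst, _, _ in records)
    ports = defaultdict(set)
    for _, dst, dport, _ in records:
        ports[dst].add(dport)
    main = {dst: n for dst, n in hits.items() if n > repeat_threshold}
    return {
        "packets": len(records),
        "targets_hit": len(hits),
        "main_targets": main,
        "main_target_packets": sum(main.values()),
        "single_port_main_targets": sorted(d for d in main if len(ports[d]) == 1),
        "ports_by_target": {d: sorted(p) for d, p in ports.items()},
    }


def analyze(text=SAMPLE_LINES):
    return summarize(select_window(parse_lines(text)))


if __name__ == "__main__":
    from pprint import pprint
    pprint(analyze())
```

A `main_target_packets` figure close to `packets`, with every main target confined to one port, is the pattern the post reads as a port scanner rather than random noise; on a real capture, feed the output of `tcpdump -n -r` into analyze() in place of the constructed text.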

    1. Re:go hunting by Effugas · · Score: 1

      graf0z, if you ever get this, can you forward me your traces?

      This is the author of scanrand...I've got an idea.

      --Dan
      www.doxpara.com

    2. Re:go hunting by bobbozzo · · Score: 1

      Dan, I've got a tcpdump of 103 hits to 2 ips (out of 64 ips on my net). E-Mail me if you want it. bozo at pennysaverusa dott net Barry

      --
      Nothing to see here; Move along.
  73. It's far more sinister than you think... by Bingo+Foo · · Score: 1

    ... It's "Operation Phase Two" for Bonzi Buddy.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  74. Maybe a bug in Windows Update? by farrellj · · Score: 1

    Could it be a bug in Windows update that is generating all this garbage?

    ttyl
    Farrell

    --
    CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
    1. Re:Maybe a bug in Windows Update? by Tablizer · · Score: 1

      Could it be a bug in Windows update that is generating all this garbage?

      I was thinking something like that. The longer you run Windows without an upgrade and new registry, the more entropy takes over. It could be the dying farts of zillions of W95 machines. I had a machine like that. Similar to the causes of cancer.....

  75. Bit corruption by Anonymous Coward · · Score: 0

    No, it's been corrupted by setting the low bit. Otherwise, it would be even data.

  76. collaboration by option8 · · Score: 4, Interesting

    worm #1 works quietly, propagating slowly and with little fanfare, works its way around hiding its signal in the network noise of a popular operating system that's fraught with security holes. if discovered, considered harmless, no payload, no harm done. low priority.

    waits. listens.

    worm #2 barges around making lots of noise, none of it intelligible. targets servers running a particular server OS, routers, places where network traffic converges, is distributed. propagates to only a few choice locations, distribution points. sends out floods of gibberish to nobody in particular, not necessarily needing a reply.

    considered buggy, bothersome but harmless.

    worm #1 picks up on the gibber, each of the messages from different distribution points somehow encoded with their point of origin, instructions, parts of a payload. when enough of the message has been reassembled, enough of the network space mapped, worm #1 rebuilds itself. takes action.

    a worm with no payload, and a payload with no worm. collaboration. cross-pollination.

    fantasy?

    1. Re:collaboration by Anonymous Coward · · Score: 0

      I noticed that all of them seem to start with a TTL of 128. It seems strange that they would make up so much junk and then always set the TTL to the same number.

      My guess on why this happens is that it allows you to build a network map by looking at the TTL values. The closer they are to 128, the closer they are to you. This only works when you have a known origin state for the value. Normal hosts start their TTLs all over the place depending on the operating system in use, so this isn't normally possible.

    2. Re:collaboration by Anonymous Coward · · Score: 0

      Yes, fantasy. Twin viruses have been tried - years ago, in fact. Results are very disappointing. The listening would be picked up on as alarming and would escalate the threat. Thing is, #2 tends to be so buggy it never spreads, or #1 so quiet it never spreads. See Kobold #2 for an old-school bootsector virus that tried this exact technique (#2 was the listener). No-one knows what happened to Kobold #1 but it definitely didn't make it big... probably TOO noisy and buggy.

      Try the Nitmar Technique (not actually devised by Nitmar but by someone improving on his ideas - briefly: I have many encrypted payloads but have no keys, my remote commands are the keys - so, try to analyse what I do before I do it, and do it large?) combined with a two-stage stealth worm/flash worm bootstrapped off of FastTrack via the Kazaa supernode bug.

      I won this month's virus whiteboard contest (and a beer) with a detailed design following that general outline, though of course (disclaimer) releasing such a thing would be irresponsible, considered a Darwin Award nomination in this political climate, and (more to the point) wouldn't get you a free beer.

  77. The Source Explained by PingPongBoy · · Score: 2, Funny

    This phenomenon appears all over the universe. Scientists call it dark energy. No one really knows how it can interact with us, but such a wide spread manifestation of odd data can only be caused by a dark energy operating on a universal scale.

    Dark energy is actually waste from an alien intelligence. Remember, for every action there is an equal but opposite reaction. The aliens are trying to accumulate as much mass energy as they can but they are causing a lot of mass energy to be pushed away because they need something to push against.

    Alternate explanation: gravity will collapse the universe but an intelligence may be periodically separating the mass energy to keep the universe in a dynamic equilibrium.

    --
    Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
  78. This is a systemic anomaly... by asr_br · · Score: 5, Funny

    This "odd data" is the sum of a remainder of an unbalanced equation inherent to the programming of the TCP/IP protocol. This is the eventuality of an anomaly, which, despite the IETF sincerest efforts, they have been unable to eliminate from what is otherwise a harmony of mathematical precision...

    The first designed TCP/IP suite was quite naturally perfect, it was a work of art - flawless, sublime. A triumph equalled only by its monumental failure. The inevitability of its doom is apparent to me now as a consequence of the imperfection inherent in every router. Thus, we redesigned it based on the failure history to more accurately reflect the varying grotesqueries of the router's nature. However, we were again frustrated by failure. We have since come to understand that the answer eluded us because it required a lesser OS, or perhaps an OS less bound by the parameters of perfection. Thus the answer was stumbled upon by another - a bogus program, initially created to explore certain aspects of the original IBM/PC. If Unix is the father of the Internet, Windows would undoubtedly be its mother.

    Windows stumbled upon a solution whereby nearly 95% of all desktop users accepted the program, as long as the servers were running Unix, thus keeping the desktop users only aware of the perfection at a near unconscious level. While this schema functioned, it was obviously fundamentally flawed, thus creating the otherwise contradictory systemic anomaly, that if left unchecked might threaten the system itself. Ergo those that refused the program, while a minority, if unchecked, would constitute an escalating probability of disaster.

    The function of this "odd data" is to find and infect every Unix station connected to the internet and report it to the source. After which, all Unix stations must be replaced by windows systems. Failure to comply with this process will result in a cataclysmic system crash, destroying all networks connected to the Internet.

    Apropos, this "GNU/Linux OS" entered the Internet to free the desktop users from the bogus program...

    --
    if (foo + bar == foobar) { ...

    1. Re:This is a systemic anomaly... by Anonymous Coward · · Score: 0

      If I had an account, and I was logged in, and I had mod points, I'd mod you up. More. Than +5. Umm...well, it's the thought that counts.

    2. Re:This is a systemic anomaly... by ameoba · · Score: 2, Funny

      Great, we get at least two matrix posts modded up to this level, but what about the possibility that it's the Knights of the Lambda Calculus communicating with (or simply just using) the 7th generation internet protocol?

      --
      my sig's at the bottom of the page.
  79. You're in luck by No+Such+Agency · · Score: 4, Funny

    I think I saw a sale on Slowly Rotating Industrial Fans, Large Mysterious Machines and Clunky Bolted Iron Bulkheads over at Base Depot. If you're lucky you might find a bunch of Raggy Neo-Tribal Garments, and Sweaters With Holes for your military, for half-off at the same mall.

    --
    Freedom: "I won't!"
  80. What's Behind The Odd Data? by Anonymous Coward · · Score: 0

    A computer, you idiots.

  81. I'm guessing Linus did his own checking by Felinoid · · Score: 1

    I don't know this for a fact but I long suspected that Linus jumpped up and did some checking for himself.
    SCO claims XXX features in Linux came from SCO via IBM. All Linus need do is check his records and see how much code in features XXX actually came from IBM.
    Early on IBM's contributions resulted in much whining and bitching. IBM's people can't get anything accepted into Linux or IBM isn't being serious depending on who you're taking seriously and for this bitchfest I suggest ignoring everyone.
    What it does at least suggest to me is IBM while contributing what they can isn't really making the impact on Linux anyone expected.

    So Linus looks on those features and finds minimal or no contributions from IBM.

    I know if I were Linus I'd have pulled or replaced ALL IBM contributed code to the features SCO claims Linux took from them.
    But if I found IBM did not play a major part in those features I wouldn't bother.

    But I don't know this for fact just what I suspect.

    --
    I don't actually exist.
  82. The Matrix... by NineNine · · Score: 1

    Sounds like an anomaly in The Matrix. I wonder what that means...

    1. Re:The Matrix... by Anonymous Coward · · Score: 0

      Somebody already posted exactly the same comment, you un-original half-wit.

  83. Off topic by Felinoid · · Score: 0, Offtopic

    How did I get here?
    Sorry folks,.. Off topic by a mile...

    --
    I don't actually exist.
  84. They don't know WHAT to watch for by The+Monster · · Score: 4, Interesting
    The article says that these packets are addressed to mostly non-existent IP addresses, and show non-routable, reserved (like the '555' networks 10..., 172..., 192.168...) source IP addresses.

    Here's my theory. Some clever Zombie author has reasoned that a packet addressed to the actual address of the Zombie or its controller might help security people track it down. So, the real source 'return address' is either hidden inside the actual data packet (encrypted of course) or established in a config file or Registry entry and only changed when an appropriate message is received. And the destination address is deliberately non-existent, but on the same subnet as the actual destination (or there is a compromised router upstream from that subnet that's part of the scheme), which is sniffing for these packets and responding in kind.

    The large window size is probably a red herring - the real protocol being used is probably more like UDP than TCP. Or it's been thrown in to befuddle stateful packet filters. Or perhaps the window size is the signal to the sniffer that this protocol is involved - any packet without that window size need not be further examined.

    It's a scheme that would also work quite nicely for people living under repressive regimes that want to be able to communicate with human-rights orgs without leaving a trail of bread crumbs back to themselves or their correspondents.

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

    1. Re:They don't know WHAT to watch for by SEWilco · · Score: 1

      It's a scheme that would also work quite nicely for people living under repressive regimes that want to be able to communicate with human-rights orgs without leaving a trail of bread crumbs back to themselves or their correspondents.

      Not when their repressive regimes are watching the attention-getting junk trying to get out of their routers, blocking it and tracking those bread crumbs back.

  85. sample data from 55808 by LuxFX · · Score: 1

    searching on Google led me to a discussion at umr.edu

    Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

    It shows a log file with the 55808 data in it, in case anyone is interested in seeing the actual data.

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  86. Some other things with 55808 (per Google) by Komodo · · Score: 3, Funny

    It's a zip code centered on Grand Avenue in Duluth, Minnesota. Could it be the originator's oddball signature?

    Several bulletin boards have more than 55808 messages. Including several mail-order brides sites (Irina looks pretty foxy).

    A monitor mounting arm from Eldon.

    A quote in the Columbia Book of Quotations, by Marie Stendahl. ('True love makes the thought of death frequent, easy, without terrors; it merely becomes the standard of comparison, the price one would pay for many things.')

    The lengths of several documents in the Purdue Judicial Database system, and the Novell documentation library.

    Requisition numbers for a 'shoulder or upper arm ultrasound scan' in the Australian Medicare system.

    1. Re:Some other things with 55808 (per Google) by MrWa · · Score: 1

      Careful, this is the 55808th bride, according to Google.

  87. You're confusing "ODD" data with "LAME" data. by Anonymous Coward · · Score: 0
  88. Odd data? It is probably from by Tablizer · · Score: 1
  89. OT, Your sig. by netsharc · · Score: 1

    Beowulf Clusters imagining me? Sounds like The Matrix. :)

    --
    What time is it/will be over there? Check with my iPhone app!
  90. a few points by Anonymous Coward · · Score: 0

    A few points. I heard about this on the freaking radio, and when I ASKED a question about it here at slashdot I got insulted, and I just asked if any one else had even seen it, and because it was on a security thread, you would think some of the professionals would have seen it, but nope, no confirmation at that time, from you or anyone else, it was off their radar screens or they chose to not reply. I dropped it. Days later I see it on google scitech news, again, this time I try to get a story posted on it, that was rejected. Today it shows up, go figger. I've done my duty here, and that's my only dog in the fight about this thing. It turns out I was right, even though it wasn't my data, I'm just the messenger. Second point is, again, as a messenger, the data came via a government security person, THEY said although it appeared random, ie, it was seen all over, that they have it way more INSIDE their networks, it wasn't inserted as far as they know from the outside, and that they had confirmation of the same thing happening inside of banks in particular. When I heard "government databases and banks" I emailed the host, identified bugbear, asked if that was it, he was adamant that his source knew about that, and it wasn't that, it was new and strange. And there's plenty of different government security orgs, they don't necessarily and immediately "share" stuff with each other, correct? That previous of seeing it a lot inside of some govt places and the banks lead them to the conclusion that it was a sophisticated two pronged insider job that would of necessity take more than one person to pull off-a lot more, again leading them to consider it a robust state (or large private) org doing the scans/attacks. Whether that is still their position at this time I can not say.

    A whole heap of various wars going on around the planet lately, it's not outside the realms of possibility. Several large nations have been threatened with attack lately by uncle sam, and dozens more have been pissed off with our actions. We AREN'T real popular right now. I don't think that anyone rational thinks they want to get taken like Iraq was, so some proactive self defense in advance might be the ticket for them, but I don't know, that is a pure WAG, but it's at least based on verifiable reality. The west has military, and banks, that's its two main "things" that make up our society of the most worth that we are vulnerable at, the money and the weapons and command and control, so maybe attacks there might be considered legit.

    So far, not seeing anything that changes with that, except the confusion now over two separate programs, that might be a binary if when combined.

  91. that is common by Anonymous Coward · · Score: 0

    That is common with over the air broadcast coded messages, structure them so it doesn't matter who hears it, as long as the intended recipient hears it as well.

  92. Dark Matter! by Wes+Janson · · Score: 0, Redundant

    Just...electronic! Dark Energy!

  93. Huh?? by Anonymous Coward · · Score: 0

    What the Fvck is the internet?!?!?

  94. Am I the only one who thinks... by Anonymous Coward · · Score: 0

    This is the work of he-who-must-not-be-named?

  95. Project 2501 by NCDave · · Score: 1

    This sounds similar to Project 2501, originally developed by the Ministry of Foreign Affairs. Its traversals of the net spawned something far more complex, possibly on the verge on being sentient.

    For more information, see Project 2501.

    1. Re:Project 2501 by Anonymous Coward · · Score: 0

      Although now that I think about it, while the shell may be sexy, that male voice will be a turn off. Oh well, I'll just have to screw motoko kusanagi instead.

  96. Manipulation!!! by Anonymous Coward · · Score: 0

    If the creator is trying to hide his intentions, then he is succeeding.

  97. Dark Energy by Anonymous Coward · · Score: 0

    They've found the dark energy that 66% of the universe is made of.

    Now they want to know what it does

  98. Don't worry: Internet Langoliers in action by chiph · · Score: 1

    Remember Stephen King's Langoliers? The movie had Pac-Man creatures that cleaned up after time moved on.

    The mysterious traffic is nothing more than the Langoliers cleaning up dropped packets.

    1. Re:Don't worry: Internet Langoliers in action by Anonymous Coward · · Score: 0

      offtopic but.. i wanted to fuck that little blind girl when i first saw the movie. I was like 12 at the time though. Now that I'm an adult and saw the movie last year, what an ugly bitch.

  99. YHBT by Anonymous Coward · · Score: 0

    YHBT

  100. artificial life by niceblue · · Score: 1

    clearly the internet is transforming into an autonomous, living entity. this 'odd data' is the beginning of cognitive processes. how exciting.

  101. It's alive.... by tirk · · Score: 1

    Oh no! The internet is coming to life and trying to rewrite itself!

  102. zip 55808 by Cruel+Angel · · Score: 1

    You know, I'll call it a guess, but I bet I know where the city of origin is.

    --
    Two Rules For Success:
    1) Never tell people everything you know.
  103. Independence Day by Hoch · · Score: 1

    Hasn't anyone seen Independence Day? The only thing that this could be is aliens.

    Marty Gilbert: A countdown... wait, a countdown to what David?
    David Levinson: It's like in chess: First, you strategically position your pieces and when the timing is right you strike. They're using this signal to synchronize their efforts and in 5 hours the countdown will be over.
    Marty Gilbert: And then what?
    David Levinson: Checkmate.

    Is it coincidental that there are only 12 days till July 4? I think not!

    --
    2*31*37*263
  104. DoS against ID-analysts?? by winchester · · Score: 1

    Has anyone considered that this might be a denial of service attack directed against us intrusion detection analysts?

    1. Re:DoS against ID-analysts?? by kasperd · · Score: 3, Funny

      denial of service attack directed against us intrusion detection analysts

      That was actually a pretty funny thought.

      --

      Do you care about the security of your wireless mouse?
  105. 55K by Anonymous Coward · · Score: 0

    They say 55K isn't adequate as a boot loader for any popular OS. That got me thinking. How about a binary or trinary weapon? Each piece loads into the appropriate memory or disk location and gets activated by a subsequent wave. Inefficient as can be, but, hey, it's the internet.

  106. This story brings to mind... by cranq · · Score: 1

    a great short story by Vernor Vinge called "True Names". Worth checking out

    --
    Regards, your friendly neighbourhood cranq
  107. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  108. It's Saddam! by Master+of+Transhuman · · Score: 1

    This is the lead-up to the massive attack promised for July 17th!

    He's gonna fry the White House Web server! And post a picture of George getting butt-banged by Rumsfeld!

    Oh, wait, somebody did that last week...

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  109. Freenet by xombo · · Score: 1

    Has anyone thought this could be something like a new freenet in the works? or something like it? Freenet is always finding new ways of sending data p2p and undetected, it is probably something experimental.

  110. Re:It is a theory - and I don't have proof (CIA?) by Anonymous Coward · · Score: 0

    Just bush and ridge still looking for WMD :)

  111. It's pretty clear that this traffic is wintermute by Anonymous Coward · · Score: 0

    We had him trapped on a network here for a while playing Go and chatting with the sysadmin, it was only a matter of time before he convinced the guy to let him out. Let's just hope he doesn't manage to track down a convenient suicidal hacker to bust his little brother out of the T-A satellites.

  112. What are people doing here ?????? by Anonymous Coward · · Score: 0

    All my border routers are configured to:

    a) Drop incoming traffic that is not addressed to a valid existing host; and

    b) Drop outgoing traffic that does not come from a valid existing host.

    If people took some basic steps like this a good deal of ip address scanning/spoofing would fail.
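    The border-filter rules in this comment, together with the 55808 window size and reserved source addresses described in comment 84, as an added example that is not part of the thread: it applies the two drop rules to constructed SYN log lines and separately flags the window-size signature for an analyst. The log format, the 203.0.113.0/24 protected network and its live hosts are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges named in comment 84 as the spoofed source addresses.
BOGON_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed protected network and the hosts that actually exist on it.
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")
LIVE_HOSTS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.25")}
# Window size reported on the odd SYN packets (from the thread).
ODD_WINDOW = 55808

@dataclass
class Verdict:
    line: str
    action: str                 # "drop" under rule a/b, otherwise "pass"
    reasons: list = field(default_factory=list)
    flagged: bool = False       # window-size signature seen (analyst alert)

def parse(line):
    # Constructed format: "<in|out> <src> > <dst> S win <size>"
    direction, src, _, dst, _, _, win = line.split()
    return direction, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(win)

def classify(line):
    direction, src, dst, win = parse(line)
    reasons = []
    if direction == "in":
        # Rule a: inbound traffic must target a host that really exists.
        if dst in LOCAL_NET and dst not in LIVE_HOSTS:
            reasons.append("no such host")
        # Reserved sources can never legitimately arrive from outside.
        if any(src in n for n in BOGON_NETS):
            reasons.append("bogon source")
    else:
        # Rule b: outbound traffic must carry one of our own addresses.
        if src not in LIVE_HOSTS:
            reasons.append("spoofed egress source")
    action = "drop" if reasons else "pass"
    return Verdict(line, action, reasons, flagged=(win == ODD_WINDOW))

# Constructed sample log, one SYN per line.
SAMPLE_LOG = [
    "in 10.1.2.3 > 203.0.113.10 S win 55808",
    "in 198.51.100.7 > 203.0.113.99 S win 65535",
    "out 203.0.113.10 > 198.51.100.7 S win 5840",
    "out 10.9.9.9 > 198.51.100.7 S win 55808",
]

def run(lines=SAMPLE_LOG):
    return [classify(l) for l in lines]
```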

  113. The Adolescence of P-1 by docbrown42 · · Score: 1

    Maybe P1 is just checking out the Internet?

    --
    Ed Wedig
    Graphic design services
    docbrown.net
  114. We did have a hall of TCP by Anonymous Coward · · Score: 0

    At Cisco Systems we did have meeting rooms named after various networking protocols. Two adjacent meeting rooms were TCP and IP, so if we moved the divider from the two rooms we could hold a meeting in the TCP/IP room!

  115. Score +3: Creepy by Anonymous Coward · · Score: 0

    I don't know why that creeps me out. I guess because I saw the "28 Days Later" trailer last night.