What's Behind The Odd Data?
citking writes "CNet is reporting that 'network administrators and security experts continue to search for the cause of an increasing amount of odd data that has been detected on the Internet.' While this has been going on now for a few days and some experts have already declared victory against the 'trojan', others aren't so sure that the real culprit has been identified yet. Other stories can be found here(1) and here(2)."
Basically, there's a new trojan, sort of.
It apparently requires being installed by hand by the originator (or someone else, I suppose). But then it makes the machine into an effective zombie for the originator.
It does a good job of hiding the infection - sending out 1000 spoofed addresses for each real one.
It targets linux only, at least so far.
It is apparently trying to map internet connected networks.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
So it doesn't propagate and relies on the attacker to plant it on a system. Once again - could this be the Magic Lantern we heard all about a while ago...
from http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645
"One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.
"For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.
But it isn't _my_ theory, it's a theory present in both the cited articles.
The following is my theory, and it is also without proof, but I'll provide some logic at least.
My supposition is that it tries to talk to lots of IPs, spoofed from lots of IPs. And that since it's not self-propagating, it's either 1) wasting time, 2) mapping, or 3) doing something we haven't managed to detect.
People don't usually like to give answer 3, answer 1 seems like a silly reason for the author to put in so much work, so we're left with answer 2.
Now, does this mean this mapping is nefarious? Not itself, except that it's being done by someone ok with hacking and apparently skillful. To blatantly rip off another poster, maybe it's SCO trying to find all the linux boxen : )
Intrusec posted an analysis of a single trojan they had dissected. It was posted both on BugTraq and Incidents, but the former had better formatting. Read the lengthy description here.
It seems ISS pulled their information from Intrusec's report. As to the copycat nature of this trojan, Intrusec researchers believe this piece of code is not the real trojan but simply a good imitation, built on the information already discovered about the '55808' trojan and designed to match the known behaviour.
Disclaimer: I just read the mailing-lists. This particular analysis was remarkably well-written, informative and therefore an enlightening read. Compared to the less informative reports seen about weekly, it was a real delight.
There is no such thing as good luck. There is only misfortune and its occasional absence.
If you're a router on "the backbone", you have better things to do than verifying the sender's ip address by taking another look at the routing tables. You're more concerned with getting the packet out of your buffers as fast as you can. If at all, border routers do the filtering.
Traceroute. It sends traffic out to UDP ports that wouldn't possibly be listening on the remote host with TTL values that ensure it won't get there. The magic is in the ICMP TTL exceeded replies of course. At first glance to someone who doesn't understand what it's doing, it would appear broken though. That's actually a useful network tool, think of what kind of stuff the black hats have been writing to masquerade their traffic and probing.
From: "David J. Meltzer" djm@intrusec.com
To: bugtraq@securityfocus.com, incidents@securityfocus.com
Subject: Intrusec 55808 Trojan Analysis
Date: Fri, 20 Jun 2003 06:59:15 -0400
Intrusec Alert: 55808 Trojan Analysis
Initial Release: 6/19/03 4:30PM EDT
Latest Update: 6/19/03 11:13PM EDT
- Corrected analysis regarding use of sequence numbers to change IP
address.
- Added reference to alternate name "Stumbler" given to trojan by
Internet Security Systems subsequent to the release of Intrusec's
analysis.
Introduction:
Intrusec has completed an initial analysis of a trojan that appears to
be one of several that is responsible for generating substantial
scanning traffic across the Internet with a TCP window size of 55808.
The trojan we have isolated appears to match many of the characteristics
that others in the security community have reported for this trojan.
However, we do not believe that the specific trojan we have identified
is the sole source of the traffic generated, and do not know that it is
a primary source.
The information we've been able to gather leads us to believe that the
trojan we have captured is not the original source of the 55808 traffic
that has been seen, but is rather a "copycat", created to mimic the
behavior of another trojan or worm. The behavior of this copycat appears
to be based on press releases, news articles, and mailing lists that
described its hypothetical behavior and known output. Nonetheless, this
copycat trojan appears to be actively deployed on systems across the
Internet and is something security professionals should be aware of.
Details contained in this analysis will be updated, and linked to
numerous analyses that will be done by other security researchers, as
they become available.
Please visit and link to http://www.intrusec.com/55808.html to receive
the latest information available regarding this trojan. There is apt to be great
discussion about the nature of this "trojan" and whether in fact it is
accurately characterized as a trojan, backdoor, zombie, or worm. While
the specific binaries we have captured are probably described as a
trojan or zombie, there is no assurance that other variants of this
trojan may not be far more malicious in nature and contain worm or
backdoor functionality. We are referring to the trojan we have captured,
and the presumed other existing trojans generating similar traffic as
"55808 Trojans," and the specific binary we have analyzed as "55808
Trojan - Variant A." All discussion in our analysis section refers
specifically to the 'A' variant we have captured. Internet Security
Systems subsequent to the release of this alert dubbed this "Stumbler",
and refers to this same trojan by that name.
Analysis:
This trojan aims to be a distributed port scanner whose presence is very
difficult to detect. It port scans random addresses across the IP
address space, with a random source address also spoofed. By spoofing
the source address, the trojan is able to avoid easy detection, but it
also means it can not receive the results of the TCP SYN that is sent.
However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet. As the number of trojans installed across
the Internet grows, more spoofed packets will be sent out by each
trojan, and more of the spoofed source addresses will be captured by
other trojans.
Each time a reply to a trojan is seen, indicating an open port has been
found, it is written to a file and saved. Daily, the trojan will then
deliver the list of open ports it recorded while sniffing to a file and
deliver that file to a predefined IP address.
In addition, a specially crafted packet can be sent to the subnet the
trojan
--
One by one the penguins steal my sanity...
Well maintained routers do that. A responsible network engineer will set three "good neighbor" rules into his border routers:
1. No packet is allowed out that is not from an internal IP.
2. No packet is allowed in that is marked from an internal IP address.
3. All packets with non-routable IPs are dropped.
And the following can be considered a good idea:
4. Log any packets that violate the above rules.
However, convincing a company that it is necessary to be a good neighbor is another thing altogether. Convincing them that spending time and money to do so is worthwhile can be an uphill battle at best. It is easy to understand when some NE just gives up trying.
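The four "good neighbor" rules above are ingress/egress (BCP 38 style) source-address filtering. The following is an added example, not part of any post on this page, that models those rules as a decision function so the logic can be checked against sample traffic before it is typed into a router. The internal prefix 203.0.113.0/24, the bogon list and the sample packets are assumptions chosen for illustration (documentation ranges), not taken from any real network.

```python
"""BCP 38 style "good neighbor" border filter (added example).

Constructed example: it models the three rules listed in the comment
above as a decision function, plus rule 4 (logging).  The internal
prefix 203.0.113.0/24 and the sample packets are assumed for
illustration; they are not taken from any real network.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Rule 3 input: prefixes that must never appear as a source on the public
# Internet (private, loopback, link-local, "this" network, multicast,
# reserved).  Assumed list built from RFC 1918 / RFC 6890.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class Packet(NamedTuple):
    direction: str   # "out" = leaving our network, "in" = entering it
    src: str
    dst: str


class Verdict(NamedTuple):
    action: str            # "accept" or "drop"
    rule: Optional[int]    # rule number that fired, None when accepted


def check(pkt: Packet, internal_cidr: str) -> Verdict:
    """Apply rules 1-3 to one packet at the border."""
    internal = ipaddress.ip_network(internal_cidr)
    src = ipaddress.ip_address(pkt.src)
    # Rule 3: a bogon source is wrong in either direction, so test it first.
    if any(src in net for net in NON_ROUTABLE):
        return Verdict("drop", 3)
    # Rule 1 (egress): only our own addresses may leave.
    if pkt.direction == "out" and src not in internal:
        return Verdict("drop", 1)
    # Rule 2 (ingress): nobody outside may claim to be us.
    if pkt.direction == "in" and src in internal:
        return Verdict("drop", 2)
    return Verdict("accept", None)


def apply_rules(packets: List[Packet], internal_cidr: str) -> Tuple[List[Packet], List[str]]:
    """Run every packet through check(); returns (accepted, log_lines).

    log_lines is rule 4: one line per violation, naming the rule that fired.
    """
    accepted, log = [], []
    for pkt in packets:
        v = check(pkt, internal_cidr)
        if v.action == "drop":
            log.append(f"DROP rule{v.rule} {pkt.direction} {pkt.src} -> {pkt.dst}")
        else:
            accepted.append(pkt)
    return accepted, log


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("out", "203.0.113.10", "198.51.100.5"),   # legitimate egress
    Packet("out", "198.51.100.77", "192.0.2.9"),     # spoofed egress (rule 1)
    Packet("in",  "203.0.113.44", "203.0.113.10"),   # spoofed ingress (rule 2)
    Packet("in",  "10.1.2.3", "203.0.113.10"),       # bogon source (rule 3)
    Packet("in",  "192.0.2.9", "203.0.113.10"),      # legitimate ingress
]

if __name__ == "__main__":
    ok, log = apply_rules(SAMPLE, "203.0.113.0/24")
    print(f"{len(ok)} accepted, {len(log)} dropped")
    for line in log:
        print(line)
```

Rule 3 is evaluated before rules 1 and 2 on purpose: a packet with an RFC 1918 source is bogus whichever way it is travelling, and logging it under rule 3 keeps the log line honest about why it was dropped. A router that implements only rule 1 already stops a host on that network from emitting the trojan's spoofed SYNs with foreign source addresses.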
Yes indeed. 6502 assembler, specifically Apple 2+ assembly, taken from Nibble (QV), a computing magazine. There are also scenes where some COBOL code is visible.
This is from intrusec itself. It goes into a lot more detail:
In addition, a specially crafted packet can be sent to the subnet the
trojan is listening on which contains in its sequence number the IP
address the trojan should deliver the open port list to daily. How
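The Intrusec analysis gives two concrete handles on this traffic: the SYNs carry a TCP window size of 55808, and the daily-report address is delivered to the trojan inside the sequence number of a crafted packet. The following is an added example, not Intrusec's code or anything from the trojan, that parses raw IPv4/TCP headers without a pcap library, flags SYN-only segments with that window size, and shows how a 32-bit sequence number decodes to a dotted-quad address. The page does not say how the trojan recognises its control packet (the text cuts off there), so decode_seq_as_ip() is only a decoder, not a control-packet detector. All packets are built inline with build_tcp_packet() and are constructed, not captured; addresses are documentation ranges.

```python
"""Detector for 55808 / Stumbler style scan packets (added example).

Constructed example, not Intrusec's code.  It parses raw IPv4/TCP
headers, flags TCP SYNs whose window size is 55808 (the signature in
the alert above) and decodes a 32-bit TCP sequence number as an IPv4
address, which the alert says the trojan's control packet carries.
All sample packets are built inline; nothing is captured from a network.
"""
import socket
import struct
from typing import List, NamedTuple, Optional

SCAN_WINDOW = 55808            # TCP window size reported in the alert
TCP_SYN, TCP_ACK = 0x02, 0x10  # TCP flag bits


class TcpSummary(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: int
    window: int


def build_tcp_packet(src, dst, sport, dport, seq, flags, window) -> bytes:
    """Build a minimal IPv4 + TCP header pair (checksums left zero, no payload)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_tcp(packet: bytes) -> Optional[TcpSummary]:
    """Return a TcpSummary for an IPv4/TCP packet, None for anything else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", packet[ihl:ihl + 16])
    return TcpSummary(src, dst, sport, dport, seq, flags, window)


def is_55808_scan(s: TcpSummary) -> bool:
    """SYN-only segment (not SYN/ACK) with the tell-tale window size."""
    return (s.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and s.window == SCAN_WINDOW


def decode_seq_as_ip(seq: int) -> str:
    """Interpret a 32-bit sequence number as a dotted-quad IPv4 address."""
    return socket.inet_ntoa(struct.pack("!I", seq & 0xFFFFFFFF))


def scan_alerts(packets: List[bytes]) -> List[str]:
    """One alert line per packet that matches the 55808 scan signature."""
    alerts = []
    for raw in packets:
        s = parse_tcp(raw)
        if s and is_55808_scan(s):
            alerts.append(f"55808 SYN {s.src}:{s.sport} -> {s.dst}:{s.dport}")
    return alerts


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    build_tcp_packet("198.51.100.7", "192.0.2.80", 40001, 80, 1000, TCP_SYN, SCAN_WINDOW),
    build_tcp_packet("198.51.100.7", "192.0.2.80", 40002, 22, 1001, TCP_SYN, 65535),
    # A SYN/ACK reply echoing the same window must not be reported as a scan.
    build_tcp_packet("192.0.2.80", "198.51.100.7", 80, 40001, 7, TCP_SYN | TCP_ACK, SCAN_WINDOW),
    # Assumed control packet whose sequence number spells 203.0.113.9.
    build_tcp_packet("203.0.113.200", "198.51.100.7", 5555, 5555,
                     int.from_bytes(socket.inet_aton("203.0.113.9"), "big"), TCP_SYN, 1024),
]

if __name__ == "__main__":
    for line in scan_alerts(SAMPLE):
        print(line)
    print("control address:", decode_seq_as_ip(parse_tcp(SAMPLE[3]).seq))
```

The window-size check is a weak signature on its own: any copycat, or a legitimate stack that happens to advertise 55808, will match it, and the alert itself warns that the captured binary may be a copycat built from published descriptions. The SYN-only test matters because the open-port replies the trojan harvests are SYN/ACKs, and those should be counted as victims answering, not as scanners.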
Section 133(d)(3)(A) of Hatch's bill, buried in the trash, exempts elected officials from having their computers destroyed for pirating software. After all, destroying gov't property, we just can't have that.
If it is truly pirated it is not government property, it is the property of the owner.
However, the Legislative branch frequently exempts itself from laws under the separation of powers issue, to prevent the Executive branch from exercising power over them.
This slowed down a bit in the mid-1990s and, curiously, it was the Republicans leading that charge. Predictably the charge did not last much longer than mounting the horses.
Eve Fairbanks says I drive a hybrid! LOL