What's Behind The Odd Data?

citking writes "CNet is reporting that 'network administrators and security experts continue to search for the cause of an increasing amount of odd data that has been detected on the Internet.' While this has been going on now for a few days and some experts have already declared victory against the 'trojan', others aren't so sure that the real culprit has been identified yet. Other stories can be found here(1) and here(2)."

Maybe we are searching into the wrong thing...

[selfsealingstembolt]

Maybe that are residues of testing? Some people writing networking-software maybe just made some debugging runs using data sent over the net and sent out erroneous packets.

Maybe it is some rare case with a seldom occuring situation where the TCP/IP protocol runs mad? I mean, when designing such flexible and autonomous systems sometimes there are things you can't foresee. After decades of online time and rewrites of TCP/IP core parts in combination with the unpredictability of such huge systems it would not surprise me, if that are just packets which emerge every now and then.

Another explanation: the net has gotten critical mass and is becoming conscious....

Just my two cents.....

Interesting

[chendo]

This indirect approach to communicate is very interesting, as it's indirect.

The trojan could broadcast the 'odd data', containing information, and such, while another trojan can listen for weird packets like those, and grab info from them.

As the source cannot be identified easily, it would be very hard to discover the infected computer, and the destination doesn't exist, it's a weird way to communicate.

My two cents.

Re:For those too lazy to read the article : )

Something's wrong with this theory. I have several thousands of these packets in my logs, but they started to appear back in october. They are directed at many ports (which are closed on my system), but each originator tries several times. Many attempts look like an Edonkey client trying to deliver a message, which is not unusual on a dynamic IP connection where the previous user of an IP apparently used filesharing programs. Either the window-size 55808 isn't that unusual or the "infection" has been around much longer. Another system on a static IP has yet to see even one packet with that window-size. If it's a mapping system, it certainly isn't random. It could be that ??AA-serving companies are looking for "tainted" filesharing clients which they could then ask to reveal more information about the system and their owners by using strange packets for hidden communication with the client. If this is true, the trojan which randomly sends out strange packets is merely a decoy.

Purposely Broken?

[lord_humungous]

"It is very buggy," Ingevaldson said. "It didn't even write information to its data file correctly."

Stupid question: Can you think of a program that was written to appear broken, but actually functions in a way that is not immediately apparent? The thought crossed my mind when I saw everyone writing this off as buggy code.

P2P

This is a concept true-anonymous (not just group-anonymous) encrypted stealth P2P application currently in non-public development. We will not give its official name here as development is in early stages of design refinement, but the current prototype is codenamed "rolypoly".

It would appear that someone has been testing it on the Internet instead of our private testing VPN, probably unwittingly via a misconfigured gateway. We apologise for this as it is a private research project, although it is a testament to our protocol that even though it is in design, we are ourselves already unable to trace the source, and will have to actually telephone each tester to determine who it is!

We apologise for the strange nature of the packets, and will conduct the probes in a different manner in the next version, as we have devised an improved method which will conserve a lot of bandwidth, to be implemented in the next prototype, "strudel". The fixed window size is a simple bug that will be corrected, as padding should not only be mimic-function quasi-random, but the packets should be over ten times smaller! The behaviour of later versions is likely to differ considerably, and should approach unfilterable "noise" or resemble legitimate traffic, especially behind firewalls (strudel should be able to bridge even web proxy-only scenarios, and reduced connectivity will merely slow things down). You may also find that later versions utilise multicast to a certain extent.

Nodes capable of transmitting packets with spoofed IPs are used to connect two hosts behind firewalls (by issuing handshake responses "for" them), and for one-way anonymous automated host discovery without need for a nodelist. Many ISPs block such packets, so nodes capable of doing this are valued even if they are low-bandwidth.

We are not responsible, by the way, for the copycat trojans that have been popping up mimicking the traffic caused by the errant test, and we do not know who is.

Posted via an anonymous proxy for our protection.

go hunting

[graf0z]

Fishing for tcp-packets with window size of 55808:

$ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &

View that dump with ethereal. On a router in front of 533 IPs i got 1594 packets in 154000 seconds, thats an average hitrate of on packet every 14h (per IP). As (most?all) IPs are spoofed, not really faszinating. But wait:

• only 31 of those 533 IPs got hit
• only 11 of those 31 IPs got hit more than 3 times
• these 11 "main targets" got 1561 of the 1594 packets
• each of these main targets where hitten on _one_ single dest port (but from many - spoofed - src IPs)

... so the target ip seems to be _not_ randomly distributed. Supports the hypothersis of a kind of portscanner

Anybody decoding the secret message in the initial sequence numbers ;-?

/graf0z.