Slashdot Mirror


55808 Trojan Analysis

espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq. The good news (I guess?) is that apparently it is just a proof of concept distributed scanner. The bad news is they think they just caught a copycat version of the original trojan. ISS also has an analysis."

118 comments

  1. Related Information by Scoria · · Score: 5, Funny

    Timothy published related information this morning. Perhaps "55808" is attempting to locate Slashdot duplicates. ;-)

    --
    Do you like German cars?
  2. Let us sysadmins "route" out terrorism by Anonymous Coward · · Score: 0

    Stop forwarding packets!
    Shut down the net baby!

  3. dupe by Elequin · · Score: 0, Offtopic

    So, how'd a duplicate make it past the subscriber preview feature?

    1. Re:dupe by Rick+the+Red · · Score: 0, Flamebait
      Perhaps people aren't willing to pay to do proofreading.

      Perhaps the "editors" who aren't reading the front page before posting a story also aren't reading their email from subscribers.

      --
      If all this should have a reason, we would be the last to know.
  4. This is quite a clever trojan by rf0 · · Score: 5, Informative

    In that a port scanner normally has to set the destination address on the packets to itself to get the results. Along with this packet it also might send out 100's of spoofs. This one, on the other hand, sends out nothing but forged packets.

    However, as it's listening in promiscuous mode, it detects other packets from other trojans that have the network it's on as the spoof address and then collects those results.

    This is what makes it so hard to find, for one reason.

    Rus

    1. Re:This is quite a clever trojan by Anonymous Coward · · Score: 3, Funny

      wow!
      1.) quote article
      2.) karma

      now if we could remove the first step and make it

      1.) karma

      then we could add

      2.) profit!

    2. Re:This is quite a clever trojan by fireman+sam · · Score: 1

      Oh but you have. Lets break your one step down a bit:

      1) Make funny reply about a comment that quotes from the article
      2) karma

      We can then take it further:

      1) Make a (funny?) reply about a reply about a comment that quotes from the article
      2) karma *

      * or in my case -karma

      --
      it is only after a long journey that you know the strength of the horse.
    3. Re:This is quite a clever trojan by sbszine · · Score: 1
      --

      Vino, gyno, and techno -Bruce Sterling

    4. Re:This is quite a clever trojan by evilviper · · Score: 2, Interesting
      This one, on the other hand, sends out nothing but forged packets

      Indeed, but it seems to be sending them almost randomly across the internet...

      as it's listening in promiscuous mode, it detects other packets from other trojans that have the network it's on as the spoof address and then collects those results.

      Why does it need another trojan to do the job? If it's listening in on the network, why not just send a packet to the host it wants to find information about? Sure, it can still forge the source IP address (hence stay just as anonymous), but that would be a much more efficient method of scanning hosts, rather than sitting around and waiting until some other trojan elsewhere just happens to luck out and hit a machine on a network with another trojan. Of course, I'm assuming there is no central coordination between them... If there is, that would be a very good system (but then they could be traced to a single point).

      This is what makes it so hard to find, for one reason.

      I really don't see why... Send a message to the largest ISPs, and tell them to be listening for all packets that match the description that are _outbound_. Once they've found one, the ISP can obviously determine where it really came from, and get a copy of everything on the source computer. Seems like that would be easy enough to track down. I'll be logging all packets that fit the bill myself, but with most of my systems on private IPs, I don't suspect I'll have very much luck.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:This is quite a clever trojan by Anonymous Coward · · Score: 0

      just wondering...could it be trying to communicate by port knocking?...is this some kind of 'morse code'?

    6. Re:This is quite a clever trojan by Anonymous Coward · · Score: 0
      I really don't see why...

      Yes, these are easy to catch where they cross boundaries. They also have a fake source address which any decent admin should have blocked at the firewall. Once you know you have one running on your network, finding the machine responsible could be hard. Not for us, we keep a table of MAC addresses, but many don't.

    7. Re:This is quite a clever trojan by evilviper · · Score: 1
      finding the machine responsible could be hard. Not for us, we keep a table of MAC addresses, but many don't.

      Once you know the MAC, you could simply use rarp or mac-ping to find out the IP address of the system, what router it is closest to, etc.

      So I still think it would be quite easy to find if admins were watching for it on their internal networks (rather than just noticing it at the destination).
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  5. DoItYourself by graf0z · · Score: 5, Informative
    Analyse (like here) the target IPs & ports for Yourself:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &

    If You have enough IPs, You'll see the gimmick ...

    /graf0z.

    1. Re:DoItYourself by graf0z · · Score: 2, Informative
      Just in case you are serious: You need tcpdump (and screen) to be installed for that command line to work. Instead, install a packet sniffer of Your choice (like windump) and tell it to grab TCP packets with the TCP header "window size" set to 55808.

      You could avoid a lot of trouble, if You installed a more usable operating system before. I expect a networking OS distribution to ship with a packetsniffer.

      /graf0z.

    2. Re:DoItYourself by Anonymous Coward · · Score: 0

      If You have enough IPs, You'll see the gimmick ...

      I do not have enough IPs, I do not see the gimmick. Please tell.

    3. Re:DoItYourself by Anonymous Coward · · Score: 0

      I used: 'tcp[13] = 0x02 and tcp[14:2] = 55808' as they are all syn packets.

    4. Re:DoItYourself by Anonymous Coward · · Score: 0

      do you not have to open the port up with netcat or similar to catch a log? or are you just talking about recording the initial packet sent by the 55808 wormie? that means i will not get any juicy information in that first packet :(

    5. Re:DoItYourself by Anonymous Coward · · Score: 0

      ahh fuck dont worry. i read it again, its a randomly selected port with a fixed tcp window size which makes my last comment a bit st00pid

    6. Re:DoItYourself by jamesh · · Score: 1

      a thought just occurred to me. Say there was a vulnerability in tcpdump (which there was). Say you could exploit this vulnerability remotely (which apparently you could, but I might be thinking of something else). Say you wanted to trick a whole load of people into running tcpdump... one way would be to generate a whole load of strange packets and then announce on a public forum that people could use tcpdump to look at these strange packets... :)

  6. It's so simple! by Libor+Vanek · · Score: 0, Funny

    1. Write distributed trojan
    2. ???
    3. PROFIT!

    1. Re:It's so simple! by tomstdenis · · Score: 5, Funny

      1. Use the same fucking joke over and over.
      2. ???
      3. Jackass!

      --
      Someday, I'll have a real sig.
    2. Re:It's so simple! by Libor+Vanek · · Score: 0

      Yeah... something like that...

    3. Re:It's so simple! by Anonymous Coward · · Score: 4, Funny

      1. Spot duplicate story on Slashdot
      2. Copy highly moderated comment from previous story
      3. ???
      4. KARMA!!

    4. Re:It's so simple! by Anonymous Coward · · Score: 0

      God I hate the /. cliches, but you made me laugh.

  7. New article title? by Libor+Vanek · · Score: 1

    New /. topic:
    Disassembling trojans online

  8. It's the Church of the Subgenius by Bingo+Foo · · Score: 5, Funny

    Their "flagship," the S.S.BOB

    Uh that's a de-leetified 55808 BTW

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
    1. Re:It's the Church of the Subgenius by Destoo · · Score: 1

      55808 is actually DA00 in hexa..

      And there have been reference to "DAY 0" in previous articles related to that worm...
      coinkidink?

      --
      Nouvelles de jeux et technologies en français. TC
    2. Re:It's the Church of the Subgenius by Anonymous Coward · · Score: 0

      He said it was deleetified, not dehexified.

      5 looks like S, 8 looks like B, 0 looks like O, therefore you have

      55808
      SSBOB

      y0u s7up1d f001!! r0x0rz!!

      oh and that previous article was stupid, zero day is more of a warez term than a virus term. dumb farks

    3. Re:It's the Church of the Subgenius by Tycho · · Score: 1

      Good, that makes more sense than Zip code 55808 which is the West Duluth area of Duluth, Minnesota.

      --
      Impersonating Tycho from Penny Arcade since before there was a PA.
  9. What's Behind This Odd Dupe? by GillBates0 · · Score: 5, Funny
    From the BugTraq Post "The information we've been able to gather leads us to believe that the trojan we have captured is not the original source of the 55808 traffic that has been seen, but is rather a "copycat", created to mimic the behavior of another trojan or worm."

    The information we've been able to gather leads us to believe that the new article we're seeing is not the original source of the odd Slashdot-generated traffic that has been seen on the Internet, but is rather a "copycat", created to mimic the behavior of another article or story.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  10. CNet article notes conflicting claims by Anonymous Coward · · Score: 3, Informative

    Check out http://news.com.com/2100-1002_3-1019759.html?tag=fd_top about this. Looks like there are some conflicting claims about what this trojan is.

  11. How does it spread? by Anonymous Coward · · Score: 2, Interesting
    Every one of these articles mentions that the trojan doesn't self-propagate, it must be installed manually.

    So the obvious question that nobody is asking is, "who is installing this thing on all these servers?". It would have to be either (a) one guy with access to Unix servers all over the world, (b) a conspiracy of people who have such access, or (c) somebody is hacking into these servers to install the trojan - which seems like a much more newsworthy story, I would think.

    Can somebody explain?

    1. Re:How does it spread? by freeweed · · Score: 5, Interesting

      The big Samba exploit a couple of months ago left a nice root shell bound to a fixed high port. What's interesting about this is that *many* exploits around the same time shared the same shellcode, and thus the same port.

      Doing some casual scanning at the time, I picked up hundreds of boxes with a root (or other user, local privilege escalation anyone?) shell open on that very port. This was only a couple of hours of scanning; imagine what I could have done given a few weeks.

      --
      Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    2. Re:How does it spread? by Mononoke · · Score: 1
      Can somebody explain?
      "Automatic Update"?

      /M$ bashing.

      --
      NetInfo connection failed for server 127.0.0.1/local
    3. Re:How does it spread? by Anonymous Coward · · Score: 0

      I don't know but my posts about Magic Lantern are disappearing from here pdq....

    4. Re:How does it spread? by Anonymous Coward · · Score: 0

      If Microsoft used NFS, then Samba wouldn't be needed. This is all Microsoft's fault!

    5. Re:How does it spread? by Master+Bait · · Score: 1
      My Spirit Guides inform me that the trojan originates at Orrin Hatch's office.

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    6. Re:How does it spread? by EverLurking · · Score: 1
      Well, according to the analysis of the "Copy Cat Trojan", it seems like there is some built-in "Self Destruct" code in which it tries to delete itself if it loses contact with the IP that it is supposed to be reporting back to.

      Could it be possible that the trojan code that they found is only part of the original program minus the infectious portion of the code? i.e., self-modifying code that deleted the portion of itself that performed the installation of the trojan to make itself appear NOT to be self-propagating? Perhaps the infection took place in two stages, first with a module which was the infecting/self-propagating portion which then downloaded the trojan/static scanning portion and then deleted the original module?

      Those hacker folks can be quite sneaky eh?

      DaveC

      --
      There are no stupid questions...just stupid people.
  12. Long range network probe by Anonymous Coward · · Score: 4, Funny

    "...ISS also has an analysis."

    They can perform packet sniffing and analysis from orbit?

    Geez, and to all you naysayers who claim that a reduced two-man crew could not get any science done!

  13. Re:Moderation: Flamebait? by Anonymous Coward · · Score: 1, Insightful

    No, -1 No one cares. A dupe gets posted. BFD. A reminder of a previous story once in awhile won't kill you. Just ignore it and it'll go away (off of the front page). Chill. If you can do better, make your own metanews site. This isn't supposed to be a profession suit-and-tie site like CNN, it's a fun project for everyone who runs it. I enjoy the fun project. Now stop wasting people's mod points (or the editor's time) and stop ranting about dupes.

    Sincerely,
    AC

  14. As silly as it may sound... by TyrranzzX · · Score: 2, Interesting

    Maybe this guy is looking for something? 224 and up are used for only god knows what.

    1. Re:As silly as it may sound... by AndroidCat · · Score: 2, Informative

      Port 224? I don't recall any article mentioning port numbers, other than the program trying services not available. As for what those ports are used for, God and the IANA knows, like here (Of course, since there are no assigned l33t haxor ports, they tend to use whatever they want to.)

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:As silly as it may sound... by netfist · · Score: 1
      I'd check IANA before bothering $DEITY...

      http://www.iana.org/assignments/multicast-addresses

  15. Analysis by Anonymous Coward · · Score: 0

    There's an analysis. Why did you think it was a dup, without even reading the f*c?ing title?

  16. ill conceived trojan? by Anonymous Coward · · Score: 0

    Yes, when night fall comes you, me, and lancelot jump out of the rabbit.
    Who?
    You, me and Lancelot jump out of the rabb.....,perhaps if we built a large wooden badger.

  17. iptables? by Anonymous Coward · · Score: 0

    anyone know how to write a rule that will log this kind of packet with iptables?

    1. Re:iptables? by rastos1 · · Score: 1

      I don't know if you can block by window size. For sure you can block invalid source IP address or syn to ports you don't have open ...

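The tcpdump filter in the DoItYourself thread and the iptables question above come down to the same two TCP header fields: the flags byte at offset 13 (tcpdump's tcp[13], where bit 0x02 is SYN) and the 16-bit window at offset 14 (tcp[14:2]), which for this traffic is 55808 = 0xDA00. The Python below is an added example written for this page; it is not code from the thread, from the Bugtraq post or from any of the linked analyses. It parses raw IPv4/TCP packets, applies exactly that test, and then sorts the hits into the two cases the thread discusses: matching SYNs arriving from outside, and matching SYNs leaving the local network with a forged source address, which is what egress filtering at the firewall should stop. The sample packets are constructed in-line from RFC 5737 documentation ranges and the local prefix 192.0.2.0/24 is an assumption, so it runs offline with no capture interface.

```python
"""Detect the window-55808 SYN traffic discussed above and sort the hits.
Added example, not the thread's or any vendor's code. All packets below are
constructed in-line from documentation address ranges (RFC 5737)."""
import ipaddress
import socket
import struct

WINDOW_55808 = 55808   # 0xDA00, the fixed TCP window of the probes
TCP_SYN = 0x02         # SYN bit in the flags byte (tcpdump's tcp[13])
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, window, seq=0):
    """Build a minimal IPv4 + TCP packet: 20-byte IP header, 20-byte TCP
    header, no options, no payload. Checksums are left at zero because the
    detector, like a BPF filter, never validates them."""
    ip_hdr = struct.pack('!BBHHHBBH4s4s',
                         (4 << 4) | 5,  # version 4, IHL 5 (20 bytes)
                         0, 40, 0, 0,   # TOS, total length, ID, frag
                         64, 6, 0,      # TTL, protocol TCP, checksum
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack('!HHIIBBHHH',
                          sport, dport, seq, 0,
                          5 << 4,       # data offset 5 words, no options
                          flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse(packet):
    """Return (src, dst, sport, dport, flags, window) for an IPv4/TCP packet,
    or None for anything else (non-IPv4, non-TCP, truncated)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    tcp = packet[ihl:]
    sport, dport = struct.unpack('!HH', tcp[0:4])
    flags = tcp[13]                               # tcpdump: tcp[13]
    window, = struct.unpack('!H', tcp[14:16])     # tcpdump: tcp[14:2]
    return src, dst, sport, dport, flags, window


def is_55808_syn(packet):
    """Same test as the BPF filter 'tcp[13] & 0x02 != 0 and tcp[14:2] = 55808'.
    Using '& 0x02' rather than '= 0x02' also catches SYNs carrying ECN bits."""
    p = parse(packet)
    return p is not None and bool(p[4] & TCP_SYN) and p[5] == WINDOW_55808


def classify(packets, local_net):
    """Sort matching packets into the cases discussed in the thread:
      inbound        - probe arriving at one of our hosts from outside
      spoofed_egress - probe leaving our network with a source address that
                       is NOT ours, i.e. a forged packet egress filtering
                       should have dropped (and a sign of an infected box)
      egress         - probe leaving with a source that is ours
    Returns a dict of lists of (src, dst, dport)."""
    net = ipaddress.ip_network(local_net)
    hits = {'inbound': [], 'spoofed_egress': [], 'egress': []}
    for pkt in packets:
        if not is_55808_syn(pkt):
            continue
        src, dst, _sport, dport, _flags, _window = parse(pkt)
        if ipaddress.ip_address(dst) in net:
            hits['inbound'].append((src, dst, dport))
        elif ipaddress.ip_address(src) in net:
            hits['egress'].append((src, dst, dport))
        else:
            hits['spoofed_egress'].append((src, dst, dport))
    return hits


# Constructed sample traffic (assumption: our network is 192.0.2.0/24).
LOCAL_NET = '192.0.2.0/24'
SAMPLE_PACKETS = [
    # outside scanner probing one of our hosts: SYN, window 55808
    build_ipv4_tcp('203.0.113.7', '192.0.2.10', 4711, 8080, TCP_SYN, WINDOW_55808),
    # ordinary inbound SYN with window 65535: must not match
    build_ipv4_tcp('203.0.113.8', '192.0.2.10', 4712, 22, TCP_SYN, 65535),
    # an infected box of ours sending a forged-source probe out
    build_ipv4_tcp('198.51.100.99', '203.0.113.200', 40000, 1234, TCP_SYN, WINDOW_55808),
    # window 55808 but ACK, not SYN: must not match the SYN filter
    build_ipv4_tcp('203.0.113.9', '192.0.2.10', 4713, 80, TCP_ACK, WINDOW_55808),
]


def run_demo():
    """Classify the constructed sample; returns the dict from classify()."""
    return classify(SAMPLE_PACKETS, LOCAL_NET)


if __name__ == '__main__':
    for kind, matches in run_demo().items():
        for src, dst, dport in matches:
            print(f'{kind}: {src} -> {dst}:{dport}')
```

To run this over a real capture, feed it the IP payload of each frame from a pcap reader (the tcpdump -w file from the DoItYourself post, minus the link-layer header) instead of SAMPLE_PACKETS. The split between inbound and spoofed_egress is the point: the inbound bucket tells you someone is scanning you, which is noise, while anything in spoofed_egress means the scanner is on your own wire, which is the case the thread says is hard to track down without a MAC table.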
  18. It's just amazing by mcrbids · · Score: 4, Insightful

    What I find most amazing is not that these exploits, worms, and trojans exist, or even that there are so many, but rather that there are so few.

    We can all thank our favorite deities (Cowboy Neal included) that economics work out such that those who are most capable of writing a true "nutbuster" malware are typically getting paid to write something more productive!

    Most of these worms and viruses are pretty lame - I read someplace that over 90% of worms and viruses never propagate enough to be "viable" - they are too ineffective to spread.

    The Internet is an amazingly powerful communications medium - but putting your stuff online is somewhat analogous to putting your stuff in the heart of Harlem - since everywhere has a "front door" there.

    The state of security on the Internet is bad, and will get worse before it gets better.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:It's just amazing by MyHair · · Score: 1

      The state of security on the Internet is bad, and will get worse before it gets better.

      That's why I pack my .357 Magnum with hollow point ammo when surfing nowadays.

      (Okay, not really, but I was looking at a Bersa Thunder .380 in the gun store yesterday...)

    2. Re:It's just amazing by Anonymous Coward · · Score: 0

      ..but putting your stuff online is somewhat analogous to putting your stuff in the heart of Harlem - since everywhere has a "front door" there.


      what the fuck man, I'd rather keep my things in the heart of Harlem than somewhere with less of a sense of community like LA. It's all a matter of befriending the locals- then you don't get touched or at least have a chance at finding out where it went if you do.
      Harlem's actually pretty nice - it is just non-white so it gets all the racist shit (like this) thrown on it.
      And have you seen the front doors in NYC?? Think 3/8" stainless steel and wrought iron from the 20s and still standing up to it.

  19. In Soviet Russia by DrSkwid · · Score: 1

    The joke is on you

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  20. Re:Moderation: Flamebait? by Anonymous Coward · · Score: 0

    Of course one could argue it stopped being a "fun project" when it was bought out by a corporation and started charging money (yeah yeah voluntary and all, whatever). I accept the fact that dupes can happen every now and then, but if first occurence of the story is three stories down on the frontpage, then it's just carelessness and incompetence.

  21. now this is weird... by inode_buddha · · Score: 2, Informative

    Doing a whois on the trojan's default IP (12.108.65.76) if it fails to connect and deliver its list yields:

    AT&T WorldNet Services
    12.0.0.0 - 12.255.255.255

    MAY SYSTEMS DBA INTERNET CAFFE
    12.108.65.64 - 12.108.65.127

    --
    C|N>K
    1. Re:now this is weird... by BrainStain · · Score: 1

      This is weirder... 55808 = 0xDA00 = \r\n\null\null in ascii which would look like end of line, end of file to me, having just written a pop3 database. 12.108.65.76 -> \nlAL in ascii could be some word game, like new line, el AL? DA 00, like russian for yes 00 ( may we say 7 ? ) or yes 00 as in the big 00 null null, like the nuke.

  22. Well That does it! by croftj · · Score: 2, Funny

    I'm sick of all of the security breaches in Linux. I'm going back to the warmth and security of MS Windows!

    Y.A.W.B.T.B (Yet Another Windows Bigot To Be)

    --
    -- Many men would appreciate a woman's mind more if they could fondle it
  23. Cool! by timeOday · · Score: 1

    How bad is Internet security really? I work with computers for a living, I'm on the Internet almost constantly, and I don't think my life would be noticeably different if the Internet were 100% secure tomorrow. (Except that any practical means to accomplish complete security would probably be very unpleasant in itself).

    1. Re:Cool! by sigwinch · · Score: 2, Insightful
      ...I don't think my life would be noticeably different if the Internet were 100% secure tomorrow.
      Do not confuse a low probability event with a low severity event.
      --
      Kuro5hin.org: where the good times never end. ;-)

    2. Re:Cool! by MeerCat · · Score: 2, Insightful

      I don't think my life would be noticeably different if the Internet were 100% secure tomorrow

      Just because you personally aren't suffering from security problems right now means a secure internet wouldn't appear to change things much, but wait until you've been hit with a security related problem that wasted a week of time / lost you $1,000 / lost you your job / destroyed your credit rating / etc. - suddenly a secure internet becomes much more appealing.

      I don't want to sound like I'm being harsh on you, but compare your statement to an extreme like "I don't think immortality is a big thing - I mean, I've been alive 35 years and I haven't died yet..."

      --
      I spent a lot of money on booze, birds and fast cars. The rest I just squandered. - George Best
    3. Re:Cool! by Anonymous Coward · · Score: 0

      Care to explain your comment?

      I don't disagree, I just don't understand.

    4. Re:Cool! by ReTay · · Score: 2, Interesting

      The point of the parent was not that the Internet is not 100% secure.
      Ever heard of the following project?? Some good coders that got bored... Care to imagine what would happen to your daily life and work if the Internet dissolved into chaos for a week or so?
      This kind of thought would make the worms and such that we have seen till now the kids' toys they are.

      Over year ago, with couple of friends, we started writing a project, called
      'Samhain' (days ago, on packetstorm, I noticed cute program with same name -
      in fact it's not the same app, just a coincidence ;). We wanted to see if
      it's difficult to write deadly harmful Internet worm, probably much more
      dangerous than Morris's worm. Our goals:

      1: Portability - worm must be architecture-independent, and should work on
      different operating systems (in fact, we focused on Unix/Unix-alikes, but
      developed even DOS/Win code).

      2: Invisibility - worm must implement stealth/masquerading techniques to hide
      itself in live system and stay undetected as long as it's possible.

      3: Independence - worm must be able to spread autonomically, with no user
      interaction, using built-in exploit database.

      4: Learning - worm should be able to learn new exploits and techniques
      instantly; by launching one instance of updated worm, all other worms,
      using special communication channels (wormnet), should download updated
      version.

      5: Integrity - single worms and wormnet structure should be really difficult
      to trace and modify/intrude/kill (encryption, signing).

      6: Polymorphism - worm should be fully polymorphic, with no constant
      portion of (specific) code, to avoid detection.

      7: Usability - worm should be able to realize chosen mission objectives -
      eg. infect chosen system, then download instructions, and, when
      mission is completed, simply disappear from all systems.

  24. Magic Lantern or by Anonymous Coward · · Score: 0

    Some other nation's or private organization's reasonable facsimile of same.

    I don't think the original was script kiddies.

    It's an attack (my opinion), in preparation for some more attacks. The US is too vulnerable, and too big to take on directly, cyber warfare is just one of the ways to level the playing field, along with biowarfare attacks and hard-infrastructure direct attacks. The best possible technique for any potential badguys would be "all of the above" and simultaneously.

  25. SARC writeup here.... by VCAGuy · · Score: 4, Informative

    Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linux.typot.html.

    --
    Q: "Why do sound techs say 'check 1, 2'?"
    A: "Cause if they could count any higher they'd be lighting techs."
    1. Re:SARC writeup here.... by !Squalus · · Score: 1

      So, it hit less than 2 sites and less than 49 hosts, yet it gets this much publicity? WTF?

      I read the linked article, but I don't believe I read that right.

      --
      All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
    2. Re:SARC writeup here.... by GryMor · · Score: 1

      Stumbler is not capable of generating the traffic pattern observed in the initial and ongoing network traffic. Stumbler is the copycat that mimics a few of the publicly known characteristics of still rising window size 55808 traffic with forged damn near everything.

      --
      Realities just a bunch of bits.
  26. Distribution method? by gmuslera · · Score: 3, Insightful
    This is not a virus, nor a worm. How can one be, er... "infected" by this worm? Is it available already in rootkits? Or distributed with another innocent-looking program? This looks like it needs to be run as root, so it has very few ways to spread, mostly depending on the bad behaviour of the system administrator.

    If it's very widespread (I did not do the tcpdump trick yet :) it could mean that it is attached to something that is in some way popular, or that it is in fact a worm (i.e. taking advantage of some vulnerability to spread, and then doing the scanning).

  27. Product Name Change by malia8888 · · Score: 5, Funny
    Press Release: Trojan Condoms will hereinafter be called "Greeks". As any mythology student knows the Greeks and the Trojans in mythology were opponents. The Trojan Company in an effort to distance itself from the "trojans" in the cyber world will change sides in this epic conflict and now refer to their fine product as "Greeks".

    Press Release Number Two: Bill's Bait Shop will now refer to their worms as "Fancy Pink Wriggling Fish Food". Bill's Bait Shop, in an effort to distance itself from the "worms" in the cyber world will now refer to their fine product as "Fancy Pink Wriggling Fish Food".

    --
    Harpo Tunnel Syndrome--my wrist feels funny.
    1. Re:Product Name Change by nervous_twitch · · Score: 1

      This reminds me, I've always thought trojan was a funny name for a condom. After all, when you say "trojan", what do most people think of? The "Trojan Horse".. which was created to get inside of (was it the walls of Troy? I can't remember ATM..) Once inside, it burst open and a bunch of people came out of it to wreak havoc on the city. Seems to be exactly what you DON'T want a condom to do, doesn't it? :)

      --
      Trees everywhere, and not a forest in sight.
  28. other thoughts by The+Tyro · · Score: 1

    as quoth the above poster: "55808 is actually DA00 in hexa"

    Or maybe it was written by Warez d00ds

    Or perhaps Harry Belafonte has a HUGE fan out there somewhere (let's pretend for a moment)

    "DA00! DA00! Daylight come and me wan' go home"

    OK... sorry... you may mod me down now.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
    1. Re:other thoughts by Anonymous Coward · · Score: 0

      Man, that was so much better than the bitch post I expected it to be!!!

  29. How convenient by Animats · · Score: 3, Interesting
    Amazing how all these attacks appear, just annoying enough to make people buy "protection" from companies like McAfee, but not damaging enough to force OS vendors to actually design systems that are secure.

    Hmm.

    1. Re:How convenient by caluml · · Score: 1

      Amazing how paranoid some people are :) Go on, what's your take on the JFK thing, or Roswell? :)

    2. Re:How convenient by Animats · · Score: 1

      When was the last arrest of a virus author? 2001? And he turned himself in? Why, with all this "security" effort, aren't more people being caught?

    3. Re:How convenient by MyHair · · Score: 1

      Yeah, I was wondering this as well. Before (or during) Code Red it seems the U.S. authorities were actively hunting down virus writers, even in other countries.

      I haven't heard of anything like that since, and there have been a few nasty viruses.

      What gives?

    4. Re:How convenient by ant_slayer · · Score: 2, Insightful

      Dude,

      Technically, viruses and trojans will never prompt OS vendors to produce "better" products. This is because a virus or trojan does not necessarily take advantage of OS flaws. This trojan, for example, looks for existing backdoors and takes advantage of them. BAT.mumu and W32.deborm, of recent fame, attacked weak passwords (not weak OSs).

      The *concept* of a trojan or virus implies that an idiot user invokes it. If it's the idiot user that introduces the malicious code to the system, then how is that an OS flaw? Is it a flawed OS that lets you run a program?

      Viruses and trojans attack social weaknesses -- idiot users that execute attachments in Email, have weak passwords, or download programs from arbitrary web sites.

      -Josh O-

    5. Re:How convenient by Animats · · Score: 1
      Viruses and trojans attack social weaknesses -- idiot users that execute attachments in Email, have weak passwords, or download programs from arbitrary web sites.

      Wrong answer. The OS should execute external content in an environment where it can't do anything harmful. That's what mandatory security models are for. Look at NSA Secure Linux.

  30. Simple, when you pay... by Henk+Poley · · Score: 1

    ...you won't see the dupes :-)

    1. Re:Simple, when you pay... by Master+of+Transhuman · · Score: 1

      No, anybody who pays WILL see the dupes - every time they look in the mirror...

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  31. Re:Opps! Taco's spell checker is in his anus again by Anonymous Coward · · Score: 0

    In his defense it is the spelling of the article submitter; however, in his prosecution it is the job of an "editor" to correct such things.

    And to think they actually get paid for this stuff.

  32. Re:Opps! Taco's spell checker is in his anus again by Anonymous Coward · · Score: 0

    Thanks for that, CAPTAIN FUCKING OBVIOUS!1!!11

    Oh the lameness filter is lame. It doesn't take much to get around the lameness filter at all. Yes, I would say the lameness filter is not only somewhat ineffective, it is a real waste of space.

  33. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  34. Trace source by Uber+Banker · · Score: 1

    Despite there being no valid origin address in the packet, can't networks get together and pool resources and find out which network (it is a physical link after all and traceable) passed them the packet, then compile all of these origin sources, then the source would be revealed by point-of-earliest-contact.

    Or multiple hosts.

    Or do networks not like to get together like this?

  35. I Tell Ya, It's Saddam! by Master+of+Transhuman · · Score: 1

    It's his big move on July 17th!

    He's gonna put a big picture of his mug on the White House Web server with his tongue out and an MP3 playing, "Nyah-Nyah-Nyah-Nyah-Nyah"!

    George will have apoplexy and croak! And Saddam beats another George Bush again!

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  36. FYI by espo812 · · Score: 1

    2003-06-22 06:11:55 55808 Trojan Analysis (articles,security) (accepted) That time is GMT. So I submitted it well before the first incarnation of this article was posted. Also, sorry for my bad spelling.

    --

    espo
  37. 0xDA00 by multipartmixed · · Score: 2, Insightful

    ...that would only yield { CR, LF, NUL, NUL } on a system with 4-bit chars.

    And, uh, that would be a hard system to get any real work done on, given that there are way more than 15 characters in the alphabet.

    --

    Do daemons dream of electric sleep()?
    1. Re:0xDA00 by Ex-MislTech · · Score: 1

      Maybe DA00 stands for ...

      Dark Angel 00

      http://www.hackology.com/programs/blackangel/ginfo.shtml

      Ex-MislTech

      --
      google "32 trillion offshore needs IRS attention"
  38. Possibility of Polymorphic by Ex-MislTech · · Score: 2, Interesting

    It is unlikely, but possible, that this is another self-modifying piece of code: a piece of code that re-writes itself after stages of accomplishment.

    Once it has infected, remove the infection method so as to muddle the tracing process.

    Like a honey bee leaving its stinger, but the bee dies.

    Part of the code is left to do its part, part is gone.

    If the guy is as smart as the person that wrote the Mr. Leaves worm then he may have it sending the data to a shell account harvesting on an encrypted network, both encrypted and encoded, and false positives for the gov to find galore.

    Unique approach to be sure.

    Peace,
    Ex-MislTech

    --
    google "32 trillion offshore needs IRS attention"
  39. DA00 = Dark Angel 2000 ???? by Ex-MislTech · · Score: 2, Interesting

    Just a thought here; might check these links below, draw your own conclusions.

    http://www.hackology.com/programs/blackangel/ginfo.shtml

    http://www.sans.org/y2k/123199-945.htm

    Excerpt:

    A new Trojan called "Black Angel 2000" has come to our attention and is in a beta testing phase by a small group of individuals. Check the text below issued by Munga Bunga, taken from alt.2600.hackerz. Speculation from this newsgroup claims it could be a hoax, but it should be taken seriously until proven otherwise.

    Enclosed is an extract of the letter published by Munga Bunga. Apparently, there are some copies of the software in use by beta testers. This group has a web site at http://www.hackology.com which provides more information.

    Stephen checked yesterday with some of the best people in the US and no one appears to have any insight about this new Trojan and its capability.

    It is possible some of the new unknown ports that have been probed in the past week could be associated with this new Trojan. If anyone within the SANS community has noticed any suspicious files, code, etc. that may be associated with this Trojan, please forward copies and any additional information to mailto:handler@incidents.org

    The following is an extract taken from alt.2600.hackerz:

    Dear prospective Black Angel user.

    This document should contain more information regarding the controversially coded program, "Black Angel"!

    Currently I can tell you that apart from the fact that the program is going to be amazing in itself, there shall be 3 new concepts in Black Angel, concepts that have never been exploited in such software before.

    One of those concepts is the ability to send the server file in the form of MyPic.jpg (with a jpg icon and a jpg extension). This isn't a big deal for us, and we are not referring to it as "revolutionary"! The file would look like a .jpg file in all ICQ transfers, Windows Explorer and Windows Properties (etc); even if they have file extension view enabled, it would still fully look the same (MyPic.jpg). We are yet to test its appearance in DCC, and we shall soon. Remember I said the file (server) would look like a .jpg file; that shouldn't explicitly refer to any of the file's true characteristics, properties or attributes! That's all I'll say regarding this concept.

    Remember, we don't think that's a "revolutionary" concept, not at all, it's nothing. Just another concept which would make Black Angel good software.

    The other two concepts relate to the "revolutionary move" that Black Angel is taking. I can not say anything else but the following...

    The second concept is to do with interface development and real time interactivity between the client program and the user. Here, we are taking the coded GUI to a new level, definitely a level that almost all of you have never even seen before! We are trying to make the program as "human" as possible, you can expect to see some amazing features.

    The third concept is to do with hiding your true identity on the Internet; this is by far the most important concept. If you have heard of the freedom project, I can tell you that freedom is NOTHING compared to the "freedom capabilities" of Black Angel! You would be able to do what you never thought possible. In addition, it's all, obviously, free!

    Also, our software is being built from scratch, we are worried about the factor of "time", we are trying to meet the deadline. But it's not easy to code, as you can imagine, and it is not a clone of any other lame software product either (for those of you who made such claims).

    I know there are some copies of Black Angel floating around, please dispose of them immediately, distribution of our beta software would not be gladly looked upon! Feel free to distribute this letter, however, to those who request more information. Current state: I'm finishing up the remote explorer and

    --
    google "32 trillion offshore needs IRS attention"
  40. This is the next thing is spamware. by thogard · · Score: 2, Interesting

    This appears to be research efforts of guys who are working for the big spammers.

    What they want to do is be able to crack, say, 100 well connected servers. Each of those servers will send out packets with a forged source address of the other hacked servers. Some spammers are putting it all in one packet, but it's trivial to have sendmail check the buffer size after the HELO has come in. No real MTA will send anything extra. (Don't confuse this with pipelining, which allows the rest of the data to be sent in one packet.) So now a spammer must send an initial TCP handshake and a HELO packet. If you keep track of the initial sequence number, you can have another server send the rest of the data.

    Most firewalls don't deal with this well. Some MTAs will have issues as well, and it may find ways through spam filters. Keep in mind most firewalls only check the 1st packets, and once the stream is set up, it just passes the packets through without any other checks.

    The solution to this is to get major ISPs to not send packets where both addresses aren't in their space but that will be bad news for dual homed sites.

  41. Re:Opps! Taco's spell checker is in his anus again by Anonymous Coward · · Score: 0

    "And to think they actually get paid for this stuff."

    When you've stopped whining and put years of your life into something, you get to correct mistakes, charge people, whatever.

    Until then, get back in line and STFU.

  42. asteroids? by ChristTrekker · · Score: 1

    I looked at this subject and thought it was about a Trojan asteroid. Me: "Why is this important enough for Slashdot? And why isn't it in the science section?" 55808 was discovered in 1994, but I don't know if it's a Trojan or not.

  43. Listening for this is HARD by billstewart · · Score: 1

    Listening for these things is hard, because they're not something routers are particularly good at, and big core routers are especially not good at it. Listening for IP destinations is easy - core routers usually don't do much more than this, and neither do gateway routers between bigger ISPs. Listening for IP sources is harder, and often burns CPU, and listening for TCP or UDP ports is even more likely to burn router CPU, but is still something routers aren't too bad at. Listening for TCP window size is probably not possible (my Cisco manuals aren't handy right now...). You can do this stuff with TCPDUMP on a computer, but that's not the same thing. Edge routers can do some filtering, because there are more of them and they're handling smaller pipes, but it's still tough to do efficiently.

    Better-managed ISPs do filter incoming packets to make sure they're not spoofing the origin address (there's a relatively efficient hack to do this on Cisco routers), but that's usually an accept-or-drop thing that doesn't make it easy to log more than the number of rejects, not the details about them. That strongly limits the kind of spoofing that an end user can do, though it doesn't kill it entirely (e.g. an end-user with a T1 and a Class C /24 address group can pretend to be any of the 254 host addresses at the site, but can't pretend to be from anywhere else.)

    A better place to measure this kind of data is the customer-premises router or firewall - if the ISP is managing it, then they can do it, or if the customer's managing it themselves, then it's their problem. For DSL users, the router at the POP might be able to do it.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
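
    The source-address filtering that billstewart describes for the customer edge (and that thogard proposes as the ISP-side fix) boils down to one rule: a packet arriving on a customer interface may only carry a source address from the prefixes assigned to that customer. The block below is an added example, not code from this thread or from either poster; the interface names, prefix table and packet records are all constructed. It also tags the TCP window size 55808 that gives the scanner its name, which is the kind of header field a host running tcpdump can match but, as the post notes, a core router generally cannot.

    ```python
    """Customer-edge anti-spoofing audit (added example, constructed data).

    Applies the rule from the thread: on interface X, a packet is legitimate
    only if its source lies inside X's assigned prefixes.  Unknown interfaces
    fail closed.  Besides the accept/drop verdict, every rejected record is
    kept so the operator has the details, not just a reject counter.
    """
    import ipaddress
    from collections import Counter

    # Hypothetical assignment table: customer interface -> allowed source prefixes.
    # A dual-homed customer simply lists more than one prefix here.
    ASSIGNED_PREFIXES = {
        "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
        "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
    }

    # TCP window size the thread discusses as the scanner's fingerprint.
    SUSPECT_WINDOW = 55808

    # Constructed key=value packet records, as a sniffer on the edge might emit
    # them.  These are not real captures.
    SAMPLE_LOG = """\
    iface=cust-a src=203.0.113.7 dst=192.0.2.10 proto=tcp sport=4123 dport=22 win=8192
    iface=cust-a src=10.9.8.7 dst=192.0.2.11 proto=tcp sport=6000 dport=80 win=55808
    iface=cust-b src=198.51.100.200 dst=192.0.2.12 proto=tcp sport=3333 dport=25 win=55808
    iface=cust-b src=198.51.100.44 dst=192.0.2.13 proto=udp sport=53 dport=53
    iface=cust-a src=203.0.113.254 dst=192.0.2.14 proto=tcp sport=1025 dport=443 win=55808
    """


    def parse_record(line):
        """Turn one 'k=v k=v ...' line into a dict with typed src/win fields."""
        fields = dict(tok.split("=", 1) for tok in line.split())
        return {
            "iface": fields["iface"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": fields["dst"],
            "proto": fields["proto"],
            # UDP records carry no window; keep None rather than guessing.
            "win": int(fields["win"]) if "win" in fields else None,
        }


    def source_allowed(iface, src):
        """BCP38-style check: is src inside any prefix assigned to iface?"""
        prefixes = ASSIGNED_PREFIXES.get(iface)
        if prefixes is None:
            return False  # unassigned interface: fail closed
        return any(src in prefix for prefix in prefixes)


    def classify(rec):
        """Return the list of reasons a record is suspicious (empty = clean)."""
        reasons = []
        if not source_allowed(rec["iface"], rec["src"]):
            reasons.append("spoofed-source")
        if rec["win"] == SUSPECT_WINDOW:
            reasons.append("win-55808")
        return reasons


    def audit(log_text):
        """Classify every record; return per-record verdicts and per-interface counts."""
        verdicts = []
        counts = Counter()
        for line in log_text.splitlines():
            if not line.strip():
                continue
            rec = parse_record(line)
            reasons = classify(rec)
            verdicts.append((rec["iface"], str(rec["src"]), tuple(reasons)))
            for reason in reasons:
                counts[(rec["iface"], reason)] += 1
        return verdicts, counts


    if __name__ == "__main__":
        verdicts, counts = audit(SAMPLE_LOG)
        for iface, src, reasons in verdicts:
            print(f"{iface:7} {src:16} {'DROP' if 'spoofed-source' in reasons else 'ok  '} {', '.join(reasons)}")
        for (iface, reason), n in sorted(counts.items()):
            print(f"{iface} {reason}: {n}")
    ```

    Two limits of the check are exactly the ones the post raises: a source inside the customer's own /24 is accepted no matter which host really sent it, so spoofing within the assigned block is invisible here, and the window-size tag is only available because the record came from a host-based sniffer rather than from the router's own forwarding path.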
  44. ... sell karma on eBay .... by billstewart · · Score: 1

    You're missing the "sell karma on eBay" step which lets you get to "... Profit!!"

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  45. 8. multi vector. by oliverthered · · Score: 1

    The worm should use as many propagation methods as possible.

    General worminess.
    Mass mailing.
    Embedding in HTML files.
    Even macro viruses.

    6. On polymorphism, why not get the worm to recompile itself if it finds a compiler on the host.

    --
    thank God the internet isn't a human right.