Slashdot Mirror


55808 Trojan Analysis

espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq. The good news (I guess?) is that apparently it is just a proof-of-concept distributed scanner. The bad news is they think they just caught a copycat version of the original trojan. ISS also has an analysis."

7 of 118 comments

  1. This is quite a clever trojan by rf0 · · Score: 5, Informative

    In that a port scanner normally has to set the destination address on the packets to itself to get the results. Along with this packet it also might send out hundreds of spoofs. This one, on the other hand, sends out nothing but forged packets.

    However, as it is listening in promiscuous mode, it detects other packets from other trojans that have the network it's on as the spoof address and then collects those results.

    This is what makes it so hard to find, for one reason.

    Rus

  2. DoItYourself by graf0z · · Score: 5, Informative
    Analyse (like here) the target IPs & ports for yourself:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &

    If You have enough IPs, You'll see the gimmick ...

    /graf0z.

    1. Re:DoItYourself by graf0z · · Score: 2, Informative
      Just in case you are serious: you need tcpdump (and screen) to be installed for that command line to work. Instead, install a packet sniffer of your choice (like windump) and tell it to grab TCP packets with the TCP header "window size" set to 55808.

      You could avoid a lot of trouble if you installed a more usable operating system first. I expect a networking OS distribution to ship with a packet sniffer.

      /graf0z.
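An offline version of the check graf0z describes, added here as an example and not code from the thread or from any of the linked analyses: it applies the same test as the tcpdump filter `tcp[14:2] = 55808` (bytes 14-15 of the TCP header, the window size) to raw IPv4/TCP packets, then tallies source addresses and probed ports, which is the interesting part given rf0's point that the scanner sends forged-source packets and collects replies promiscuously. The packets, addresses and ports below are constructed for illustration; nothing here is taken from a real capture.

```python
"""Flag TCP segments whose window size is 55808, the value the thread's tcpdump
filter 'tcp and tcp[14:2] = 55808' matches on.

Added example. The sample packets at the bottom are constructed, not captured.
"""
import socket
import struct
from collections import Counter

MARKER_WINDOW = 55808  # TCP window size used as the marker (from the thread)
IPPROTO_TCP = 6


def build_packet(src, dst, sport, dport, window, flags=0x02):
    """Build a minimal IPv4 + TCP packet (20-byte headers, no options, no
    payload, SYN flag by default). Constructed for the example; checksums are
    left at zero because the parser does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(pkt):
    """Return (src, dst, sport, dport, window) for an IPv4/TCP packet, or None
    for anything else or anything too short to carry both headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes (IHL * 4)
    if pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    # BPF 'tcp[14:2]': two bytes at offset 14 of the TCP header = window size
    window = struct.unpack("!H", tcp[14:16])[0]
    return src, dst, sport, dport, window


def find_marker_packets(packets):
    """Return the parsed tuples whose TCP window equals MARKER_WINDOW."""
    hits = []
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed and parsed[4] == MARKER_WINDOW:
            hits.append(parsed)
    return hits


def summarize(hits):
    """Count source addresses and destination ports among the hits. Because the
    scanner forges its source addresses, the per-source counts say little
    about the sender; the port distribution is what shows the scan pattern."""
    return Counter(h[0] for h in hits), Counter(h[3] for h in hits)


# Constructed sample traffic: three marker SYNs from two (forged) sources and
# one ordinary SYN with a normal window size.
SAMPLE_PACKETS = [
    build_packet("198.51.100.7", "203.0.113.10", 40000, 22, MARKER_WINDOW),
    build_packet("198.51.100.8", "203.0.113.11", 40001, 80, MARKER_WINDOW),
    build_packet("192.0.2.1", "203.0.113.10", 50000, 443, 65535),
    build_packet("198.51.100.7", "203.0.113.12", 40002, 25, MARKER_WINDOW),
]

if __name__ == "__main__":
    hits = find_marker_packets(SAMPLE_PACKETS)
    by_src, by_port = summarize(hits)
    for src, dst, sport, dport, window in hits:
        print(f"{src}:{sport} -> {dst}:{dport} win={window}")
    print("sources:", dict(by_src))
    print("ports:", dict(by_port))
```

To run this over a real capture, feed `find_marker_packets` the IP payloads of the frames in the dump (for Ethernet, strip the 14-byte link header first); the window test is exactly what the tcpdump filter above does, so the two should agree on which packets are flagged.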

  3. CNet article notes conflicting claims by Anonymous Coward · · Score: 3, Informative

    Check out http://news.com.com/2100-1002_3-1019759.html?tag=fd_top about this. Looks like there are some conflicting claims about what this trojan is.

  4. Re:As silly as it may sound... by AndroidCat · · Score: 2, Informative

    Port 224? I don't recall any article mentioning port numbers, other than the program trying services not available. As for what those ports are used for, God and the IANA know, like here. (Of course, since there are no assigned l33t haxor ports, they tend to use whatever they want to.)

    --
    One line blog. I hear that they're called Twitters now.
  5. now this is weird... by inode_buddha · · Score: 2, Informative

    Doing a whois on the trojan's default IP (12.108.65.76), used if it fails to connect and deliver its list, yields:

    AT&T WorldNet Services
    12.0.0.0 - 12.255.255.255

    MAY SYSTEMS DBA INTERNET CAFFE
    12.108.65.64 - 12.108.65.127

    --
    C|N>K
  6. SARC writeup here.... by VCAGuy · · Score: 4, Informative

    Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linux.typot.html.

    --
    Q: "Why do sound techs say 'check 1, 2'?"
    A: "Cause if they could count any higher they'd be lighting techs."