Slashdot Mirror

← Back to Stories (view on slashdot.org)

55808 Trojan Analysis

Posted by CmdrTaco on from the crawling-about-in-the-digital-wild dept.

espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq . The good news (i guess?) is that apparentally it is just a proof of concept distributed scanner. The bad news is they think they just caught a copycat version of the origional trojan. ISS also has an analysis."

3 of 118 comments (clear)

  1. This is quite a clever trojan by rf0 · · Score: 5, Informative

    In that as a port scanner normally has to set the desitantion address on the packets to itself to get the results. Along with this packet it also might send out 100's of spoofs. This one on the other hand send out nothing but forged packets

    However as its listening in promiscous mode it detects other packets from other trojans that have the network its on as the spoof address and the collects those results.

    This is what makes its so hard to find,for one reaons

    Rus

    --
    Cheap UK and US VPS
  2. DoItYourself by graf0z · · Score: 5, Informative
    Analyse (like here ) the target IPs & ports for Yourself:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &

    If You have enough IPs, You'll see the gimmick ...

    /graf0z.

  3. SARC writeup here.... by VCAGuy · · Score: 4, Informative

    Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linu x.typot.html.

    --
    Q: "Why do sound techs say 'check 1, 2'?"
    A: "Cause if they could count any higher they'd be lighting techs."