Slashdot Mirror


55808 Trojan Analysis

espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq. The good news (I guess?) is that apparently it is just a proof of concept distributed scanner. The bad news is they think they just caught a copycat version of the original trojan. ISS also has an analysis."

2 of 118 comments

  1. It's just amazing by mcrbids · Score: 4, Insightful

    What I find most amazing is not that these exploits, worms, and trojans exist, or even that there are so many, but rather that there are so few.

    We can all thank our favorite deities (cowboy Neal included) that economics work out such that those who are most capable of writing a true "nutbuster" malware are typically getting paid to write something more productive!

    Most of these worms and viruses are pretty lame - I read someplace that over 90% of worms and viruses never propagate enough to be "viable" - they are too ineffective to spread.

    The Internet is an amazingly powerful communications medium - but putting your stuff online is somewhat analogous to putting your stuff in the heart of Harlem - since everywhere has a "front door" there.

    The state of security on the Internet is bad, and will get worse before it gets better.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  2. Distribution method? by gmuslera · Score: 3, Insightful

    This is not a virus, nor a worm. How can one be, er... "infected" by this worm? Is it already available in rootkits? Or distributed with another innocent-looking program? This looks like it needs to be run as root, so it has very few ways to spread, mostly depending on the bad behaviour of the system administrator.

    If it's very widespread (I have not yet done the tcpdump trick :) it could mean that it could be attached to something in some way popular, or that it is in fact a worm (i.e. taking advantage of some vulnerability to spread, and then doing the scanning).