55808 Trojan Analysis
espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq. The good news (I guess?) is that apparently it is just a proof-of-concept distributed scanner. The bad news is they think they just caught a copycat version of the original trojan. ISS also has an analysis."
So the obvious question that nobody is asking is, "who is installing this thing on all these servers?". It would have to be either (a) one guy with access to Unix servers all over the world, (b) a conspiracy of people who have such access, or (c) somebody is hacking into these servers to install the trojan - which seems like a much more newsworthy story, I would think.
Can somebody explain?
Maybe this guy is looking for something? 224 and up are used for only god knows what.
Candy-Coated Knowledge
Hmm.
The point of the parent was not that the Internet is not 100% secure.
Ever heard of the following project?? Some good coders that got bored… Care to imagine what would happen to your daily life and work if the Internet dissolved into chaos for a week or so?
This kind of thought would make the worms and such that we have seen till now the kids' toys they are.
Over a year ago, with a couple of friends, we started writing a project, called
'Samhain' (days ago, on packetstorm, I noticed a cute program with the same name -
in fact it's not the same app, just a coincidence ;). We wanted to see if
it's difficult to write a deadly harmful Internet worm, probably much more
dangerous than Morris's worm. Our goals:
1: Portability - worm must be architecture-independent, and should work on
different operating systems (in fact, we focused on Unix/Unix-alikes, but
developed even DOS/Win code).
2: Invisibility - worm must implement stealth/masquerading techniques to hide
itself in live system and stay undetected as long as it's possible.
3: Independence - worm must be able to spread autonomously, with no user
interaction, using built-in exploit database.
4: Learning - worm should be able to learn new exploits and techniques
instantly; by launching one instance of updated worm, all other worms,
using special communication channels (wormnet), should download updated
version.
5: Integrity - single worms and wormnet structure should be really difficult
to trace and modify/intrude/kill (encryption, signing).
6: Polymorphism - worm should be fully polymorphic, with no constant
portion of (specific) code, to avoid detection.
7: Usability - worm should be able to realize chosen mission objectives -
e.g. infect chosen system, then download instructions, and, when
mission is completed, simply disappear from all systems.
It is unlikely, but possible, that this is another self-modifying piece of code. A piece of code that re-writes itself after stages of accomplishment. Once it has infected, remove the infection method so as to muddle the tracing process. Like a honey bee leaving its stinger, but the bee dies. Part of the code is left to do its part, part is gone.
If the guy is as smart as the person that wrote the Mr. Leaves worm, then he may have it sending the data to a shell account harvesting on an encrypted network, both encrypted and encoded, and false positives for the gov to find galore.
Unique approach to be sure
Peace,
Ex-MislTech
google "32 trillion offshore needs IRS attention"
just a thought here, might check these links below.
draw your own conclusions
http://www.hackology.com/programs/blackangel/gin fo
http://www.sans.org/y2k/123199-945.htm
Excerpt:
A new Trojan called "Black Angel 2000" has come to our attention and is in a beta testing phase by a small group of individuals. Check the text below issued by Munga Bunga, taken from alt.2600.hackerz. Speculation from this newsgroup claims it could be a hoax, but it should be taken seriously until proven otherwise.
Enclosed is an extract of the letter published by Munga Bunga. Apparently, there are some copies of the software in use by beta testers. This group has a web site at http://www.hackology.com which provides more information.
Stephen checked yesterday with some of the best people in the US and no one appears to have any insight about this new Trojan and its capability.
It is possible some of the new unknown ports that have been probed in the past week could be associated with this new Trojan. If anyone within the SANS community has noticed any suspicious files, code, etc. that may be associated with this Trojan, please forward copies and any additional information to mailto:handler@incidents.org
The following is an extract taken from alt.2600.hackerz:
Dear prospective Black Angel user.
This document should contain more information regarding the controversially coded program, "Black Angel"!
Currently I can tell you that apart from the fact that the program is going to be amazing in itself, there shall be 3 new concepts in Black Angel, concepts that have never been exploited in such software before.
One of those concepts is the ability to send the server file in the form of MyPic.jpg (with a jpg icon and a jpg extension). This isn't a big deal for us, and we are not referring to it as "revolutionary"! The file would look like a .jpg file in all ICQ transfers, Windows Explorer and Windows Properties (etc), even if they have file extension view enabled; it would still fully look the same (MyPic.jpg). We are yet to test its appearance in DCC, and we shall soon. Remember I said the file (server) would look like a .jpg file, that shouldn't explicitly refer to any of the file's true characteristics, properties or attributes! That's all I'll say regarding this concept.
Remember, we don't think that's a "revolutionary" concept, not at all, it's nothing. Just another concept which would make Black Angel good software.
The other two concepts relate to the "revolutionary move" that Black Angel is taking. I can not say anything else but the following...
The second concept is to do with interface development and real time interactivity between the client program and the user. Here, we are taking the coded GUI to a new level, definitely a level that almost all of you have never even seen before! We are trying to make the program as "human" as possible, you can expect to see some amazing features.
The third concept is to do with hiding your true Identity on the Internet this is by far the most important concept. If you have heard of the freedom project, I can tell you that freedom is NOTHING compared to the "freedom capabilities" of Black Angel! You would be able to do, what you never thought possible. In addition, it's all, obviously free!
Also, our software is being built from scratch, we are worried about the factor of "time", we are trying to meet the deadline. But it's not easy to code, as you can imagine, and it is not a clone of any other lame software product either (for those of you who made such claims).
I know there are some copies of Black Angel floating around, please dispose of them immediately, distribution of our beta software would not be gladly looked upon! Feel free to distribute this letter, however, to those who request more information. Current state: I'm finishing up the remote explorer and
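The letter above sells the trick of shipping the trojan "server" as MyPic.jpg, which beats the file-extension view but not a look at the bytes. The following is an added example, not code from the thread or from "Black Angel": it sniffs the leading bytes of each file and flags names with an image extension whose content is actually a PE, DOS or ELF executable. The sample contents are constructed headers (a JFIF start, a minimal MZ/PE stub, an ELF magic), not real files, and the names and helper functions are assumptions for illustration.

```python
import os

# Added example (not code from the Slashdot thread or from "Black Angel"):
# an executable renamed MyPic.jpg keeps its magic bytes, so check content,
# not the name. All sample data below is constructed for this example.

def build_pe_stub() -> bytes:
    """Constructed minimal Win32 PE header: a 64-byte MZ DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature. It is only
    the magic of an executable, not a runnable program."""
    buf = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    buf[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    buf += b"PE\x00\x00"                           # PE signature at 0x40
    return bytes(buf)

# Constructed samples keyed by the name the file would be delivered under.
SAMPLES = {
    "MyPic.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16,  # genuine JPEG start
    "MyPic2.jpg": build_pe_stub(),                                         # PE under a .jpg name
    "holiday.JPEG": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,              # ELF under an image name
    "notes.txt": b"plain text, no magic at all",
}

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
EXECUTABLE_KINDS = {"pe", "dos-executable", "elf"}

def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes rather than by its name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ":
        # Walk e_lfanew to confirm a PE signature; a bare MZ header is still
        # a DOS executable and still not a picture.
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "dos-executable"
    return "unknown"

def disguised_executables(files: dict[str, bytes]) -> dict[str, str]:
    """Return {name: sniffed kind} for files whose extension claims an image
    but whose content is an executable."""
    found = {}
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()   # case-insensitive, as Windows is
        kind = sniff(data)
        if ext in IMAGE_EXTS and kind in EXECUTABLE_KINDS:
            found[name] = kind
    return found

if __name__ == "__main__":
    for name, kind in disguised_executables(SAMPLES).items():
        print(f"{name}: extension says image, content is {kind}")
```

The check is deliberately about content, because the icon and the extension are both under the sender's control; the same idea applies to any transfer path the letter mentions (ICQ, DCC), since the bytes on disk are what the receiver ends up double-clicking.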
Indeed, but it seems to be sending them almost randomly across the internet...
Why does it need another trojan to do the job? If it's listening in on the network, why not just send a packet to the host it wants to find information about? Sure, it can still forge the source IP address (hence stay just as anonymous), but that would be a much more efficient method of scanning hosts, rather than sitting around and waiting until some other trojan elsewhere just happens to luck out and hit a machine on a network with another trojan. Of course, I'm assuming there is no central coordination between them... If there is, that would be a very good system (but then they could be traced to a single point).
I really don't see why... Send a message to the largest ISPs, and tell them to be listening for all packets that match the description that are _outbound_. Once they've found one, the ISP can obviously determine where it really came from, and get a copy of everything on the source computer. Seems like that would be easy enough to track down. I'll be logging all packets that fit the bill myself, but with most of my systems on private IPs, I don't suspect I'll have very much luck.
This appears to be the research efforts of guys who are working for the big spammers.
What they want to do is be able to crack, say, 100 well-connected servers. Each of those servers will send out packets with a forged source address of the other hacked servers. Some spammers are putting it all in one packet, but it's trivial to have sendmail check the buffer size after the HELO has come in. No real MTA will send anything extra. (Don't confuse this with pipelining, which allows the rest of the data to be sent in one packet.) So now a spammer must send an initial TCP handshake and a HELO packet. If you keep track of the initial sequence number, you can have another server send the rest of the data.
Most firewalls don't deal with this well. Some MTAs will have issues as well, and it may find ways through spam filters. Keep in mind most firewalls only check the first packets, and once the stream is set up, they just pass the packets through without any other checks.
The solution to this is to get major ISPs to not send packets where both addresses aren't in their space, but that will be bad news for dual-homed sites.
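The comment above describes a stream being split across two hosts: one cracked server does the handshake and HELO, and a second one, knowing the sequence number, injects the rest under the first one's forged source address, past a firewall that only inspects the first packets. The following is an added example, not code from the thread: a small sensor-side checker that keeps per-flow state beyond the handshake and flags a mid-stream segment whose sequence number fits but whose IP TTL differs from the SYN's (a different origin host almost always means a different hop count), plus the ISP-side egress check the comment proposes. The segment records, the trace, the addresses and the prefix are all constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not code from the thread). Segment records are constructed
# here; field names, addresses and the trace are assumptions for illustration.

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "A", "PA" ... (client->server direction only here)
    ttl: int            # IP TTL as seen at the sensor
    seq: int
    payload: bytes = b""

@dataclass
class FlowState:
    syn_ttl: int        # TTL the SYN arrived with
    next_seq: int       # next sequence number the real client should send

class StreamConsistencyChecker:
    """Keeps per-flow state past the handshake, which is exactly what the
    'first packets only' firewall in the text does not do. A segment whose
    sequence number fits but whose TTL differs from the SYN's very likely
    took a different path, i.e. was sent by a different host."""

    def __init__(self) -> None:
        self.flows: dict[tuple[str, int, str, int], FlowState] = {}

    def observe(self, seg: Segment) -> list[str]:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if "S" in seg.flags and "A" not in seg.flags:   # client SYN opens the flow
            self.flows[key] = FlowState(syn_ttl=seg.ttl, next_seq=seg.seq + 1)
            return []
        st = self.flows.get(key)
        if st is None:
            return [f"{key}: mid-stream segment with no tracked handshake"]
        alerts = []
        if seg.ttl != st.syn_ttl:
            alerts.append(f"{key}: TTL {seg.ttl} differs from SYN TTL {st.syn_ttl}; "
                          f"segment likely injected from another host")
        if seg.seq != st.next_seq:
            alerts.append(f"{key}: seq {seg.seq} but expected {st.next_seq}")
        else:
            st.next_seq += len(seg.payload)
        return alerts

# Constructed trace: 198.51.100.10 is the first cracked server (its packets reach
# the sensor with TTL 57), 203.0.113.25 is the target MTA. The last segment
# carries the same forged source and the right sequence number, but a TTL of 49.
TRACE = [
    Segment("198.51.100.10", 40000, "203.0.113.25", 25, "S",  57, 1000),
    Segment("198.51.100.10", 40000, "203.0.113.25", 25, "A",  57, 1001),
    Segment("198.51.100.10", 40000, "203.0.113.25", 25, "PA", 57, 1001, b"HELO mail.example\r\n"),
    Segment("198.51.100.10", 40000, "203.0.113.25", 25, "PA", 49, 1020, b"MAIL FROM:<spam@example>\r\n"),
]

def run_trace(trace: list[Segment] = TRACE) -> list[str]:
    """Feed a trace through the checker and collect every alert it raises."""
    chk = StreamConsistencyChecker()
    alerts: list[str] = []
    for seg in trace:
        alerts.extend(chk.observe(seg))
    return alerts

def egress_violations(segments: list[Segment], own_prefixes: list[str]) -> list[Segment]:
    """The ISP-side fix suggested above: outbound packets whose source is not
    in the provider's own space. Multihomed customers that legitimately source
    other prefixes need those prefixes added to own_prefixes, or they break."""
    nets = [ip_network(p) for p in own_prefixes]
    return [s for s in segments if not any(ip_address(s.src) in n for n in nets)]

if __name__ == "__main__":
    for a in run_trace():
        print("ALERT", a)
    # The forged segment as seen leaving the second server's ISP (assumed 192.0.2.0/24).
    for s in egress_violations([TRACE[3]], ["192.0.2.0/24"]):
        print("EGRESS", s.src, "not in provider space")
```

The TTL comparison is a heuristic, not proof: an attacker who knows the first server's hop count to the target can set the forged packets' TTL to match, and legitimate route changes mid-connection will produce the occasional false alert. The egress check has no such weakness for the single-homed case, which is why the comment pairs it with the caveat about dual-homed sites.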