Slashdot Mirror
55808 Trojan Analysis
espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq . The good news (i guess?) is that apparentally it is just a proof of concept distributed scanner. The bad news is they think they just caught a copycat version of the origional trojan. ISS also has an analysis."
Timothy published related information this morning. Perhaps "55808" is attempting to locate Slashdot duplicates. ;-)
Do you like German cars?
In that as a port scanner normally has to set the desitantion address on the packets to itself to get the results. Along with this packet it also might send out 100's of spoofs. This one on the other hand send out nothing but forged packets
However as its listening in promiscous mode it detects other packets from other trojans that have the network its on as the spoof address and the collects those results.
This is what makes its so hard to find,for one reaons
Rus
Cheap UK and US VPS
If You have enough IPs, You'll see the gimmick ...
1. Use the same fucking joke over and over.
2. ???
3. Jackass!
Someday, I'll have a real sig.
Their "flagship," the S.S.BOB
Uh that's a de-leetified 55808 BTW
taken! (by Davidleeroth) Thanks Bingo Foo!
The information we've been able to gather leads us to believe that the new article we're seeing is not the original source of the odd Slashdot-generated traffic that has been seen on the Internet, but is rather a "copycat", created to mimic the behavior of another article or story.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
1. Spot duplicate story on Slashdot
2. Copy highly moderated comment from previous story
3. ???
4. KARMA!!
Check out http://news.com.com/2100-1002_3-1019759.html?tag=f d_top about this. Looks like there are some conflicting claims about what this trojan is.
So the obvious question that nobody is asking is, "who is installing this thing on all these servers?". It would have to be either (a) one guy with access to Unix servers all over the world, (b) a conspiracy of people who have such access, or (c) somebody is hacking into these servers to install the trojan - which seems like a much more newsworthy story, I would think.
Can somebody explain?
"...ISS also has an analysis."
They can perform packet sniffing and analysis from orbit?
Geez, and to all you naysayers who claim that a reduced two-man crew could not get any science done!
Mabye this guy is looking for something? 224 and up are used for only god knows what.
Candy-Coated Knowledge
What I find most amazing is not that these exploits, worms, and trojans exist, or even that there are so many, but rather that there are so few.
We can all thank our favorite dieties (cowboy Neal included) that economics work out such that those who are most capable of writing a true "nutbuster" malware are typically getting paid to write something more productive!
Most of these worms and viruses are pretty lame - I read someplace that over 90% of worms and viruses never propogate enough to be "viable" - they are too ineffective to spread.
The Internet is an amazingly powerful communications medium - but putting your stuff online is somewhat analogous to putting your stuff in the heart of Harlem - since everywhere has a "front door" there.
The state of security on the Internet is bad, and will get worse before it gets better.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Doing a whois on the trojans default IP (12.108.65.76) if it fails to connect and deliver its list yeilds:
AT&T WorldNet Services
12.0.0.0 - 12.255.255.255
MAY SYSTEMS DBA INTERNET CAFFE
12.108.65.64 - 12.108.65.127
C|N>K
I'm sick of all of the security breaches in Linux. I'm going back to the warmth and security om MS Windows!
Y.A.W.B.T.B (Yet Another Windows Bigot To Be)
-- Many men would appreciate a woman's mind more if they could fondle it
-- ;-)
Kuro5hin.org: where the good times never end.
Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linu x.typot.html.
Q: "Why do sound techs say 'check 1, 2'?"
A: "Cause if they could count any higher they'd be lighting techs."
If its very widespread (I not did yet the tcpdump trick :) could mean that it could be attached to something in some way popular, or that is in fact a worm (i.e. taking advantage of some vulnerability to spread, and then do the scanning).
I don't think my life would be noticeably different if the Internet were 100% secure tomorrow
Just because you personally aren't suffering from security problems right now means a secure internet wouldn't appear to change things much, but wait until you've been hit with a security related problem that wasted a week of time / lost you $1,000 / lost you your job / destroyed your credit rating / etc. - suddenly a secure internet becomes much more appealing.
I don't want to sound like I'm being harsh on you, but compare your statement to an extreme like "I don't think immortality is a big thing - I mean, I've been alive 35 years and I haven't died yet..."
I spent a lot of money on booze, birds and fast cars. The rest I just squandered. - George Best
Press Release Number Two: Bill's Bait Shop will now refer to their worms as "Fancy Pink Wriggling Fish Food". Bill's Bait Shop, in an effort to distance itself from the "worms" in the cyber world will now refer to their fine product as "Fancy Pink Wriggling Fish Food".
Harpo Tunnel Syndrome--my wrist feels funny.
Hmm.
...that would only yield { CR, LF, NUL, NUL } on a system with 4-bit chars.
And, uh, that would be a hard system to get any real work done on, given that there are way more than 15 characters in the alphabet.
Do daemons dream of electric sleep()?
The point of the parent was not that the Internet is not 100% secure.
;). We wanted to see if
Ever heard of the following project?? Some good coders that got board⦠Care to imagine that would happen to your daily life and work if the Internet dissolved into chaos for a week or so?
This kind of thought would make the worms and such that we have seen till now the kids toys they are.
Over year ago, with couple of friends, we started writing a project, called
'Samhain' (days ago, on packetstorm, I noticed cute program with same name -
in fact it's not the same app, just a coincidence
it's difficult to write deadly harmful Internet worm, probably much more
dangerous than Morris's worm. Our goals:
1: Portability - worm must be architecture-independent, and should work on
different operating systems (in fact, we focused on Unix/Unix-alikes, but
developed even DOS/Win code).
2: Invisibility - worm must implement stealth/masquerading techniques to hide
itself in live system and stay undetected as long as it's possible.
3: Independence - worm must be able to spread autonomically, with no user
interaction, using built-in exploit database.
4: Learning - worm should be able to learn new exploits and techniques
instantly; by launching one instance of updated worm, all other worms,
using special communication channels (wormnet), should download updated
version.
5: Integrity - single worms and wormnet structure should be really difficult
to trace and modify/intrude/kill (encryption, signing).
6: Polymorphism - worm should be fully polymorphic, with no constant
portion of (specific) code, to avoid detection.
7: Usability - worm should be able to realize chosen mission objectives -
eg. infect chosen system, then download instructions, and, when
mission is completed, simply disappear from all systems.
It is unlikely, but possible that this is another self .
.
.
.
.
.
modify piece of code . A piece of code that re-writes
itself after stages of accomplishment
Once has has infected, remove the infection method so
as to muddle the tracing process
Like a honey bee leaving it's stinger, but the bee dies
Part of the code is left to do its part, part is gone
If the guy is as smart as the person that wrote the Mr. Leaves
worm then he may have it sending the data to a shell account
harvesting on a encrypted network, both encrypted and encoded,
and false positives for the gov to find galore
Unique approach to be sure
Peace,
Ex-MislTech
google "32 trillion offshore needs IRS attention"
just a thought here , might check these links below, .
.shtml
.jpg file in all ICQ transfers, Windows Explorer and Windows Properties (etc), even if they have file extension view enabled, it would still fully look the same (MyPic.jpg). We are yet to test it's appearance in DCC, and we shall soon. Remember I said the file (server) would look like a .jpg file, that shouldn't explicitly refer to any of the files true characteristics, properties or attributes! That's all I'll say regarding this concept.
draw your own conclusions
http://www.hackology.com/programs/blackangel/gin fo
http://www.sans.org/y2k/123199-945.htm
Excerpt:
A new Trojan called "Black Angel 2000" has come to our attention and in a beta testing phase by a small group of individuals. Check the text below issued by Munga Bunga taken from alt.2600.hackerz. Speculations from this newsgroup claims it could be a hoax but it is should be taken seriously until proven otherwise.
Enclosed is an extract of the letter published by Mumga Bunga. Apparently, there are some copies of the software in use by beta testers. This group has a web site at http://www.hackology.com which provides more information.
Stephen checked yesterday with some of the best people in the US and no one appears to have any insight about this new Trojan and its capability.
It is possible some of the new unknown ports that have been probed in the past week could be associated with this new Trojan. If anyone within the SANS community have noticed any suspicious files, code, etc that maybe associated with this Trojan, please forward copies and any additional information to mailto:handler@incidents.org
The following is an extract taken from alt.2600.hackerz:
Dear prospective Black Angel user.
This document should contain more information regarding the controversially coded program, "Black Angel"!
Currently I can tell you that apart from the fact that the program is going to be amazing in itself, there shall be 3 new concepts in Black Angel,concepts that have never been exploited in such software before.
One of those concepts is the ability to send the server file in the form of MyPic.jpg (with a jpg icon and a jpg extension). This isn't a big deal for us, and we are not referring to it as "revolutionary"! The file would look like a
Remember, we don't think that's a "revolutionary" concept, not at all, it's nothing. Just another concept which would make Black Angel good software.
The other two concepts relate to the "revolutionary move" that Black Angel is taking. I can not say anything else but the following...
The second concept is to do with interface development and real time interactivity between the client program and the user. Here, we are taking the coded GUI to a new level, definitely a level that almost all of you have never even seen before! We are trying to make the program as "human" as possible, you can expect to see some amazing features.
The third concept is to do with hiding your true Identity on the Internet this is by far the most important concept. If you have heard of the freedom project, I can tell you that freedom is NOTHING compared to the "freedom capabilities" of Black Angel! You would be able to do, what you never thought possible. In addition, it's all, obviously free!
Also, our software is being built from scratch, we are worried about the factor of "time", we are trying to meet the deadline. But it's not easy to code, as you can imagine, and it is not a clone of any other lame software product either (for those of you who made such claims).
I know there are some copies of Black Angel floating around, please dispose of them immediately, distribution of our beta software would not be gladly looked upon! Feel free to distribute this letter, however, to those who request more information. Current state: I'm finishing up the remote explorer and
google "32 trillion offshore needs IRS attention"
This appears to be research efforts of guys who are working for the big spamers.
What they want to do is be able to crack say 100 well connected servers. Each of those servers will send out packets with a forged source address of the other hacked servers. Some spamers are putting it all in one packet but its trivial to have sendmail check the buffer size after the HELO has come it. No real MTA will send anything extra. (Don't confuse this with Pipelining which allows the rest of the data to be sent in one packet). So now a spamer must send an inital tcp handshake and a HELO packet. If you keep track of the inital sequence number, you can have another server send the rest of the data.
Most firewalls don't deal with this well. Some MTA's will have issues as well and it may find ways through spam filters. Keep in mind most firewalls only check the 1st packets and once the stream is set up, it just passes the packets through without any other checks.
The solution to this is to get major ISPs to not send packets where both addresses aren't in their space but that will be bad news for dual homed sites.