Slashdot Mirror


55808 Trojan Analysis

espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq. The good news (I guess?) is that apparently it is just a proof of concept distributed scanner. The bad news is they think they just caught a copycat version of the original trojan. ISS also has an analysis."

12 of 118 comments

  1. Related Information by Scoria · · Score: 5, Funny

    Timothy published related information this morning. Perhaps "55808" is attempting to locate Slashdot duplicates. ;-)

    --
    Do you like German cars?
  2. This is quite a clever trojan by rf0 · · Score: 5, Informative

    In that a port scanner normally has to set the destination address on the packets to itself to get the results. Along with this packet it also might send out 100's of spoofs. This one on the other hand sends out nothing but forged packets.

    However, as it's listening in promiscuous mode, it detects other packets from other trojans that have the network it's on as the spoof address, and then collects those results.

    This is what makes it so hard to find, for one reason.

    Rus

  3. DoItYourself by graf0z · · Score: 5, Informative
    Analyse (like here) the target IPs & ports for Yourself:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &

    If You have enough IPs, You'll see the gimmick ...

    /graf0z.
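    The tcpdump filter in graf0z's post works because `tcp[14:2]` is the 16-bit TCP window field, and the scanner described in rf0's post marks every forged packet with a window of 55808. The following is an added example, not code from either poster or from the Bugtraq/ISS analyses: a small Python parser that reads the same bytes the BPF filter reads and flags matching packets. Because the source addresses are forged (the point of rf0's comment), it tallies hits by destination and port rather than by source. The frames are constructed inline with a helper; nothing here is captured traffic, and the hostnames and addresses are illustrative placeholders.

```python
import struct
from collections import Counter

# Same value the BPF expression 'tcp[14:2] = 55808' matches on: the TCP window field.
MARKER_WINDOW = 55808


def ip_to_bytes(ip):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(x) for x in ip.split("."))


def build_frame(src_ip, dst_ip, sport, dport, window, flags=0x02):
    """Build a minimal Ethernet II / IPv4 / TCP frame (no options, checksums left zero).
    Used only to construct sample input for this example; flags=0x02 is a bare SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src, dst, sport, dport, window) for an Ethernet/IPv4/TCP frame,
    or None for anything that is not a complete IPv4 TCP packet."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None                    # not IPv4, not TCP, or truncated
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    window = struct.unpack("!H", tcp[14:16])[0]   # exactly the bytes tcp[14:2] reads
    return src, dst, sport, dport, window


def find_marker_packets(frames, marker=MARKER_WINDOW):
    """Filter a list of raw frames down to those carrying the marker window value."""
    return [p for p in (parse_frame(f) for f in frames) if p and p[4] == marker]


def summarize(hits):
    """Count hits per (destination, port). Source addresses are forged in this
    traffic, so grouping by source would only count the spoofed decoys."""
    return Counter((dst, dport) for (_, dst, _, dport, _) in hits)


# Constructed sample capture: three marker SYNs with different forged sources
# aimed at two hosts, plus one ordinary SYN that must not match.
SAMPLE_FRAMES = [
    build_frame("10.9.8.7", "192.0.2.10", 40000, 22, 55808),
    build_frame("172.16.5.5", "192.0.2.10", 40001, 22, 55808),
    build_frame("198.51.100.3", "192.0.2.11", 40002, 80, 55808),
    build_frame("192.0.2.50", "192.0.2.10", 50000, 443, 65535),
]

if __name__ == "__main__":
    for (dst, dport), n in sorted(summarize(find_marker_packets(SAMPLE_FRAMES)).items()):
        print(f"{dst}:{dport} probed {n} time(s) with window {MARKER_WINDOW}")
```

    Feeding it a real capture means reading frames out of the `/tmp/55808.dump` file from the tcpdump line above (for example with a pcap library), which is left out here to keep the example dependency-free. The useful signal in a capture like this is the set of destinations and ports being hit, not the sources, which are by design noise.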

  4. Re:It's so simple! by tomstdenis · · Score: 5, Funny

    1. Use the same fucking joke over and over.
    2. ???
    3. Jackass!

    --
    Someday, I'll have a real sig.
  5. It's the Church of the Subgenius by Bingo+Foo · · Score: 5, Funny

    Their "flagship," the S.S.BOB

    Uh that's a de-leetified 55808 BTW

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  6. What's Behind This Odd Dupe? by GillBates0 · · Score: 5, Funny
    From the BugTraq Post "The information we've been able to gather leads us to believe that the trojan we have captured is not the original source of the 55808 traffic that has been seen, but is rather a "copycat", created to mimic the behavior of another trojan or worm."

    The information we've been able to gather leads us to believe that the new article we're seeing is not the original source of the odd Slashdot-generated traffic that has been seen on the Internet, but is rather a "copycat", created to mimic the behavior of another article or story.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  7. Re:It's so simple! by Anonymous Coward · · Score: 4, Funny

    1. Spot duplicate story on Slashdot
    2. Copy highly moderated comment from previous story
    3. ???
    4. KARMA!!

  8. Long range network probe by Anonymous Coward · · Score: 4, Funny

    "...ISS also has an analysis."

    They can perform packet sniffing and analysis from orbit?

    Geez, and to all you naysayers who claim that a reduced two-man crew could not get any science done!

  9. Re:How does it spread? by freeweed · · Score: 5, Interesting

    The big Samba exploit a couple of months ago left a nice root shell bound to a fixed high port. What's interesting about this is that *many* exploits around the same time shared the same shellcode, and thus the same port.

    Doing some casual scanning at the time, I picked up hundreds of boxes with a root (or other user, local privilege escalation anyone?) shell open on that very port. This was only a couple of hours of scanning; imagine what I could have done given a few weeks.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  10. It's just amazing by mcrbids · · Score: 4, Insightful

    What I find most amazing is not that these exploits, worms, and trojans exist, or even that there are so many, but rather that there are so few.

    We can all thank our favorite deities (cowboy Neal included) that economics work out such that those who are most capable of writing a true "nutbuster" malware are typically getting paid to write something more productive!

    Most of these worms and viruses are pretty lame - I read someplace that over 90% of worms and viruses never propagate enough to be "viable" - they are too ineffective to spread.

    The Internet is an amazingly powerful communications medium - but putting your stuff online is somewhat analogous to putting your stuff in the heart of Harlem - since everywhere has a "front door" there.

    The state of security on the Internet is bad, and will get worse before it gets better.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  11. SARC writeup here.... by VCAGuy · · Score: 4, Informative

    Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linux.typot.html.

    --
    Q: "Why do sound techs say 'check 1, 2'?"
    A: "Cause if they could count any higher they'd be lighting techs."
  12. Product Name Change by malia8888 · · Score: 5, Funny
    Press Release: Trojan Condoms will hereinafter be called "Greeks". As any mythology student knows the Greeks and the Trojans in mythology were opponents. The Trojan Company in an effort to distance itself from the "trojans" in the cyber world will change sides in this epic conflict and now refer to their fine product as "Greeks".

    Press Release Number Two: Bill's Bait Shop will now refer to their worms as "Fancy Pink Wriggling Fish Food". Bill's Bait Shop, in an effort to distance itself from the "worms" in the cyber world will now refer to their fine product as "Fancy Pink Wriggling Fish Food".

    --
    Harpo Tunnel Syndrome--my wrist feels funny.