CastleCops, Internet Crime Fighters
55808 Trojan Analysis
Category: Trojans
Intrusec's detailed analysis: This Trojan aims to be a distributed port scanner whose presence is very difficult to detect. It port scans random addresses across the IP address space, spoofing a random source address on each probe. Spoofing the source address lets the Trojan avoid easy detection, but it also means it cannot receive the results of the TCP SYN it sends. However, since the Trojan also sniffs the network it is on in promiscuous mode, it is likely, over time, to pick up the replies to scans sent by other installations of the Trojan that randomly chose a spoofed source address on its subnet. As the number of Trojans installed across the Internet grows, each Trojan sends more spoofed packets, and more of the replies to those spoofed source addresses are captured by other Trojans.

Each time a reply to a Trojan's probe is seen, indicating that an open port has been found, it is written to a file and saved. Once a day, the Trojan writes the list of open ports it recorded while sniffing to a file and delivers that file to a predefined IP address.

In addition, a specially crafted packet can be sent to the subnet the Trojan is listening on whose sequence number carries the IP address to which the Trojan should deliver its daily open-port list. However, in the current incarnations of this Trojan this functionality appears to be disabled.

Finally, the Trojan contains a feature whereby, if it fails to connect to the IP address it is supposed to deliver its open-port list to, it automatically attempts to remove itself from the system.

The Trojan we have identified is a file named 'a' residing at /tmp/.../a on the file system. Its packet collection activity monitors for any packet with a window size of 55808 and records every packet matching that window size. The packet capture is written to its current directory (typically /tmp/.../) in a file named 'r'.
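The file indicators above (a binary 'a' and a capture file 'r' inside a directory named '...' under /tmp) are what an incident responder would check for on a suspect host. The following is an added example, not Intrusec's or CastleCops' code: it walks a filesystem root, reports every directory named '...' (such a name is not shown by a plain `ls`, which is presumably why it was chosen) and notes which of the two files it holds and whether 'a' is executable. The sample tree is constructed in a temporary directory, and the ELF bytes written there are a placeholder, not the real binary.

```python
"""Host-side triage for the file indicators named in the advisory (added example).

The Trojan lives at /tmp/.../a and writes its capture to 'r' in the same
directory. A directory named '...' is not listed by a plain `ls`, so this walk
reports every such directory under a root along with which of the two files it
holds and whether 'a' is executable. The sample tree is constructed in a temp
directory; the ELF bytes are a placeholder, not the real binary.
"""
import os
import stat
import tempfile

HIDDEN_DIR = "..."            # directory name from the advisory's /tmp/.../a path
INDICATOR_FILES = ("a", "r")  # binary and capture file names from the advisory


def find_indicators(root):
    """Walk `root` and report every '...' directory and the indicator files in it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) != HIDDEN_DIR:
            continue
        present = {}
        for name in INDICATOR_FILES:
            if name not in filenames:
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            present[name] = {
                "size": st.st_size,
                "executable": bool(st.st_mode & stat.S_IXUSR),
            }
        findings.append({"dir": dirpath, "files": present})
    return sorted(findings, key=lambda f: f["dir"])


def make_sample_tree():
    """Build a constructed layout: one suspicious '...' dir and one benign dir."""
    base = tempfile.mkdtemp(prefix="triage55808-")
    hidden = os.path.join(base, HIDDEN_DIR)
    os.makedirs(hidden)
    binary = os.path.join(hidden, "a")
    with open(binary, "wb") as fh:
        fh.write(b"\x7fELF placeholder")   # constructed stand-in for the Trojan binary
    os.chmod(binary, 0o755)
    with open(os.path.join(hidden, "r"), "wb"):
        pass                               # empty capture file, as before any replies are seen
    benign = os.path.join(base, "build")
    os.makedirs(benign)
    with open(os.path.join(benign, "a"), "w") as fh:
        fh.write("not hidden\n")           # an 'a' outside a '...' dir is not reported
    return base


if __name__ == "__main__":
    root = make_sample_tree()
    for finding in find_indicators(root):
        print(finding["dir"])
        for name, info in finding["files"].items():
            print(f"  {name}: {info['size']} bytes, executable={info['executable']}")
```

Run it against `/tmp` (or the whole filesystem) on a suspect host; a hit is a lead to preserve and examine, not proof by itself, since nothing stops unrelated software from using the same names.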

There is a default IP address of 12.108.65.76 to which the Trojan attempts to make a standard (not spoofed) connection on TCP port 22 to deliver the packet capture after it has been running for 24 hours. This address appears to have been randomly selected, as it is not an active system on the Internet, and it is potentially modifiable at run time by a packet sent to the Trojan.

The Trojan appears to contain some functionality to change the IP address it delivers its packet captures to, but this functionality is not operational in the Trojan we have obtained. The stubbed-out code, if activated, would function as follows: if a packet is captured that has a window size of 55808 and a TCP window scale option of 2, the Trojan changes the IP address that packet captures are delivered to based on the sequence number of that packet.

While a novel concept, this Trojan seems largely to have been written as a proof of concept for the ideas Lancope described as a '3rd generation Trojan.' Other than generating large amounts of network traffic, it contains no self-replicating or malicious behavior, and a few high-speed port scans from compromised hosts would be a far more effective and efficient means of mapping open ports on the Internet than this type of Trojan.

We have only observed the Trojan on Linux systems to date. However, the program itself is quite portable to other UNIX variants, so it is possible, if not likely, that it also exists on other UNIX distributions. It is also possible that the 'original' Trojan is Windows-based.

The Trojan appears to be installed on a system either manually or through an external exploit unrelated to the Trojan itself; it contains no exploit code or other means of installing itself on a host. It is easy to identify that a system on your network has been infected with this or a related Trojan because of the extremely noisy network activity it generates: TCP packets with a window size of 55808. However, other legitimate services may intentionally or incidentally send packets with this same window size, so do not rely solely on the presence of such a packet as proof that the Trojan is present. Claims by security vendors that identifying massive quantities of port scanning originating from your network is a unique feature of their software should be taken with a grain of salt. Identifying the specific infected system on your network is more difficult because of the spoofing, the one exception being its daily non-spoofed connection to remote port 22. Tools that help locate the actual physical source of the spoofed packets (by looking at MAC addresses and ARP entries) may be quite useful.
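The two network indicators described above (scan packets with a window size of 55808, and the stubbed control packet that adds a window scale of 2 and carries the drop-off address in its sequence number) can be turned into a small detector that also does the MAC-based source location the last sentence recommends. The following is an added example, not Intrusec's or CastleCops' code: it parses raw Ethernet/IPv4/TCP frames constructed inline, flags the 55808 window, groups hits by source MAC address so the real host can be found even though every source IP is spoofed, and decodes a control packet's sequence number as a dotted-quad address. That decoding assumes the 32-bit sequence number is the IPv4 address itself; the advisory does not state the encoding. IP and TCP checksums are not validated.

```python
"""Detector for the 55808 Trojan's network signature (added example).

Flags TCP packets whose window size is 55808, counts them per source MAC
(the source IP is spoofed, the MAC on the local segment is not), and decodes
the stubbed control packet (window 55808 plus window-scale option 2),
assuming its 32-bit sequence number is the new drop-off IPv4 address.
"""
import struct
from collections import Counter

TROJAN_WINDOW = 55808   # TCP window size used by the Trojan's scans (from the advisory)
WSCALE_OPTION = 3       # TCP option kind for window scale (RFC 1323)
CONTROL_WSCALE = 2      # window-scale value of the stubbed retarget packet


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def _fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_mac, src_ip, dst_ip, sport, dport, seq, window, wscale=None):
    """Construct an Ethernet/IPv4/TCP SYN frame for testing; checksums left at zero."""
    opts = b""
    if wscale is not None:
        opts = bytes([WSCALE_OPTION, 3, wscale, 1])   # kind, length, shift, NOP pad
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (data_off << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    eth = bytes.fromhex("020000000001") + _mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip + tcp


def _window_scale(options):
    """Walk the TCP option list and return the window-scale shift, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # truncated or malformed option
        length = options[i + 1]
        if kind == WSCALE_OPTION and length == 3 and i + 2 < len(options):
            return options[i + 2]
        i += length
    return None


def parse_frame(frame):
    """Extract the fields the detector needs; None if the frame is not IPv4/TCP."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    return {
        "src_mac": _fmt_mac(frame[6:12]),
        "src_ip": _fmt_ip(ip[12:16]), "dst_ip": _fmt_ip(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "window": window,
        "wscale": _window_scale(tcp[20:data_off]),
    }


def scan_frames(frames):
    """Flag 55808-window packets, count them per source MAC, decode any control packets."""
    hits, by_mac, retarget = [], Counter(), []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["window"] != TROJAN_WINDOW:
            continue
        hits.append(pkt)
        by_mac[pkt["src_mac"]] += 1        # spoofed IPs vary; the MAC points at the real host
        if pkt["wscale"] == CONTROL_WSCALE:
            # assumption: the sequence number is the drop-off IPv4 address in network order
            retarget.append(_fmt_ip(struct.pack("!I", pkt["seq"])))
    return {"hits": hits, "by_mac": dict(by_mac), "retarget": retarget}


SAMPLE_FRAMES = [   # constructed traffic, not a real capture
    build_frame("02:00:00:00:00:aa", "192.0.2.10", "192.0.2.1", 40000, 80, 1000, 65535),
    build_frame("02:00:00:00:00:bb", "198.51.100.7", "203.0.113.40", 1234, 22, 1, TROJAN_WINDOW),
    build_frame("02:00:00:00:00:bb", "198.51.100.99", "203.0.113.41", 1234, 80, 1, TROJAN_WINDOW),
    build_frame("02:00:00:00:00:cc", "192.0.2.50", "192.0.2.20", 5555, 443, 7, TROJAN_WINDOW),
    build_frame("02:00:00:00:00:dd", "198.51.100.1", "192.0.2.255", 9999, 22,
                int.from_bytes(_ip_bytes("203.0.113.9"), "big"), TROJAN_WINDOW,
                wscale=CONTROL_WSCALE),
]

if __name__ == "__main__":
    report = scan_frames(SAMPLE_FRAMES)
    for mac, n in sorted(report["by_mac"].items(), key=lambda kv: -kv[1]):
        print(f"{mac}: {n} packets with window {TROJAN_WINDOW}")
    for addr in report["retarget"]:
        print(f"control packet seen; drop-off address would become {addr}")
```

On a live segment the same match is `tcp[14:2] = 55808` in tcpdump's BPF syntax (bytes 14 and 15 of the TCP header are the window field); frames from such a capture can be passed to `scan_frames` and the per-MAC counts sorted to find the noisiest station. Treat a hit as a lead rather than proof, since other software can legitimately use that window size.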


Please visit and link to http://www.intrusec.com/55808.html to receive the latest information available regarding this Trojan.

Additional Links:
http://www.eweek.com/article2/0,3959,1130759,00.asp
http://gcn.com/vol1_no1/daily-updates/22371-1.html
http://www.lancope.com/news/Virus_Alert_Trojan.htm
Posted on Monday, 23 June 2003 @ 10:11:26 UTC by Paul (1727 reads)