Hello David,

Friday, June 20, 2003, 12:09:37 AM, you wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Intrusec Alert: 55808 Trojan Analysis
> June 19, 2003
>
> Introduction:
>
> Intrusec has completed an initial analysis of a trojan that appears to be one of several that is responsible for generating substantial scanning traffic across the Internet with a TCP window size of 55808. The trojan we have isolated appears to match many of the characteristics that others in the security community have reported for this trojan. However, we do not believe that the specific trojan we have identified is the sole source of the traffic generated, and do not know that it is a primary source.
>
> The information we've been able to gather leads us to believe that the trojan we have captured is not the original source of the 55808 traffic that has been seen, but is rather a "copycat", created to mimic the behavior of another trojan or worm. The behavior of this copycat appears to be based on press releases, news articles, and mailing lists that described its hypothetical behavior and known output. Nonetheless, this copycat trojan appears to be actively deployed on systems across the Internet and is something security professionals should be aware of.
>
> Details contained in this analysis will be updated, and linked to numerous analyses that will be done by other security researchers, as they become available. Please visit and link to http://www.intrusec.com/55808.html to receive the latest information available regarding this trojan.
>
> There is apt to be great discussion about the nature of this "trojan" and whether in fact it is accurately characterized as a trojan, backdoor, zombie, or worm. While the specific binaries we have captured are probably described as a trojan or zombie, there is no assurance that other variants of this trojan may not be far more malicious in nature and contain worm or backdoor functionality. We are referring to the trojan we have captured, and the presumed other existing trojans generating similar traffic, as "55808 Trojans," and the specific binary we have analyzed as "55808 Trojan - Variant A." All discussion in our analysis section refers specifically to the 'A' variant we have captured.
>
> Analysis:
>
> This trojan aims to be a distributed port scanner whose presence is very difficult to detect. It port scans random addresses across the IP address space, with a random source address also spoofed. By spoofing the source address, the trojan is able to avoid easy detection, but it also means it cannot receive the results of the TCP SYN that is sent. However, since the trojan also sniffs the network it is on in promiscuous mode, it is likely, over time, to pick up scans from other installations of trojans that randomly selected a source address that happened to be on its subnet. As the number of trojans installed across the Internet grows, more spoofed packets will be sent out by each trojan, and more of the spoofed source addresses will be captured by other trojans.
>
> Each time a reply to a trojan is seen, indicating an open port has been found, it is written to a file and saved. Daily, the trojan will then deliver the list of open ports it recorded while sniffing to a file and deliver that file to a predefined IP address.
>
> In addition, a specially crafted packet can be sent to the subnet the trojan is listening on which contains in its sequence number the IP address the trojan should deliver the open port list to daily.
>
> Finally, the trojan contains a feature whereby if it fails to connect to the IP address it is supposed to deliver its open ports list to, it will automatically attempt to remove itself from the system.
>
> The trojan we have identified has been a file named 'a' that resides in /tmp/.../a on the filesystem. Its packet collection activity monitors for any packet with a window size of 55808 and records all packets matching that window size. The packet capture is written to its current directory (/tmp/.../ typically) in a file named 'r'.
>
> There is a default IP address of 12.108.65.76 that the trojan attempts to make a standard connection (not spoofed) to on TCP port 22 and deliver the packet capture after it has been running for 24 hours; however, this appears to have been randomly selected as it is not an active system on the Internet, and it is dynamically modifiable by a packet that can be sent to the trojan. If a packet is captured that contains a window size of 55808 and a TCP option window scale of 2, the trojan will take the sequence number of the packet that was received and change the IP address that it delivers the packet captures to on a daily basis to the sequence number of that address.
>
> Network administrators can over the course of a day identify the location of this trojan on their network by delivering a packet of the form described above pointing towards their own port 22 server. So long as no further packets redirecting the trojan again are discovered (if they are, another packet could be delivered to overwrite it, or more optimally these specially crafted packets should be filtered by a firewall), within 24 hours the trojan should attempt to connect to your server.
>
> While a novel concept, this trojan seems largely to have been written as a proof of concept relative to the ideas Lancope described as a '3rd generation trojan.' Other than generating large amounts of network traffic, it contains no self-replicating or malicious behavior, and a few high-speed port scans from compromised hosts would be a far more effective and efficient means to map open ports on the Internet than this type of trojan.
>
> We have only observed the trojan on Linux systems to date. However, the program itself is quite portable to other unix variants, so it is possible if not likely that it may also exist on other unix distributions. It is also possible that the 'original' trojan is Windows-based.
>
> The trojan appears to be installed on a system either manually, or through an external exploit that is unrelated to the trojan itself. There is no exploit code or means to install itself on a host built in to the trojan itself.
>
> It is easy to identify that a system on your network has been infected with this or a related trojan due to the extremely noisy network activity it generates with TCP packets with a window size of 55808. However, other legitimate services may intentionally or incidentally also send packets with this same window size, so do not solely rely upon the presence of such a packet as guaranteeing the existence of such a trojan. Security vendors who claim that identifying massive quantities of port scanning originating from their network is a unique feature of their software should be taken with a grain of salt. It is more difficult to identify the specific system on your network that has been infected with this trojan due to its spoofing activities, other than for its daily non-spoofed connection to remote port 22. Tools that can assist you in locating the actual physical source of these spoofed packets (through looking at MAC addresses and ARPs) may be quite useful. There is apt to be a great deal of discussion in the general techniques that can be used to locate it; a good starting resource for this is "Tracking Down the Phantom Host" by John Payton, available at http://www.securityfocus.com/infocus/1705.
>
> For Exposé Users:
>
> Users of Exposé that take advantage of its SSH authenticated differential signatures can detect new default installations of this trojan on their systems by creating a custom SSH differential signature that looks for the appearance of a /tmp/.../ directory on systems being monitored. See the Exposé help for more information on using SSH authentication.
>
> - From the main user interface, select 'Configure App Layer Differentials' from the Tools menu, click 'Add' under the checks box, and then enter a new check with the following settings:
>
> Name: 55808 Trojan
> Priority: High
> Type: SSH, Simple
> Challenge Text: echo check;ls /tmp/.../
> Port Range: 22
>
> If that file appears on the filesystem of any of the hosts being monitored by Exposé and with SSH authentication configured, an alert will be created. Note this is only useful for default installations of the trojan.
>
> Additional Links:
> http://www.securityfocus.com/archive/75
> http://www.eweek.com/article2/0,3959,1130759,00.asp
> http://gcn.com/vol1_no1/daily-updates/22371-1.html
> http://www.lancope.com/news/Virus_Alert_Trojan.htm
>
> About Intrusec:
>
> The best way to prevent intrusions is to find and eliminate vulnerabilities before they can be exploited. Intrusec has been built on the belief that continuous network change detection is a core technology that will assist administrators in managing the security of their networks and should be a part of any comprehensive security framework. Utilizing Intrusec's product, along with those from other commercial and free sources, can assist in limiting the breadth and time your network may be exposed to the type of vulnerabilities being exploited to install malicious software such as the 55808 Trojan.
>
> Intrusec, Inc. was founded in January 2002 to build a new kind of security software that provides continuous detection of changes occurring on a network. Intrusec's first product, Exposé, brings this technology vision to fruition. Using Intrusec's unique Differential Detection Technology, Exposé can detect changes on a network at all of the IP, application, and web services layers of today's modern networks and works with existing vulnerability assessment products to help administrators identify specific vulnerabilities. Exposé is currently in beta testing and is available for download now.
>
> This document is not to be edited or altered in any way without the express written consent of Intrusec, Inc. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.
>
> Use of this information constitutes acceptance for use in an as is condition. There are no warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall Intrusec be held liable for any damages arising in connection with the use of this information.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
>
> iD8DBQE+8hwVZ+G9DfVcBDsRAr0lAJ9mXL0+B45WQNrbDuVeFYI7a94h4gCfdYUk
> zCh609i/6uRrJ70+GlInnuk=
> =NdlI
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

+++++++++++++++++++++++++++++
gpg: armor header: Hash: SHA1
gpg: original file name=''
gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
gpg: Signature made 06/19/03 21:24:53 using DSA key ID F55C043B
gpg: requesting key F55C043B from x-hkp://sks.keyserver.penguin.de
gpg: armor header: Version: SKS 1.0.3
gpg: pub  1024D/F55C043B 2003-06-19 Intrusec, Inc. <[EMAIL PROTECTED]>
gpg: key F55C043B: public key "Intrusec, Inc. <[EMAIL PROTECTED]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: BAD signature from "Intrusec, Inc. <[EMAIL PROTECTED]>"
gpg: textmode signature, digest algorithm SHA1
+++++++++++++++++++++++++++++

Same here; bad signature

-- 
Best regards,
slpl <mailto:[EMAIL PROTECTED]>
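The two packet shapes the quoted advisory describes, turned into detection logic as an added example (Python, not code from the original post or from Intrusec): a window size of 55808 is only a scan hint, while 55808 plus a window-scale option of 2 is the redirect packet whose sequence number encodes the IPv4 address the trojan will upload to. The TCP headers fed to it are constructed fixtures, not captured traffic, and the IP header is assumed to have been stripped already.

```python
import struct
from ipaddress import IPv4Address

TROJAN_WINDOW = 55808   # window size the 55808 trojan sends and sniffs for (advisory)
CONTROL_WSCALE = 2      # window-scale option value that marks the redirect packet

def parse_tcp(segment: bytes) -> dict:
    """Extract ports, seq, window and the window-scale option from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", segment[:20])
    opts = segment[20:(off_flags >> 12) * 4]   # data offset is in 32-bit words
    wscale, i = None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 3 and length == 3:      # window scale (RFC 1323)
            wscale = opts[i + 2]
        i += length
    return {"sport": sport, "dport": dport, "seq": seq, "window": window, "wscale": wscale}

def classify(segment: bytes) -> tuple:
    """Return ("benign", None), ("scan", None) or ("control", "a.b.c.d").

    Window 55808 alone is only a hint: the advisory notes legitimate services
    may use the same window, so correlate before acting on it. Window 55808
    plus window-scale 2 is the redirect packet; its sequence number is the
    IPv4 address the trojan will deliver its capture file to."""
    f = parse_tcp(segment)
    if f["window"] != TROJAN_WINDOW:
        return ("benign", None)
    if f["wscale"] == CONTROL_WSCALE:
        return ("control", str(IPv4Address(f["seq"])))
    return ("scan", None)

def sample_segment(seq: int, window: int, wscale=None) -> bytes:
    """Constructed test fixture (not captured traffic): a SYN header, optional wscale."""
    opts = b"" if wscale is None else bytes([3, 3, wscale, 1])   # wscale option + NOP pad
    data_off = (20 + len(opts)) // 4
    flags = (data_off << 12) | 0x02                                # SYN flag only
    return struct.pack("!HHIIHHHH", 40000, 80, seq, 0, flags, window, 0, 0) + opts
```

Run over a capture, a "control" result is also worth alerting on by itself, since it is exactly the packet the advisory says a firewall should be filtering.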
