[Dshield] Interesting article

Joe Stewart jstewart at lurhq.com
Mon Jun 16 19:35:04 GMT 2003

On Monday 16 June 2003 02:56 pm, Deb Hale wrote:
> http://www.eweek.com/article2/0,3959,1126770,00.asp
> Excerpt from article:
> Security researchers believe they have identified a new breed of Trojan
> horse that is infecting machines on the Internet, possibly in preparation
> for a larger coordinated attack.
> The program scans random IP addresses and sends a probe in the form of a
> TCP SYN request with a window size that is always 55808.

I find the whole press release questionable. The first article they were in
on gcn.com says the trojan responds to packets with a window size of 55808.
This one says it scans with that window size. It seems that Lancope doesn't
really even know how it works, or couldn't accurately convey that to
reporters. And they don't seem to be sharing any more details with the
security community, just using it as an excuse to plug their anomaly detection
product. If this trojan really is as big a threat as they say, they should 
release a full analysis or give it to someone who can.

In the meantime, I've looked historically at logs of this traffic dating back
to January. Until last month, we saw the window size 55808 in normal 
broadscan-type traffic to well-known ports. This would suggest a scanning
tool is in circulation using this window size as a default. It seems plausible
that Lancope found an ordinary raw IP trojan that is part of a backdoor kit
and includes this scanning tool as part of the package. Even so, raw IP
trojans are not new; Craig Baltes posted a writeup of the Q trojan last year,
which is a far stealthier trojan than what they have described.

The only thing that can't be reasonably explained in the rash of traffic we
are currently seeing is why it has seemingly bogus source addresses and
repeats the probes to limited destination addresses which sometimes don't
exist and have never had a host on them. If this was a covert channel as 
they suggest, it's not very covert - sending traffic to the entire internet to 
reach a handful of zombies. 

I'm not saying that Lancope is necessarily wrong, but - where's the rest of
the details we need to protect ourselves and our users from this threat? Has
anyone found any actual code to corroborate what Lancope is saying?


Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
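The post's central observation is that the only hard indicator published so far is a pure TCP SYN with a window size of 55808, and that the author went back through logs to see how that indicator behaved over time (which destination ports it hit, whether the source addresses looked real, and whether the same destinations were probed repeatedly). The script below is an added example, not code from the post or from Lancope or LURHQ: it runs that kind of check over constructed tcpdump-style lines. The log format, the `MARTIAN_NETS` list (a short, non-exhaustive set of unroutable ranges) and all addresses are assumptions for illustration.

```python
import re
import ipaddress
from collections import Counter

# Window size named in the eWeek article quoted in the thread.
SUSPECT_WINDOW = 55808

# Assumed tcpdump-style line layout; real captures vary, adjust the pattern to yours.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?win (?P<win>\d+)"
)

# A short list of ranges that should never appear as a source on the public
# Internet (RFC 1918, loopback, "this" network, link-local, multicast, class E).
# Constructed for this example; it is not an exhaustive bogon list.
MARTIAN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample traffic (documentation addresses), not real capture data.
SAMPLE_LINES = """\
12:00:01.000001 IP 203.0.113.7.3121 > 198.51.100.10.80: Flags [S], seq 10, win 55808, length 0
12:00:01.000002 IP 203.0.113.7.3122 > 198.51.100.11.21: Flags [S], seq 11, win 55808, length 0
12:00:01.000003 IP 0.1.2.3.3123 > 198.51.100.250.22: Flags [S], seq 12, win 55808, length 0
12:00:01.000004 IP 198.51.100.20.443 > 203.0.113.9.51000: Flags [S.], seq 1, ack 2, win 5840, length 0
12:00:01.000005 IP 10.9.8.7.4000 > 198.51.100.250.22: Flags [S], seq 13, win 55808, length 0
12:00:01.000006 IP 203.0.113.8.4001 > 198.51.100.12.80: Flags [S], seq 14, win 16384, length 0
""".splitlines()


def parse_line(line):
    """Parse one tcpdump-style TCP line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "win"):
        rec[key] = int(rec[key])
    return rec


def find_probes(lines, window=SUSPECT_WINDOW):
    """Keep only pure SYNs (flag string exactly 'S', no ACK) carrying the suspect window size."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["flags"] == "S" and rec["win"] == window:
            probes.append(rec)
    return probes


def is_martian_source(addr):
    """True if the source address falls in one of the unroutable ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIAN_NETS)


def summarize(probes):
    """Answer the questions raised in the thread: which ports, which targets, which sources look bogus."""
    return {
        "total": len(probes),
        "per_dport": Counter(p["dport"] for p in probes),      # well-known ports => broadscan tool?
        "per_dst": Counter(p["dst"] for p in probes),          # repeated hits on one destination
        "martian_sources": sorted({p["src"] for p in probes if is_martian_source(p["src"])}),
    }


if __name__ == "__main__":
    summary = summarize(find_probes(SAMPLE_LINES))
    print("SYN probes with win", SUSPECT_WINDOW, ":", summary["total"])
    print("by destination port:", dict(summary["per_dport"]))
    print("destinations hit more than once:",
          {d: n for d, n in summary["per_dst"].items() if n > 1})
    print("sources in unroutable ranges:", summary["martian_sources"])
```

On the constructed sample the filter drops the SYN/ACK and the SYN with a normal window, leaves four probes, and shows the two things the post asks about: probes concentrated on well-known ports (80, 21, 22) and two of the sources sitting in ranges that cannot be legitimate on the public Internet. Against real logs the same summary makes it easy to tell whether the window-size indicator alone separates this traffic from ordinary broadscan activity.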