[Dshield] Re: sdbot variant and WS 55808 activity

Richard Ginski rginski at co.pinellas.fl.us
Thu Jun 19 15:55:49 GMT 2003


Some additional info. The mention of "Day 0" might be of concern.

http://www.eweek.com/article2/0,3959,1130765,00.asp

>>> jstewart at lurhq.com 6/18/2003 10:45:08 AM >>>
While researching an IRC zombie infection for a third party, I came
across
a variant of sdbot which is hard-coded to send TCP packets with a
window
size of 55808 in its spoofed-synflooding function. Could this be the
"next-gen" trojan that Lancope found? If so, it redefines the term
next-gen,
because sdbot is pretty much old-school.

The particular variant I found is _not_ the well known "sdbot SYN
edition" 
by Tesla. The packet construction subroutine is entirely different.
Based on
what I have seen here and in the firewall logs from as far back as
January, 
I feel that  there is a snippet of C being re-used in the underground
and it
uses a default window size of 55808. I've seen it used in
broadscanning, 
and now as a synflooder.

Here is an example command used in the IRC control channel to start a 
synflood with this version of sdbot. 192.168.1.21 is the address to be
spoofed while attacking 192.168.1.1:

$syn 192.168.1.1 6000 20 192.168.1.21 6666

Here is a capture of some of the resulting packets:

07:26:51.048897 192.168.1.21.6666 > 192.168.1.1.6000: S
693933104:693933104(0) 
win 55808
0x0000   4500 0028 0a34 0000 8006 ad35 c0a8 0115       
E..(.4.....5....
0x0010   c0a8 0101 1a0a 1770 295c 9430 0000 0000       
.......p)\.0....
0x0020   5002 da00 6374 0000 0000 0000 0000             P...ct........

07:26:51.049000 192.168.1.21.6666 > 192.168.1.1.6000: S 
3950185482:3950185482(0) win 55808
0x0000   4500 0028 0a35 0000 8006 ad34 c0a8 0115       
E..(.5.....4....
0x0010   c0a8 0101 1a0a 1770 eb73 0c0a 0000 0000       
.......p.s......
0x0020   5002 da00 2983 0000 0000 0000 0000             P...).........

07:26:51.049096 192.168.1.21.6666 > 192.168.1.1.6000: S 
2692113931:2692113931(0) win 55808
0x0000   4500 0028 0a36 0000 8006 ad33 c0a8 0115       
E..(.6.....3....
0x0010   c0a8 0101 1a0a 1770 a076 660b 0000 0000       
.......p.vf.....
0x0020   5002 da00 1a7f 0000 0000 0000 0000             P.............

I have passed the binaries I have found along to the AV community, so 
anti-virus signatures at least for the variants I have found should be
forthcoming. 

Of course, this still doesn't explain the weird source and destination

IP addresses and ports we are seeing since last month, but based on
this I seriously doubt it is a covert channel. Maybe someone is just 
testing a new implementation of the synscanning code in a distributed 
manner, and has some bugs to work out.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/ 

_______________________________________________
list mailing list
list at dshield.org 
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list