[Dshield] sdbot variant and port 55808 activity

Yevette Maurer yevettem at gsmt.com
Thu Jun 19 17:14:28 GMT 2003


I just received this email today on this very subject...

Trojan Picks Up Steam, Baffles Experts
http://www.eweek.com/article2/0,3959,1130754,00.asp

By Dennis Fisher
June 18, 2003

A new Trojan that has been making its way around the Internet in
recent weeks continues to baffle security experts, who have been
unable to get a good handle on its behavior.

The Trojan apparently made its first appearance around May 16 and
began randomly scanning Internet-connected machines. The scanning was
slow at first but has begun to pick up speed in recent days as more
machines have become infected. Researchers at Internet Security
Systems Inc. in Atlanta have been seeing nearly 3,000 scans an hour on
Tuesday across the entire address space that the company monitors.

The Trojan scans random ports on random machines, each time sending an
initial SYN packet. One of the few identifiable characteristics of the
program is a window size of 55808 on each of the packets it transmits.
It also spoofs the originating IP address on all of the packets,
making them look as if they're coming from machines in unallocated
name space.

ISS has been tracking the Trojan for about a month and has yet to find
a copy of its code or successfully trace it back to an infected
machine. Other security vendors and officials at the Department of
Homeland Security are also tracking the Trojan, all without any luck
so far.

"We still don't have a good idea where it's going or if it's
communicating with anyone," said Pete Allor, manager of X-Force Threat
Intelligence Services at ISS. "I don't want to say I'm close, but I'm
closer than I was yesterday."

Researchers have been frustrated by the Trojan's random behavior,
which has helped it elude capture. One of the few nuggets of
information that experts have at this point is that a portion of the
hex code in the packets the Trojan sends contains the term "day 0." In
security circles, the phrase "zero day" is often used to describe
attacks on vulnerabilities that have just been discovered.

Despite the problems tracking the Trojan so far, Allor believes it's
only a matter of time before someone gets a handle on it. When he does
find it, Allor is eager to peek into the Trojan's code and see what
makes it tick.

"This is a new one. It piqued our curiosity really quick," he said.



-
ISN is currently hosted by Attrition.org


-----Original Message-----
From: Joe Stewart [mailto:jstewart at lurhq.com]
Sent: Wednesday, June 18, 2003 7:45 AM
To: intrusions at incidents.org
Cc: incidents at securityfocus.com; list at dshield.org
Subject: [Dshield] sdbot variant and port 55808 activity


While researching an IRC zombie infection for a third party, I came across
a variant of sdbot which is hard-coded to send TCP packets with a window
size of 55808 in its spoofed-synflooding function. Could this be the
"next-gen" trojan that Lancope found? If so, it redefines the term next-gen,
because sdbot is pretty much old-school.

The particular variant I found is _not_ the well known "sdbot SYN edition"
by Tesla. The packet construction subroutine is entirely different. Based on
what I have seen here and in the firewall logs from as far back as January,
I feel that there is a snippet of C being re-used in the underground and it
uses a default window size of 55808. I've seen it used in broadscanning,
and now as a synflooder.

Here is an example command used in the IRC control channel to start a
synflood with this version of sdbot. 192.168.1.21 is the address to be
spoofed while attacking 192.168.1.1:

$syn 192.168.1.1 6000 20 192.168.1.21 6666

Here is a capture of some of the resulting packets:

07:26:51.048897 192.168.1.21.6666 > 192.168.1.1.6000: S
693933104:693933104(0) win 55808
0x0000   4500 0028 0a34 0000 8006 ad35 c0a8 0115        E..(.4.....5....
0x0010   c0a8 0101 1a0a 1770 295c 9430 0000 0000        .......p)\.0....
0x0020   5002 da00 6374 0000 0000 0000 0000             P...ct........

07:26:51.049000 192.168.1.21.6666 > 192.168.1.1.6000: S
3950185482:3950185482(0) win 55808
0x0000   4500 0028 0a35 0000 8006 ad34 c0a8 0115        E..(.5.....4....
0x0010   c0a8 0101 1a0a 1770 eb73 0c0a 0000 0000        .......p.s......
0x0020   5002 da00 2983 0000 0000 0000 0000             P...).........

07:26:51.049096 192.168.1.21.6666 > 192.168.1.1.6000: S
2692113931:2692113931(0) win 55808
0x0000   4500 0028 0a36 0000 8006 ad33 c0a8 0115        E..(.6.....3....
0x0010   c0a8 0101 1a0a 1770 a076 660b 0000 0000        .......p.vf.....
0x0020   5002 da00 1a7f 0000 0000 0000 0000             P.............

I have passed the binaries I have found along to the AV community, so
anti-virus signatures at least for the variants I have found should be
forthcoming.

Of course, this still doesn't explain the weird source and destination
IP addresses and ports we are seeing since last month, but based on
this I seriously doubt it is a covert channel. Maybe someone is just
testing a new implementation of the synscanning code in a distributed
manner, and has some bugs to work out.

-Joe

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
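As an added example (my own code, not part of the thread above and not from sdbot, ISS or LURHQ), here is a small Python script that parses the tcpdump hex dump from Joe's message, decodes the IPv4 and TCP headers, validates both checksums, and flags SYN-only segments carrying the 55808 window that both the eWeek article and Joe's analysis describe. The capture text is embedded verbatim as constructed input; the function names, the `SDBOT_WINDOW` constant and the assumption that the dump is in tcpdump `-x` style (offset column, 16-bit hex words, optional ASCII column) are mine.

```python
import struct

# Constructed input: the three hex-dump records from the capture in the
# message above, copied verbatim (offset, 16-bit words, ASCII column).
CAPTURE = r"""
0x0000   4500 0028 0a34 0000 8006 ad35 c0a8 0115        E..(.4.....5....
0x0010   c0a8 0101 1a0a 1770 295c 9430 0000 0000        .......p)\.0....
0x0020   5002 da00 6374 0000 0000 0000 0000             P...ct........

0x0000   4500 0028 0a35 0000 8006 ad34 c0a8 0115        E..(.5.....4....
0x0010   c0a8 0101 1a0a 1770 eb73 0c0a 0000 0000        .......p.s......
0x0020   5002 da00 2983 0000 0000 0000 0000             P...).........

0x0000   4500 0028 0a36 0000 8006 ad33 c0a8 0115        E..(.6.....3....
0x0010   c0a8 0101 1a0a 1770 a076 660b 0000 0000        .......p.vf.....
0x0020   5002 da00 1a7f 0000 0000 0000 0000             P.............
"""

SDBOT_WINDOW = 55808          # 0xda00, the hard-coded value discussed above (my name)
TCP_SYN, TCP_ACK = 0x02, 0x10
HEXDIGITS = set("0123456789abcdef")


def parse_hexdump(text):
    """Turn tcpdump -x style output into a list of raw packet byte strings.

    Records are separated by blank lines. On each "0x...." line the 16-bit
    hex words are collected until the first token that is not four hex
    digits (the ASCII column); timestamp/summary lines are ignored.
    """
    packets, cur = [], bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            if cur:
                packets.append(bytes(cur))
                cur = bytearray()
            continue
        if not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:]:
            if len(tok) == 4 and set(tok.lower()) <= HEXDIGITS:
                cur += bytes.fromhex(tok)
            else:
                break
    if cur:
        packets.append(bytes(cur))
    return packets


def inet_checksum(data):
    """RFC 1071 one's-complement checksum; 0 means the covered bytes verify."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(pkt):
    """Decode the IPv4 and TCP headers of one packet and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_id, proto = struct.unpack("!H", pkt[4:6])[0], pkt[9]
    tcp = pkt[ihl:total_len]          # IP total length strips link-layer padding
    sport, dport, seq, _ack, off_flags, window, _csum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, proto, len(tcp))   # TCP pseudo-header
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "ip_id": ip_id, "ttl": pkt[8],
        "sport": sport, "dport": dport, "seq": seq,
        "flags": off_flags & 0x1FF, "window": window,
        "ip_ok": inet_checksum(pkt[:ihl]) == 0,
        "tcp_ok": proto == 6 and inet_checksum(pseudo + tcp) == 0,
    }


def is_sdbot_syn(p):
    """SYN without ACK and the 55808 window: the pattern Joe describes."""
    return p["flags"] & (TCP_SYN | TCP_ACK) == TCP_SYN and p["window"] == SDBOT_WINDOW


def flag_sdbot_syns(text):
    """Decode every packet in a dump and return the ones matching the pattern."""
    return [p for p in map(decode, parse_hexdump(text)) if is_sdbot_syn(p)]


if __name__ == "__main__":
    for p in flag_sdbot_syns(CAPTURE):
        print("%s:%d > %s:%d seq=%d win=%d id=0x%04x ip_ok=%s tcp_ok=%s" % (
            p["src"], p["sport"], p["dst"], p["dport"], p["seq"],
            p["window"], p["ip_id"], p["ip_ok"], p["tcp_ok"]))
```

Run against the capture above, all three packets decode with valid IP and TCP checksums, the sequence numbers match tcpdump's summary lines (693933104, 3950185482, 2692113931), and the IP ID simply increments by one per packet (0x0a34, 0x0a35, 0x0a36), so the raw packets are well formed rather than malformed garbage. On a live wire the equivalent pcap filter is `tcp[14:2] = 55808 and tcp[tcpflags] & (tcp-syn|tcp-ack) = tcp-syn`; treat a hit as an indicator to correlate with the spoofed-source and scanning behaviour described above rather than as proof on its own, since a window value is only one header field.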



