From: slpl at madinfo.pt (slpl@...info.pt)
Subject: Intrusec 55808 Trojan Analysis

Hello David,

Friday, June 20, 2003, 12:09:37 AM, you wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> Intrusec Alert: 55808 Trojan Analysis

> June 19, 2003

> Introduction:

> Intrusec has completed an initial analysis of a trojan that appears to
> be one of several that are responsible for generating substantial
> scanning traffic across the Internet with a TCP window size of 55808.
> The trojan we have isolated appears to match many of the
> characteristics that others in the security community have reported
> for this trojan.  However, we do not believe that the specific trojan
> we have identified is the sole source of the traffic generated, and do
> not know that it is a primary source.

> The information we've been able to gather leads us to believe that the
> trojan we have captured is not the original source of the 55808 traffic
> that has been seen, but is rather a "copycat", created to mimic the
> behavior of another trojan or worm.  The behavior of this copycat
> appears to be based on press releases, news articles, and mailing lists
> that described its hypothetical behavior and known output.
> Nonetheless, this copycat trojan appears to be actively deployed on
> systems across the Internet and is something security professionals
> should be aware of.

> Details contained in this analysis will be updated, and linked to
> numerous analyses that will be done by other security researchers, as
> they become available. Please visit and link to
> http://www.intrusec.com/55808.html to receive the latest information
> available regarding this trojan.

> There is apt to be great discussion about the nature of this "trojan"
> and whether in fact it is accurately characterized as a trojan,
> backdoor, zombie, or worm. While the specific binaries we have captured
> are probably described as a trojan or zombie, there is no assurance
> that other variants of this trojan may not be far more malicious in
> nature and contain worm or backdoor functionality. We are referring to
> the trojan we have captured, and the presumed other existing trojans
> generating similar traffic, as "55808 Trojans," and the specific binary
> we have analyzed as "55808 Trojan - Variant A."  All discussion in our
> analysis section refers specifically to the 'A' variant we have
> captured.

> Analysis:

> This trojan aims to be a distributed port scanner whose presence is
> very difficult to detect.  It port scans random addresses across the
> IP address space, with a random source address also spoofed.  By
> spoofing the source address, the trojan is able to avoid easy
> detection, but it also means it can not receive the results of the TCP
> SYN that is sent.  However, since the trojan also sniffs the network it
> is on in promiscuous mode, it is likely, over time, to pick up scans
> from other installations of trojans that randomly selected a source
> address that happened to be on its subnet.  As the number of trojans
> installed across the Internet grows, more spoofed packets will be sent
> out by each trojan, and more of the spoofed source addresses will be
> captured by other trojans.

> Each time a reply to a trojan is seen, indicating an open port has been
> found, it is written to a file and saved.  Daily, the trojan will then
> deliver the list of open ports it recorded while sniffing to a file and
> deliver that file to a predefined IP address.

> In addition, a specially crafted packet can be sent to the subnet the
> trojan is listening on which contains in its sequence number the IP
> address the trojan should deliver the open port list to daily.

> Finally, the trojan contains a feature whereby if it fails to connect
> to the IP address it is supposed to deliver its open ports list to, it
> will automatically attempt to remove itself from the system.

> The trojan we have identified has been a file named 'a' that resides in
> /tmp/.../a on the filesystem.  Its packet collection activity monitors
> for any packet with a window size of 55808 and records all packets
> matching that window size.  The packet capture is written to its
> current directory (/tmp/.../ typically) in a file named 'r'.

> There is a default IP address of 12.108.65.76 that the trojan attempts
> to make a standard connection (not spoofed) to on TCP port 22 and
> deliver the packet capture after it has been running for 24 hours,
> however this appears to have been randomly selected as it is not an
> active system on the Internet, and it is dynamically modifiable by a
> packet that can be sent to the trojan.

> If a packet is captured that contains a window size of 55808 and a TCP
> option window scale of 2, the trojan will take the sequence number of
> the packet that was received and change the IP address that it
> delivers the packet captures to on a daily basis to the sequence number
> of that address.

> Network administrators can over the course of a day identify the
> location of this trojan on their network by delivering a packet of the
> form described above pointing towards their own port 22 server.  So
> long as no further packets redirecting the trojan again are discovered
> (if they are, another packet could be delivered to overwrite it, or
> more optimally these specially crafted packets should be filtered by a
> firewall), within 24 hours the trojan should attempt to connect to your
> server.

> While a novel concept, this trojan seems largely to have been written
> as a proof of concept relative to the ideas Lancope described as a '3rd
> generation trojan.'  Other than generating large amounts of network
> traffic, it contains no self-replicating or malicious behavior, and a
> few high-speed port scans from compromised hosts would be a far more
> effective and efficient means to map open ports on the Internet than
> this type of trojan.

> We have only observed the trojan on Linux systems to date.  However,
> the program itself is quite portable to other unix variants, so it is
> possible if not likely that it may also exist on other unix
> distributions.  It is also possible that the 'original' trojan is
> Windows-based.

> The trojan appears to be installed on a system either manually, or
> through an external exploit that is unrelated to the trojan itself.
> There is no exploit code or means to install itself on a host built-in
> to the trojan itself.

> It is easy to identify that a system on your network has been infected
> with this or a related trojan due to the extremely noisy network
> activity it generates with TCP packets with a window size of 55808.
> However, other legitimate services may intentionally or incidentally
> also send packets with this same window size, so do not solely rely
> upon the presence of such a packet as guaranteeing the existence of
> such a trojan.

> Security vendors who claim that identifying massive quantities of port
> scanning originating from their network is a unique feature of their
> software should be taken with a grain of salt.  It is more difficult to
> identify the specific system on your network that has been infected
> with this trojan due to its spoofing activities, other than for its
> daily non-spoofed connection to remote port 22.  Tools that can assist
> you in locating the actual physical source of these spoofed packets
> (through looking at MAC addresses and ARPs) may be quite useful.  There
> is apt to be a great deal of discussion in the general techniques that
> can be used to locate it; a good starting resource for this is
> "Tracking Down the Phantom Host" by John Payton available at
> http://www.securityfocus.com/infocus/1705.

> For Exposé Users:

> Users of Exposé that take advantage of its SSH authenticated
> differential signatures can detect new default installations of this
> trojan on their systems by creating a custom SSH differential signature
> that looks for the appearance of a /tmp/.../ directory on systems being
> monitored.  See the Exposé help for more information on using SSH
> authentication.

> From the main user interface, select 'Configure App Layer
> Differentials' from the Tools menu, click 'Add' under the checks box,
> and then enter a new check with the following settings:

>           Name: 55808 Trojan
>       Priority: High
>           Type: SSH, Simple
> Challenge Text: echo check;ls /tmp/.../
>     Port Range: 22

> If that file appears on the filesystem of any of the hosts being
> monitored by Exposé and with SSH authentication configured, an alert
> will be created.  Note this is only useful for default installations of
> the trojan.


> Additional Links:

> http://www.securityfocus.com/archive/75
> http://www.eweek.com/article2/0,3959,1130759,00.asp
> http://gcn.com/vol1_no1/daily-updates/22371-1.html
> http://www.lancope.com/news/Virus_Alert_Trojan.htm
 

> About Intrusec:

> The best way to prevent intrusions is to find and eliminate
> vulnerabilities before they can be exploited.  Intrusec has been built
> on the belief that continuous network change detection is a core
> technology that will assist administrators in managing the security of
> their networks and should be a part of any comprehensive security
> framework.  Utilizing Intrusec's product, along with those from other
> commercial and free sources, can assist in limiting the breadth and
> time your network may be exposed to the type of vulnerabilities being
> exploited to install malicious software such as the 55808 Trojan.

> Intrusec, Inc. was founded in January 2002 to build a new kind of
> security software that provides continuous detection of changes
> occurring on a network. Intrusec's first product, Exposé, brings this
> technology vision to fruition.  Using Intrusec's unique Differential
> Detection Technology, Exposé can detect changes on a network at all of
> the IP, application, and web services layers of today's modern
> networks and works with existing vulnerability assessment products to
> help administrators identify specific vulnerabilities.  Exposé is
> currently in beta testing and is available for download now.

> This document is not to be edited or altered in any way without the
> express written consent of Intrusec, Inc.  You may provide links to
> this document from your web site, and you may make copies of this
> document in accordance with the fair use doctrine of the U.S.
> copyright laws.

> Use of this information constitutes acceptance for use in an as is
> condition.  There are no warranties, implied or otherwise, with regard
> to this information or its use. Any use of this information is at the
> user's risk. In no event shall Intrusec be held liable for any damages
> arising in connection with the use of this information.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)

> iD8DBQE+8hwVZ+G9DfVcBDsRAr0lAJ9mXL0+B45WQNrbDuVeFYI7a94h4gCfdYUk
> zCh609i/6uRrJ70+GlInnuk=
> =NdlI
> -----END PGP SIGNATURE-----

> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
+++++++++++++++++++++++++++++
gpg: armor header: Hash: SHA1
gpg: original file name=''
gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
gpg: Signature made 06/19/03 21:24:53  using DSA key ID F55C043B
gpg: requesting key F55C043B from x-hkp://sks.keyserver.penguin.de
gpg: armor header: Version: SKS 1.0.3
gpg: pub  1024D/F55C043B 2003-06-19   Intrusec, Inc. <security@...rusec.com>
gpg: key F55C043B: public key "Intrusec, Inc. <security@...rusec.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: BAD signature from "Intrusec, Inc. <security@...rusec.com>"
gpg: textmode signature, digest algorithm SHA1
+++++++++++++++++++++++++++++

Same here; bad signature


-- 
Best regards,
 slpl                      <mailto:slpl@...info.pt>
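The quoted analysis describes the traffic closely enough to recognize it on the wire: scans stamped with a TCP window of 55808, a "redirect" form of the same packet carrying window scale option 2 with the new delivery address in the sequence number, and spoofed source IPs that leave only the layer-2 source to identify the real sender. The following is an added detection example written for this archive page; it is not code from Intrusec, from the original poster, or from the trojan. It assumes that the sequence number in a redirect packet encodes an IPv4 address in network byte order (the analysis only says the address is "the sequence number"), and every MAC and IP address in the sample capture is constructed for the example.

```python
"""Offline detector for the 55808-trojan traffic patterns (added example).

Parses raw Ethernet II / IPv4 / TCP frames, flags segments with window 55808,
decodes the redirect form (window scale option 2, address in sequence number),
and counts flagged frames per source MAC so the physical sender can be found
even though the IP source addresses are spoofed.  Nothing here is sent on a
network; the sample frames are constructed in memory.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

TROJAN_WINDOW = 55808   # window size the analysis says the trojan stamps on scans
REDIRECT_WSCALE = 2     # window-scale value that marks a redirect packet
TCPOPT_WSCALE = 3       # TCP option kind for window scale (RFC 1323)


def parse_tcp_options(opts: bytes) -> dict:
    """Return {kind: value bytes} for the options in a TCP header."""
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                     # truncated or malformed option: stop
        length = opts[i + 1]
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def parse_frame(frame: bytes):
    """Parse an Ethernet II / IPv4 / TCP frame; None if it is anything else."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or ihl < 20 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    return {
        "src_mac": frame[6:12].hex(":"),
        "src_ip": str(IPv4Address(ip[12:16])),
        "dst_ip": str(IPv4Address(ip[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
    }


def classify(pkt):
    """('scan', None) for a 55808-window segment, ('redirect', ip) for the
    control form, None for anything else."""
    if pkt is None or pkt["window"] != TROJAN_WINDOW:
        return None
    wscale = pkt["options"].get(TCPOPT_WSCALE)
    if wscale == bytes([REDIRECT_WSCALE]):
        # Assumption: the sequence number holds the new delivery address as a
        # network-order IPv4 value; decode it so the alert names that host.
        return ("redirect", str(IPv4Address(pkt["seq"])))
    return ("scan", None)


def analyze(frames):
    """Summarize trojan-related traffic in a list of raw frames."""
    report = {"scans": 0, "redirects": [], "by_src_mac": Counter()}
    for frame in frames:
        pkt = parse_frame(frame)
        verdict = classify(pkt)
        if verdict is None:
            continue
        kind, target = verdict
        if kind == "redirect":
            report["redirects"].append(target)
        else:
            report["scans"] += 1
        # The spoofed IP source changes per packet; the layer-2 source does not.
        report["by_src_mac"][pkt["src_mac"]] += 1
    return report


def make_frame(src_mac, src_ip, dst_ip, seq, window, wscale=None) -> bytes:
    """Build a constructed sample frame for offline testing (nothing is sent)."""
    opts = b"" if wscale is None else bytes([TCPOPT_WSCALE, 3, wscale, 0])
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 22, seq, 0, (data_off << 12) | 0x02,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = (bytes.fromhex("00005e00530a") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))
    return eth + ip + tcp


# Constructed sample capture: two spoofed scans from one host (same MAC, different
# source IPs), one redirect pointing at the admin's own SSH server, one benign SYN.
SAMPLE_FRAMES = [
    make_frame("02:00:00:00:00:01", "203.0.113.9", "198.51.100.20", 1, TROJAN_WINDOW),
    make_frame("02:00:00:00:00:01", "203.0.113.77", "198.51.100.21", 2, TROJAN_WINDOW),
    make_frame("02:00:00:00:00:02", "192.0.2.5", "192.0.2.255",
               int(IPv4Address("192.0.2.10")), TROJAN_WINDOW, wscale=REDIRECT_WSCALE),
    make_frame("02:00:00:00:00:03", "192.0.2.6", "192.0.2.7", 3, 65535),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_FRAMES))
```

Run against a real capture, the per-MAC counter is the useful part: the two scans above carry different spoofed source IPs but the same source MAC, which is the host to pull off the wire, and any redirect hit tells you which collection address the trojan will dial out to on port 22 so that connection can be blocked or watched for. As the analysis warns, a 55808 window alone is not proof; treat the "scan" count as a lead to confirm, not a verdict.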

