Message-ID: <210275139.20030620115918@ciber-mail.com>
From: slpl at madinfo.pt (slpl@...info.pt)
Subject: Intrusec 55808 Trojan Analysis
Hello David,
Friday, June 20, 2003, 12:09:37 AM, you wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Intrusec Alert: 55808 Trojan Analysis
> June 19, 2003
>
> Introduction:
>
> Intrusec has completed an initial analysis of a trojan that appears to be
> one of several that is responsible for generating substantial scanning
> traffic across the Internet with a TCP window size of 55808. The trojan we
> have isolated appears to match many of the characteristics that others in
> the security community have reported for this trojan. However, we do not
> believe that the specific trojan we have identified is the sole source of
> the traffic generated, and do not know that it is a primary source.
>
> The information we've been able to gather leads us to believe that the
> trojan we have captured is not the original source of the 55808 traffic
> that has been seen, but is rather a "copycat", created to mimic the
> behavior of another trojan or worm. The behavior of this copycat appears
> to be based on press releases, news articles, and mailing lists that
> described its hypothetical behavior and known output. Nonetheless, this
> copycat trojan appears to be actively deployed on systems across the
> Internet and is something security professionals should be aware of.
>
> Details contained in this analysis will be updated, and linked to numerous
> analyses that will be done by other security researchers, as they become
> available. Please visit and link to http://www.intrusec.com/55808.html to
> receive the latest information available regarding this trojan.
>
> There is apt to be great discussion about the nature of this "trojan" and
> whether in fact it is accurately characterized as a trojan, backdoor,
> zombie, or worm. While the specific binaries we have captured are probably
> described as a trojan or zombie, there is no assurance that other variants
> of this trojan may not be far more malicious in nature and contain worm or
> backdoor functionality. We are referring to the trojan we have captured,
> and the presumed other existing trojans generating similar traffic, as
> "55808 Trojans," and the specific binary we have analyzed as
> "55808 Trojan - Variant A." All discussion in our analysis section refers
> specifically to the 'A' variant we have captured.
>
> Analysis:
>
> This trojan aims to be a distributed port scanner whose presence is very
> difficult to detect. It port scans random addresses across the IP address
> space, with a random source address also spoofed. By spoofing the source
> address, the trojan is able to avoid easy detection, but it also means it
> cannot receive the results of the TCP SYN that is sent. However, since the
> trojan also sniffs the network it is on in promiscuous mode, it is likely,
> over time, to pick up scans from other installations of trojans that
> randomly selected a source address that happened to be on its subnet. As
> the number of trojans installed across the Internet grows, more spoofed
> packets will be sent out by each trojan, and more of the spoofed source
> addresses will be captured by other trojans.
>
> Each time a reply to a trojan is seen, indicating an open port has been
> found, it is written to a file and saved. Daily, the trojan will then
> deliver the list of open ports it recorded while sniffing to a file and
> deliver that file to a predefined IP address.
>
> In addition, a specially crafted packet can be sent to the subnet the
> trojan is listening on which contains in its sequence number the IP
> address the trojan should deliver the open port list to daily.
>
> Finally, the trojan contains a feature whereby if it fails to connect to
> the IP address it is supposed to deliver its open ports list to, it will
> automatically attempt to remove itself from the system.
>
> The trojan we have identified has been a file named 'a' that resides in
> /tmp/.../a on the filesystem. Its packet collection activity monitors for
> any packet with a window size of 55808 and records all packets matching
> that window size. The packet capture is written to its current directory
> (/tmp/.../ typically) in a file named 'r'.
>
> There is a default IP address of 12.108.65.76 that the trojan attempts to
> make a standard connection (not spoofed) to on TCP port 22 and deliver the
> packet capture after it has been running for 24 hours, however this
> appears to have been randomly selected as it is not an active system on
> the Internet, and it is dynamically modifiable by a packet that can be
> sent to the trojan.
>
> If a packet is captured that contains a window size of 55808 and a TCP
> option window scale of 2, the trojan will take the sequence number of the
> packet that was received and change the IP address that it delivers the
> packet captures to on a daily basis to the sequence number of that
> address.
>
> Network administrators can over the course of a day identify the location
> of this trojan on their network by delivering a packet of the form
> described above pointing towards their own port 22 server. So long as no
> further packets redirecting the trojan again are discovered (if they are,
> another packet could be delivered to overwrite it, or more optimally these
> specially crafted packets should be filtered by a firewall), within 24
> hours the trojan should attempt to connect to your server.
>
> While a novel concept, this trojan seems largely to have been written as a
> proof of concept relative to the ideas Lancope described as a '3rd
> generation trojan.' Other than generating large amounts of network
> traffic, it contains no self-replicating or malicious behavior, and a few
> high-speed port scans from a compromised host would be a far more
> effective and efficient means to map open ports on the Internet than this
> type of trojan.
>
> We have only observed the trojan on Linux systems to date. However, the
> program itself is quite portable to other unix variants, so it is possible
> if not likely that it may also exist on other unix distributions. It is
> also possible that the 'original' trojan is Windows-based.
>
> The trojan appears to be installed on a system either manually, or through
> an external exploit that is unrelated to the trojan itself. There is no
> exploit code or means to install itself on a host built-in to the trojan
> itself.
>
> It is easy to identify that a system on your network has been infected
> with this or a related trojan due to the extremely noisy network activity
> it generates with TCP packets with a window size of 55808. However, other
> legitimate services may intentionally or incidentally also send packets
> with this same window size, so do not solely rely upon the presence of
> such a packet as guaranteeing the existence of such a trojan.
>
> Security vendors who claim that identifying massive quantities of port
> scanning originating from their network as a unique feature of their
> software should be taken with a grain of salt. It is more difficult to
> identify the specific system on your network that has been infected with
> this trojan due to its spoofing activities other than for its daily
> non-spoofed connection to remote port 22. Tools that can assist you in
> locating the actual physical source of these spoofed packets (through
> looking at MAC addresses and ARPs) may be quite useful. There is apt to be
> a great deal of discussion in the general techniques that can be used to
> locate it; a good starting resource for this is "Tracking Down the Phantom
> Host" by John Payton available at
> http://www.securityfocus.com/infocus/1705.
>
> For Exposé Users:
>
> Users of Exposé that take advantage of its SSH authenticated differential
> signatures can detect new default installations of this trojan on their
> systems by creating a custom SSH differential signature that looks for the
> appearance of a /tmp/.../ directory on systems being monitored. See the
> Exposé help for more information on using SSH authentication.
>
> From the main user interface, select 'Configure App Layer Differentials'
> from the Tools menu, click 'Add' under the checks box, and then enter a
> new check with the following settings:
>
> Name: 55808 Trojan
> Priority: High
> Type: SSH, Simple
> Challenge Text: echo check;ls /tmp/.../
> Port Range: 22
>
> If that file appears on the filesystem of any of the hosts being monitored
> by Exposé and with SSH authentication configured, an alert will be
> created.
>
> Note this is only useful for default installations of the trojan.
>
> Additional Links:
>
> http://www.securityfocus.com/archive/75
> http://www.eweek.com/article2/0,3959,1130759,00.asp
> http://gcn.com/vol1_no1/daily-updates/22371-1.html
> http://www.lancope.com/news/Virus_Alert_Trojan.htm
>
> About Intrusec:
>
> The best way to prevent intrusions is to find and eliminate
> vulnerabilities before they can be exploited. Intrusec has been built on
> the belief that continuous network change detection is a core technology
> that will assist administrators in managing the security of their networks
> and should be a part of any comprehensive security framework. Utilizing
> Intrusec's product, along with those from other commercial and free
> sources, can assist in limiting the breadth and time your network may be
> exposed to the type of vulnerabilities being exploited to install
> malicious software such as the 55808 Trojan.
>
> Intrusec, Inc. was founded in January 2002 to build a new kind of security
> software that provides continuous detection of changes occurring on a
> network. Intrusec's first product, Exposé, brings this technology vision
> to fruition.
>
> Using Intrusec's unique Differential Detection Technology, Exposé can
> detect changes on a network at all of the IP, application, and web
> services layers of today's modern networks and works with existing
> vulnerability assessment products to help administrators identify specific
> vulnerabilities. Exposé is currently in beta testing and is available for
> download now.
>
> This document is not to be edited or altered in any way without the
> express written consent of Intrusec, Inc. You may provide links to this
> document from your web site, and you may make copies of this document in
> accordance with the fair use doctrine of the U.S. copyright laws.
>
> Use of this information constitutes acceptance for use in an as is
> condition. There are no warranties, implied or otherwise, with regard to
> this information or its use. Any use of this information is at the user's
> risk. In no event shall Intrusec be held liable for any damages arising in
> connection with the use of this information.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
>
> iD8DBQE+8hwVZ+G9DfVcBDsRAr0lAJ9mXL0+B45WQNrbDuVeFYI7a94h4gCfdYUk
> zCh609i/6uRrJ70+GlInnuk=
> =NdlI
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
+++++++++++++++++++++++++++++
gpg: armor header: Hash: SHA1
gpg: original file name=''
gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
gpg: Signature made 06/19/03 21:24:53 using DSA key ID F55C043B
gpg: requesting key F55C043B from x-hkp://sks.keyserver.penguin.de
gpg: armor header: Version: SKS 1.0.3
gpg: pub 1024D/F55C043B 2003-06-19 Intrusec, Inc. <security@...rusec.com>
gpg: key F55C043B: public key "Intrusec, Inc. <security@...rusec.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: BAD signature from "Intrusec, Inc. <security@...rusec.com>"
gpg: textmode signature, digest algorithm SHA1
+++++++++++++++++++++++++++++
Same here; bad signature
--
Best regards,
slpl <mailto:slpl@...info.pt>
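The quoted advisory gives a defender two packet-level signals: SYN probes carrying a TCP window size of 55808, and "redirect" packets that additionally carry a window-scale option of 2 and an IPv4 address in the sequence-number field. The Python below is an added example written for this archive page; it is neither Intrusec's code nor the trojan's. It parses raw IPv4/TCP headers, flags packets with the 55808 window, and decodes a redirect's sequence number as the address a compromised host would deliver its capture file to. All input is constructed in memory (addresses from the RFC 5737 documentation ranges, helper `make_sample_packet` only builds bytes and never touches a socket), so it runs offline; point `scan_capture` at frames pulled from a pcap to use it on real traffic. The advisory's caveat still holds: other services may legitimately use this window size, so a hit is a lead to investigate, not proof of infection.

```python
import ipaddress
import struct

TROJAN_WINDOW = 55808   # window size the advisory says the trojan sends and sniffs for
REDIRECT_WSCALE = 2     # window-scale value that marks a "change delivery address" packet
TCPOPT_WSCALE = 3       # TCP option kind for window scale (RFC 1323/7323)


def parse_tcp_options(raw: bytes) -> dict:
    """Return {kind: value_bytes} for the TCP options in raw; EOL/NOP carry no value."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                     # End of option list
            break
        if kind == 1:                     # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):             # truncated option: stop rather than guess
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_ipv4_tcp(packet: bytes):
    """Parse an IPv4 header followed by a TCP header. Returns a dict, or None if not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:   # byte 9 is the IP protocol field
        return None
    tcp = packet[ihl:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": off_flags & 0x01FF, "window": window,
        "options": parse_tcp_options(tcp[20:data_off]),
    }


def classify_packet(packet: bytes):
    """Flag a packet matching the 55808 signature; decode the target of a redirect packet."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None or hdr["window"] != TROJAN_WINDOW:
        return None
    report = {"src": hdr["src"], "dst": hdr["dst"], "dport": hdr["dport"],
              "kind": "scan_probe", "redirect_target": None}
    wscale = hdr["options"].get(TCPOPT_WSCALE)
    if wscale and wscale[0] == REDIRECT_WSCALE:
        # The advisory: sequence number of such a packet is the new delivery IP address.
        report["kind"] = "redirect"
        report["redirect_target"] = str(ipaddress.IPv4Address(hdr["seq"]))
    return report


def scan_capture(packets):
    """Run classify_packet over an iterable of raw frames (IP header first) and keep the hits."""
    return [r for r in (classify_packet(p) for p in packets) if r is not None]


def make_sample_packet(src, dst, dport, seq, window, options=b""):
    """Constructed test input only: build an IPv4/TCP SYN in memory (no network I/O)."""
    opts = options + b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIHH", 40000, dport, seq, 0, ((tcp_len // 4) << 12) | 0x02, window)
    tcp += b"\x00\x00\x00\x00" + opts                        # zero checksum + urgent pointer
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Constructed sample traffic: one ordinary SYN, two 55808 probes, one redirect packet.
SAMPLE_PACKETS = [
    make_sample_packet("203.0.113.7", "198.51.100.20", 80, 0x12345678, TROJAN_WINDOW),
    make_sample_packet("198.51.100.9", "198.51.100.20", 443, 0xABCDEF01, 65535),
    make_sample_packet("203.0.113.50", "198.51.100.20", 22,
                       int(ipaddress.IPv4Address("192.0.2.44")), TROJAN_WINDOW, b"\x03\x03\x02"),
    make_sample_packet("203.0.113.51", "198.51.100.20", 22, 99, TROJAN_WINDOW, b"\x03\x03\x07"),
]

if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_PACKETS):
        print(hit)
```

Because the probes carry spoofed sources, the `src` field of a `scan_probe` hit says nothing about which host is infected; as the advisory notes, locating the sender needs layer-2 data (MAC addresses, ARP) or the daily non-spoofed port 22 connection. The decoded `redirect_target` is the useful piece: it is the address that connection will go to, which is what an administrator should watch for and filter.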