Message-ID: <200306201008.22699.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: ISS "Stumbler" advisory questions

From the X-Force "Stumbler" advisory:
> X-Force has been tracking reports of suspicious and widespread Internet
> traffic with a TCP Window size of 55808. A substantial amount of traffic
> captured from sites around the world point to a new distributed port
> scanning system.
... snip ...
> Each agent attempts to map IP addresses and open ports corresponding to 
> each IP address by sending a TCP SYN packet with a random destination port.

This doesn't appear to be the same pattern of activity seen since May. Many
people have reported activity from a single spoofed IP to a single destination 
IP from a random but non-varying source port to a random but non-varying 
destination port - for weeks at a time. I've seen this on several networks we
monitor. I see no way this could even pretend to be an effective distributed
scan.

Intrusec seems to feel that the trojan they found is a copycat; someone
created a trojan to try and match the described behavior/traffic with winsize 
55808. Probably someone's idea of a joke on the infosec community. The files
ISS describe match the files Intrusec described, so why does ISS/X-Force feel 
that Stumbler is the true source of the traffic?

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
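As an added illustration of the distinction the message draws (this is not part of Joe Stewart's post, nor ISS or Intrusec tooling), the script below takes a list of SYN records, keeps only those with the 55808 window the advisory cites, and tells apart the two shapes of traffic: the advisory's description (one source spraying SYNs at random destination ports across many hosts) versus what the post says sites were actually seeing (one source address to one destination, fixed source and destination ports, repeating for weeks). All addresses, ports, timestamps and thresholds are constructed for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Classify TCP-window-55808 SYN traffic into 'random-port scan' vs
'fixed-port repeat' patterns.  Example code; all input is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import random

STUMBLER_WINDOW = 55808  # TCP window size named in the X-Force advisory


def _syn(ts, src, sport, dst, dport, win=STUMBLER_WINDOW):
    """One SYN record as a plain dict (constructed, not a real capture)."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "win": win}


def build_sample():
    """Constructed sample traffic mixing both patterns plus unrelated noise."""
    recs = []
    t0 = datetime(2003, 5, 20, 3, 14, 0)
    # Pattern the post describes: single (possibly spoofed) source, single
    # destination, fixed source and destination ports, one SYN a day for 3 weeks.
    for day in range(21):
        recs.append(_syn(t0 + timedelta(days=day), "198.51.100.7", 4096,
                         "203.0.113.10", 21457))
    # Pattern the advisory describes: one source sending SYNs with random
    # destination ports to many hosts within about an hour.
    rng = random.Random(55808)  # seeded so the sample is reproducible
    for i in range(40):
        recs.append(_syn(t0 + timedelta(seconds=90 * i), "192.0.2.5",
                         rng.randrange(1024, 65536),
                         f"203.0.113.{rng.randrange(1, 255)}",
                         rng.randrange(1, 65536)))
    # Background noise with an ordinary window size; the filter must drop it.
    recs.append(_syn(t0, "192.0.2.9", 33000, "203.0.113.10", 80, win=5840))
    return recs


def summarize(records, window=STUMBLER_WINDOW):
    """Group SYNs carrying the given window size by source address and
    count distinct destinations/ports and the time span covered."""
    by_src = defaultdict(list)
    for r in records:
        if r["win"] == window:
            by_src[r["src"]].append(r)
    out = {}
    for src, rs in by_src.items():
        span = max(r["ts"] for r in rs) - min(r["ts"] for r in rs)
        out[src] = {
            "count": len(rs),
            "dsts": len({r["dst"] for r in rs}),
            "sports": len({r["sport"] for r in rs}),
            "dports": len({r["dport"] for r in rs}),
            "span_days": span.days,
        }
    return out


def classify(summary, min_repeat=10, min_days=7, min_dports=10):
    """Label each source.  Thresholds are hypothetical tuning knobs:
    'fixed-port-repeat'  = one dst, one sport, one dport, many SYNs over days
    'random-port-scan'   = many distinct destination ports (advisory pattern)
    'other'              = neither shape."""
    labels = {}
    for src, s in summary.items():
        if (s["dsts"] == 1 and s["sports"] == 1 and s["dports"] == 1
                and s["count"] >= min_repeat and s["span_days"] >= min_days):
            labels[src] = "fixed-port-repeat"
        elif s["dports"] >= min_dports:
            labels[src] = "random-port-scan"
        else:
            labels[src] = "other"
    return labels


if __name__ == "__main__":
    summary = summarize(build_sample())
    for src, label in classify(summary).items():
        print(f"{src:15} {label:18} {summary[src]}")
```

Note the caveat the post itself raises: grouping by source address only tells you what the packets claim, and if the source is spoofed the "fixed-port-repeat" bucket says nothing about where the traffic really originates, which is one reason a single fixed-port stream cannot be read as an effective distributed scan.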

