Security Incidents mailing list archives

RE: Intrusec 55808 Trojan Analysis


From: "David J. Meltzer" <djm () intrusec com>
Date: Tue, 24 Jun 2003 10:54:52 -0400

First, understand the basic concept of this distributed trojan seems to
be to collect a bunch of data (in this instance packet captures) and
then periodically upload the captures to a known IP address.

The basic idea of this "change of address" command that is not fully
implemented is that a hacker, knowing the location of the trojans
running on the Internet, could deliver a spoofed packet anywhere on the
subnet the trojan is listening, and by doing so could change the trojan
to deliver its packet captures to a different server on the internet.

Since the delivered packet looks mostly like all the other spoofed 55808
packets flying across the internet, the "change address" command is
unlikely to attract much attention.  Since it can be delivered anywhere
on the subnet the trojan is listening promiscuously on, it is difficult
to figure out where the trojan is actually located even upon capturing
this command.  

On further review, this implementation is fairly ridiculous.  Why go
through all the trouble of all this promiscuous mode sniffing and
scanning to completely avoid the ability of anyone to detect the
existence of the trojan, and then try to make a plain TCP connection,
revealing the existence and location of all the trojans to anyone
looking for that traffic?  An early unfinished version?  Poor code?
Amateur work?  A joke?  A proof of concept?  Who knows...

One could imagine future trojans that used these concepts in more viable
and useful manners, but I will leave it to others to speculate on how to
write a better trojan as I'm more interested in how to stop them.

Hope that answers your question.

-Dave

-------------------
David J. Meltzer
djm () intrusec com   
CTO, Intrusec, Inc.
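One way a defender could watch for the stubbed-out "change address" command described above, as an added example (not Intrusec's code and nothing taken from the trojan): a small Python matcher that parses raw IPv4/TCP headers, flags segments carrying a window size of 55808 together with a TCP window-scale option of 2, and decodes the sequence number as the address the packet captures would be redirected to. The analysis only says the new address is "based on the sequence number", so reading the 32-bit sequence number as a dotted quad is an assumption made here, and the sample packets are constructed for the example (no link layer, checksums left zero). Because the command can be delivered to any address on the subnet the trojan sniffs, a real deployment would feed this from a span port covering the whole segment rather than a single host's interface.

```python
"""Detector for the 55808 "change address" command packet (added example).

Assumptions not stated on the page: input is raw IPv4+TCP with no link
layer, and the new upload address is the sequence number read as an IPv4
dotted quad.  Sample traffic below is constructed, not captured.
"""
import socket
import struct

TROJAN_WINDOW = 55808   # window size the analysis ties to the trojan's packets
TROJAN_WSCALE = 2       # window-scale shift that marks the "change address" command
WSCALE_KIND = 3         # TCP option kind for window scale (RFC 1323)


def parse_tcp_options(opts: bytes) -> dict:
    """Return {kind: value_bytes} for the TCP options in `opts`.

    Stops on End-of-List, on a truncated header, or on a bogus length so a
    malformed packet cannot make the parser read past the buffer.
    """
    out = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # End of option list
            break
        if kind == 1:                       # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):              # kind present but length byte missing
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                           # malformed length; refuse to over-read
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def inspect_packet(pkt: bytes):
    """Return (src, dst, decoded_addr) if `pkt` matches the command signature, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:   # need a full IPv4 header
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # TCP only, with a full base TCP header
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    _sport, _dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(tcp) < data_off:
        return None
    if window != TROJAN_WINDOW:
        return None
    wscale = parse_tcp_options(tcp[20:data_off]).get(WSCALE_KIND)
    if wscale is None or len(wscale) != 1 or wscale[0] != TROJAN_WSCALE:
        return None                         # ordinary 55808 scan noise, not the command
    decoded = socket.inet_ntoa(struct.pack("!I", seq))   # assumed encoding
    return src, dst, decoded


def scan(packets):
    """Run inspect_packet over a packet list and return alert dicts for matches."""
    alerts = []
    for pkt in packets:
        hit = inspect_packet(pkt)
        if hit:
            src, dst, addr = hit
            alerts.append({"src": src, "dst": dst, "new_upload_addr": addr})
    return alerts


def build_packet(src, dst, seq, window, wscale=None) -> bytes:
    """Constructed IPv4/TCP SYN for testing the detector (checksums left zero)."""
    opts = bytes([1, WSCALE_KIND, 3, wscale]) if wscale is not None else b""  # NOP-padded
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0,
                      (tcp_len // 4) << 12 | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def addr_to_seq(addr: str) -> int:
    """Inverse of the assumed encoding, used only to build the sample command packet."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


# Constructed sample traffic: a normal SYN, a bare 55808 probe, and the command packet.
SAMPLE_PACKETS = [
    build_packet("203.0.113.4", "192.0.2.10", 12345, 65535, wscale=7),
    build_packet("203.0.113.4", "192.0.2.11", 777, TROJAN_WINDOW),
    build_packet("203.0.113.4", "192.0.2.12", addr_to_seq("198.51.100.9"),
                 TROJAN_WINDOW, wscale=TROJAN_WSCALE),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(f"command packet {a['src']} -> {a['dst']}: captures would go to {a['new_upload_addr']}")
```

Only the third sample trips the detector; the bare 55808 probe is left alone because the window-scale check is what separates the command from the background scanning the thread describes. The decoded address is the thing worth alerting on, since it is the server a compromised host would start uploading captures to.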

-----Original Message-----
From: gwhy555 () yahoo com [mailto:gwhy555 () yahoo com] 
Sent: Sunday, June 22, 2003 2:30 AM
To: incidents () securityfocus com
Subject: Re: Intrusec 55808 Trojan Analysis


In-Reply-To: <008d01c3371a$fd5417d0$be01a8c0@ian>


Say, could you explain a little further on the paragraph that reads:

"The trojan appears to contain some functionality to change the IP
address it delivers its packet captures to, but this functionality is
not operational in the trojan we have obtained.  It appears the stubbed
out code, if activated, would function as follows:  If a packet is
captured that contains a window size of 55808 and a TCP option window
scale of 2, the trojan modifies the IP address packet captures are
delivered to based on the sequence number of that packet."

Specifically, what effect would this have if it were to be made
operational? I'm not really a TCP pro, but I am interested in what this
thing might look like in the near future.

much appreciated.

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

