Security Incidents mailing list archives

Re: Intrusec 55808 Trojan Analysis


From: "Philippe Bourgeois" <Philippe.Bourgeois () cert-ist com>
Date: Fri, 27 Jun 2003 14:44:54 +0200

There are a couple of things that look strange to me about this new trojan:

#1: how does the 55808 agent collect SYN/ACK replies?

However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet.

After a quick look in "TCP Illustrated", it appears that:
If I send a TCP SYN with a window size set to 55808, the SYN+ACK reply will
not have the window size set to 55808 (the window size will be chosen by
the server to match its internal buffer size).

It means that the 55808 trojan has to collect all the SYN+ACK packets it
sees, and has no way to know if a given packet is a reply to a 55808 SYN probe...
How can that work?

#2: how to propagate a "command" to all the agents

The trojan appears to contain some functionality to change the IP
address it delivers its packet captures to, but this functionality is
not operational in the trojan we have obtained.  It appears the stubbed
out code, if activated, would function as follows:  If a packet is
captured that contains a window size of 55808 and a TCP option window
scale of 2, the trojan modifies the IP address packet captures are
delivered to based on the sequence number of that packet.

To spread the "change the IP address" command, you have to send packets
"all around" the Internet.
How does that work? Does each agent forward the command to a "random" IP
destination? How do you avoid 55808 storms (the case where an agent captures the
packet it just put on the wire to forward a command)...

Philippe Bourgeois
Cert-IST - www.cert-ist.com

-----Original Message-----
From: incidents-return-5898-buginc=cert-ist.com () securityfocus com
[mailto:incidents-return-5898-buginc=cert-ist.com () securityfocus com] On
Behalf Of David J. Meltzer
Sent: Friday, 20 June 2003 12:59
To: bugtraq () securityfocus com; incidents () securityfocus com
Subject: Intrusec 55808 Trojan Analysis


Intrusec Alert: 55808 Trojan Analysis

Initial Release: 6/19/03 4:30PM EDT
Latest Update: 6/19/03 11:13PM EDT

- Corrected analysis regarding use of sequence numbers to change IP
address.
- Added reference to alternate name "Stumbler" given to trojan by
Internet Security Systems subsequent to the release of Intrusec's
analysis.


Introduction:

Intrusec has completed an initial analysis of a trojan that appears to
be one of several that are responsible for generating substantial
scanning traffic across the Internet with a TCP window size of 55808.
The trojan we have isolated appears to match many of the characteristics
that others in the security community have reported for this trojan.
However, we do not believe that the specific trojan we have identified
is the sole source of the traffic generated, and do not know that it is
a primary source.
[...]
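The two fingerprints discussed in this thread, as an added example that is not part of the original messages, of Intrusec's analysis, or of the trojan itself: a small Python parser that classifies raw TCP segments as a 55808 SYN probe (window 55808, SYN set), as a candidate for the stubbed "command" packet (window 55808 plus a window-scale option of 2), or as neither. The sample segments are constructed here. The value 55808 and the window-scale-2 condition come from the quoted analysis; how the trojan turns the sequence number of a command packet into an IP address is not stated on the page, so the sequence number is only reported, not interpreted. The SYN+ACK sample shows Philippe's point #1: a reply carries the responder's own window, so it cannot be matched to a probe by window size.

```python
"""Classify raw TCP segments against the 55808 ("Stumbler") fingerprints.

Added example for this thread, not code from Intrusec's analysis or from
the trojan.  Sample segments are constructed inline.
"""
import struct

WINDOW_55808 = 55808                      # window size reported in the analysis
COMMAND_WSCALE = 2                        # window-scale value of the stubbed command path
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_WSCALE = 0, 1, 3
TH_SYN, TH_ACK = 0x02, 0x10


def parse_tcp_options(raw):
    """Return {kind: value_bytes} for the options in a TCP option block.

    EOL ends the block, NOP is a single byte; every other kind is TLV.
    A truncated or zero-length option stops parsing instead of looping
    or reading past the buffer.
    """
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            break                           # kind byte with no length byte
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                           # malformed length: stop, do not guess
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts


def parse_tcp(segment):
    """Parse a raw TCP segment (IP header already stripped) into a dict."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "options": parse_tcp_options(segment[20:data_offset]),
    }


def classify_55808(segment):
    """Return ("command", seq), ("probe", None) or ("other", None).

    "command": window 55808 and a window-scale option equal to 2; the
    32-bit sequence number is returned because the analysis says the
    trojan derives a new delivery address from it (mapping unspecified).
    "probe": window 55808 on a plain SYN.  Anything else, including a
    SYN+ACK reply with the responder's own window, is "other".
    """
    tcp = parse_tcp(segment)
    if tcp["window"] != WINDOW_55808:
        return ("other", None)
    wscale = tcp["options"].get(TCP_OPT_WSCALE)
    if wscale is not None and len(wscale) == 1 and wscale[0] == COMMAND_WSCALE:
        return ("command", tcp["seq"])
    if tcp["flags"] & TH_SYN and not tcp["flags"] & TH_ACK:
        return ("probe", None)
    return ("other", None)


def build_tcp(sport, dport, seq, flags, window, options=b""):
    """Build a raw TCP header with padded options (constructed test input only)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         (data_offset << 12) | flags, window, 0, 0)
    return header + options


# Constructed samples; ports, sequence numbers and the 5840 window are arbitrary.
SAMPLES = {
    "probe": build_tcp(1234, 80, 0x11223344, TH_SYN, WINDOW_55808),
    "command": build_tcp(1234, 80, 0x1A2B3C4D, TH_SYN, WINDOW_55808,
                         bytes([TCP_OPT_WSCALE, 3, COMMAND_WSCALE, TCP_OPT_EOL])),
    "synack_reply": build_tcp(80, 1234, 0x99999999, TH_SYN | TH_ACK, 5840),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(name, classify_55808(seg))
```

Running the block prints one line per sample: the probe and command segments are recognised, while the SYN+ACK reply is "other" because nothing in it echoes the 55808 window, which is exactly the matching problem raised in point #1.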

