RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...)

From: Andy Streule (andy.streule_at_lythamhigh.lancs.sch.uk)
Date: 06/20/03

  • Next message: David J. Meltzer: "Intrusec 55808 Trojan Analysis"
    Date: Fri, 20 Jun 2003 11:39:39 +0100
    To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
    
    

    According to

    http://www.eweek.com/article2/0,3959,1132268,00.asp

    the packets are being generated by a distributed network mapping tool called
    Stumbler.

    "Researchers at Internet Security Systems Inc. say the culprit, which was
    first thought to be a new breed of Trojan, is actually a distributed network
    mapping tool that also acts as a listening agent. Dubbed Stumbler, the agent
    is not considered malicious right now because it contains no payload, but it
    has the potential to generate enough IP traffic to hamper network
    performance."

    "Stumbler scans random ports on random machines, each time sending an
    initial SYN packet. One of the few identifiable characteristics of the
    program is a window size of 55808 on each of the packets it transmits. It
    also spoofs the originating IP address on all of the packets, making them
    look as if they're coming from machines in unallocated name space. The
    window size led some to speculate that the malware was related to the Randex
    IRC bot, but experts now say the TCP window size is coincidental."

    ~browolf
    www.security-forums.com


