RE: Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log f ile...)

From: Andy Streule (andy.streule_at_lythamhigh.lancs.sch.uk)
Date: 06/20/03

  • Next message: David J. Meltzer: "Intrusec 55808 Trojan Analysis"
Date: Fri, 20 Jun 2003 11:39:39 +0100
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>

According to

http://www.eweek.com/article2/0,3959,1132268,00.asp

the packets are being generated by a distributed network mapping tool called
Stumbler.

"Researchers at Internet Security Systems Inc. say the culprit, which was
first thought to be a new breed of Trojan, is actually a distributed network
mapping tool that also acts as a listening agent. Dubbed Stumbler, the agent
is not considered malicious right now because it contains no payload, but it
has the potential to generate enough IP traffic to hamper network
performance."

"Stumbler scans random ports on random machines, each time sending an
initial SYN packet. One of the few identifiable characteristics of the
program is a window size of 55808 on each of the packets it transmits. It
also spoofs the originating IP address on all of the packets, making them
look as if they're coming from machines in unallocated name space. The
window size led some to speculate that the malware was related to the Randex
IRC bot, but experts now say the TCP window size is coincidental."

~browolf
www.security-forums.com
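As an added detection example (not part of the original post or the eWeek article it quotes), the Python below scans tcpdump-style log lines for the traffic pattern described above: SYN-only packets carrying a window size of 55808 whose source address is not publicly routable. The sample log lines are constructed, and `ipaddress.is_global` is used as a crude stand-in for "unallocated name space"; both are assumptions of this example, not something the post specifies.

```python
import re
import ipaddress

# Constructed tcpdump-style lines (not taken from the original post): three
# Stumbler-like SYNs (win 55808, non-routable source) plus two ordinary packets.
SAMPLE_LOG = """\
11:39:01.000001 IP 240.1.2.3.1024 > 198.51.100.7.22: Flags [S], seq 0, win 55808, length 0
11:39:01.000002 IP 198.51.100.9.40001 > 198.51.100.7.80: Flags [S], seq 0, win 65535, length 0
11:39:02.000003 IP 0.12.34.56.2048 > 198.51.100.7.8080: Flags [S], seq 0, win 55808, length 0
11:39:02.000004 IP 198.51.100.9.40002 > 198.51.100.7.443: Flags [S.], seq 0, win 55808, length 0
11:39:03.000005 IP 250.9.9.9.3072 > 198.51.100.7.1433: Flags [S], seq 0, win 55808, length 0
"""

STUMBLER_WIN = 55808  # window size named in the quoted article

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], .*?win (?P<win>\d+)"
)


def parse(line):
    """Return a dict of the fields we care about, or None for unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["win"] = int(pkt["win"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_stumbler_like(pkt):
    """SYN only (no ACK), window 55808, and a source outside routable space."""
    if pkt["flags"] != "S" or pkt["win"] != STUMBLER_WIN:
        return False
    src = ipaddress.ip_address(pkt["src"])
    # Assumption: "not is_global" approximates the article's "unallocated name space".
    return not src.is_global


def find_stumbler_syns(log_text):
    """Parse every line and keep only the packets matching the Stumbler profile."""
    return [p for p in map(parse, log_text.splitlines()) if p and is_stumbler_like(p)]


def summarize(hits):
    """Condense matches into what an analyst would triage: count, ports, sources."""
    return {
        "count": len(hits),
        "dports": sorted({h["dport"] for h in hits}),
        "sources": sorted({h["src"] for h in hits}),
    }
```

Because the sources are spoofed, the summary is useful for gauging scan volume and targeted ports, not for attributing the sender.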
