Re: Intrusec 55808 Trojan Analysis

gwhy555_at_yahoo.com
Date: 06/22/03

Next message: Joe Blatz: "Scan from Philipine Center on Transnational Crime"

Previous message: John Smaction: "kuag2 again?"
Maybe in reply to: David J. Meltzer: "Intrusec 55808 Trojan Analysis"
Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"
Reply: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"
Reply: David J. Meltzer: "RE: Intrusec 55808 Trojan Analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 22 Jun 2003 06:30:26 -0000
To: incidents@securityfocus.com

('binary' encoding is not supported, stored as-is) In-Reply-To: <008d01c3371a$fd5417d0$be01a8c0@ian>

Say, could you explain a little further on the paragraph that reads:

"The trojan appears to contain some functionality to change the IP
address it delivers its packet captures to, but this functionality is
not operational in the trojan we have obtained. It appears the stubbed
out code, if activated, would function as follows: If a packet is
captured that contains a window size of 55808 and a TCP option window
scale of 2, the trojan modifies the IP address packet captures are
delivered to based on the sequence number of that packet."

Specifically what effect would this have if it were to be made
operational. I'm not really a tcp pro but I am interested in what this
thing might look like in the near future.

much appreciated.

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Joe Blatz: "Scan from Philipine Center on Transnational Crime"

Previous message: John Smaction: "kuag2 again?"
Maybe in reply to: David J. Meltzer: "Intrusec 55808 Trojan Analysis"
Next in thread: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"
Reply: Valdis.Kletnieks_at_vt.edu: "Re: Intrusec 55808 Trojan Analysis"
Reply: David J. Meltzer: "RE: Intrusec 55808 Trojan Analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Intrusec 55808 Trojan Analysis
... understand the basic concept of this distributed trojan seems to ... could deliver a spoofed packet anywhere on the ... to deliver its packet captures to a different server on the internet. ... world's premier technical IT security event! ...
(Incidents)
Re: Intrusec 55808 Trojan Analysis
... > address it delivers its packet captures to, but this functionality is ... > not operational in the trojan we have obtained. ...
(Incidents)