Re: Intrusec 55808 Trojan Analysis

Valdis.Kletnieks_at_vt.edu
Date: 06/24/03

    To: gwhy555@yahoo.com
    Date: Mon, 23 Jun 2003 21:20:13 -0400
    

    On Sun, 22 Jun 2003 06:30:26 -0000, gwhy555@yahoo.com said:

    > "The trojan appears to contain some functionality to change the IP
    > address it delivers its packet captures to, but this functionality is
    > not operational in the trojan we have obtained. It appears the stubbed
    > out code, if activated, would function as follows: If a packet is
    > captured that contains a window size of 55808 and a TCP option window
    > scale of 2, the trojan modifies the IP address packet captures are
    > delivered to based on the sequence number of that packet."
    >
    > Specifically, what effect would this have if it were to be made
    > operational? I'm not really a TCP pro, but I am interested in what this
    > thing might look like in the near future.

    What this means is that it can (if activated) change the "ET Phone Home"
    address on the fly. Let's say its current phone-home is 199.45.12.24.
    To change it to (say) 209.134.56.97, we just inject a packet for it
    to hear that has:

    window == 55808
    Window Scale == 2
    sequence == 3515234401 ( == 209 * 256**3 + 134 * 256**2 + 56*256 + 97).

    and poof, it calls the new address. So whoever owns it injects a few packets
    with those characteristics, destined to a few listeners. Those then
    start using those numbers and letting the backscatter carry the message
    to more listeners. After a short while, all the listeners are pointing to
    the new IP address.

    Or something like that - I've been in my office too many hours today. ;)
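The mechanism Valdis describes, as an added example that is not part of the original message, the Intrusec write-up, or the trojan's own code: the new phone-home address is carried in the 32-bit sequence number in network byte order (first octet in the most significant byte, which is the 209 * 256**3 arithmetic above), and a listener acts on it only when the packet also carries window 55808 and a window-scale option of 2. The header builder, the option walker and the `Listener` class are assumptions made for the demonstration; nothing here injects or sniffs traffic, and the packets are constructed in memory. The parser also shows the check a real sniffer would need against truncated or malformed option lists.

```python
import ipaddress
import struct

# Trigger values quoted from the Intrusec write-up in the message above.
TRIGGER_WINDOW = 55808
TRIGGER_WSCALE = 2

# TCP option kinds.
TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_WSCALE = 3

# Fixed 20-byte TCP header: sport, dport, seq, ack, data-offset byte, flags,
# window, checksum, urgent pointer (all network byte order).
TCP_HDR_FMT = "!HHIIBBHHH"
TCP_HDR_LEN = struct.calcsize(TCP_HDR_FMT)


def ip_to_seq(ip: str) -> int:
    """Encode a dotted-quad IPv4 address as a 32-bit sequence number.

    Network byte order puts the first octet in the most significant byte,
    which is exactly the 209*256**3 + ... arithmetic in the message.
    """
    return int(ipaddress.IPv4Address(ip))


def seq_to_ip(seq: int) -> str:
    """Inverse of ip_to_seq."""
    return str(ipaddress.IPv4Address(seq & 0xFFFFFFFF))


def build_tcp_header(sport: int, dport: int, seq: int, window: int,
                     options: bytes = b"") -> bytes:
    """Build a bare TCP header (SYN, no checksum, no payload) for the demo."""
    options += b"\x00" * ((-len(options)) % 4)       # pad options to 32-bit words
    data_offset = (TCP_HDR_LEN + len(options)) // 4   # header length in words
    hdr = struct.pack(TCP_HDR_FMT, sport, dport, seq, 0,
                      data_offset << 4, 0x02, window, 0, 0)
    return hdr + options


def parse_wscale(options: bytes):
    """Walk the TCP options and return the window-scale shift, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                       # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                       # malformed length
        if kind == TCP_OPT_WSCALE and length == 3:
            return options[i + 2]
        i += length
    return None


def trigger_address(packet: bytes):
    """Return the new phone-home IP carried by a trigger packet, else None."""
    if len(packet) < TCP_HDR_LEN:
        return None
    _, _, seq, _, off_byte, _, window, _, _ = struct.unpack(
        TCP_HDR_FMT, packet[:TCP_HDR_LEN])
    data_offset = (off_byte >> 4) * 4
    if data_offset < TCP_HDR_LEN or data_offset > len(packet):
        return None
    if window != TRIGGER_WINDOW:
        return None
    if parse_wscale(packet[TCP_HDR_LEN:data_offset]) != TRIGGER_WSCALE:
        return None
    return seq_to_ip(seq)


def build_trigger_packet(new_ip: str, sport: int = 40000, dport: int = 80) -> bytes:
    """The packet the message describes: window 55808, wscale 2, seq = new IP."""
    wscale_opt = bytes([TCP_OPT_NOP, TCP_OPT_WSCALE, 3, TRIGGER_WSCALE])
    return build_tcp_header(sport, dport, ip_to_seq(new_ip), TRIGGER_WINDOW, wscale_opt)


class Listener:
    """Toy model of one sniffer: keeps a phone-home target, re-points on trigger."""

    def __init__(self, target: str):
        self.target = target

    def observe(self, packet: bytes) -> bool:
        new = trigger_address(packet)
        if new is None or new == self.target:
            return False
        self.target = new
        return True


if __name__ == "__main__":
    node = Listener("199.45.12.24")
    pkt = build_trigger_packet("209.134.56.97")
    print("seq field:", struct.unpack("!I", pkt[4:8])[0])
    print("re-pointed:", node.observe(pkt), "->", node.target)
```

Only the sequence number, window and window-scale option matter to the check, so a matching packet needs no valid checksum, no open port and no real source address, which is why a spoofed packet seen by any sniffing host would do. Note that the stubbed-out code as quoted has no authentication on the trigger, so anyone who can get such a packet in front of a listener could re-point it.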
