RE: Intrusec 55808 Trojan Analysis

From: David J. Meltzer (djm_at_intrusec.com)
Date: 06/24/03

    To: <gwhy555@yahoo.com>, <incidents@securityfocus.com>
    Date: Tue, 24 Jun 2003 10:54:52 -0400
    
    

    First, understand the basic concept of this distributed trojan seems to
    be to collect a bunch of data (in this instance packet captures) and
    then periodically upload the captures to a known IP address.

    The basic idea of this "change of address" command that is not fully
    implemented is that a hacker, knowing the location of the trojans
    running on the Internet, could deliver a spoofed packet anywhere on the
    subnet the trojan is listening on, and by doing so could change the
    trojan to deliver its packet captures to a different server on the
    Internet.

    Since the delivered packet looks mostly like all the other spoofed 55808
    packets flying across the internet, the "change address" command is
    unlikely to attract much attention. Since it can be delivered anywhere
    on the subnet the trojan is listening promiscuously on, it is difficult
    to figure out where the trojan is actually located even upon capturing
    this command.

    On further review, this implementation is fairly ridiculous. Why go
    through all the trouble of all this promiscuous mode sniffing and
    scanning to completely avoid the ability of anyone to detect the
    existence of the trojan, and then try to make a plain TCP connection,
    revealing the existence and location of all the trojans to anyone
    looking for that traffic? An early unfinished version? Poor code?
    Amateur work? A joke? A proof of concept? Who knows...

    One could imagine future trojans that used these concepts in more viable
    and useful manners, but I will leave it to others to speculate on how to
    write a better trojan as I'm more interested in how to stop them.

    Hope that answers your question.

    -Dave

    -------------------
    David J. Meltzer
    djm@intrusec.com
    CTO, Intrusec, Inc.

    -----Original Message-----
    From: gwhy555@yahoo.com [mailto:gwhy555@yahoo.com]
    Sent: Sunday, June 22, 2003 2:30 AM
    To: incidents@securityfocus.com
    Subject: Re: Intrusec 55808 Trojan Analysis

    In-Reply-To: <008d01c3371a$fd5417d0$be01a8c0@ian>

    Say, could you explain a little further on the paragraph that reads:

    "The trojan appears to contain some functionality to change the IP
    address it delivers its packet captures to, but this functionality is
    not operational in the trojan we have obtained. It appears the stubbed
    out code, if activated, would function as follows: If a packet is
    captured that contains a window size of 55808 and a TCP option window
    scale of 2, the trojan modifies the IP address packet captures are
    delivered to based on the sequence number of that packet."

    Specifically, what effect would this have if it were to be made
    operational? I'm not really a TCP pro, but I am interested in what this
    thing might look like in the near future.

    much appreciated.

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists.  See for yourself what the buzz is about!
    Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------
