[ISN] New Breed of Trojan Raises Security Concerns

From: InfoSec News (isnat_private)
Date: Mon Jun 16 2003 - 02:13:14 PDT

Next message: InfoSec News: "[ISN] DOD moving to IPv6"

Previous message: InfoSec News: "RE: [ISN] This computer security column is banned in Canada"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.eweek.com/article2/0,3959,1126743,00.asp

By Dennis Fisher
June 13, 2003 

Security researchers believe they have identified a new breed of
Trojan horse that is infecting machines on the Internet, possibly in
preparation for a larger coordinated attack.

However, experts have been unable to pin down many of the details of
the program's behavior and are unsure how many machines might be
compromised by the Trojan.

The program scans random IP addresses and sends a probe in the form of
a TCP SYN request with a window size that is always 55808. Infected
hosts listen promiscuously for packets with certain identifying
characteristics, including that specific window size. Experts believe
that other fields within the packet's header probably give the
infected host information on the IP address of the controlling host
and what port to contact the host on.

The Trojan is also capable of spoofing the source IP addresses for the
packets it sends, making it much more difficult for researchers to
track infected hosts. The program appears to scan IP addresses at a
rate that enables it to scan about 90 percent of the IP addresses on
the Internet in 24 hours, according to officials at Lancope Inc., an
Atlanta-based security vendor. The company has seen the new Trojan on
its own honeynet and has also observed it on the network at a
university.

The company said it was alerted to the existence of the Trojan by an
employee at a defense contractor and later notified both the FBI and
the CERT Coordination Center. A spokesman for the FBI confirmed that
the bureau was aware of the issue, but said there was little it could
do unless there's an incident.

"Until something happens, the FBI is on the sidelines on this one,"  
said Bill Murray, spokesman for the FBI in Washington. "There's not
really anything to investigate."

Unlike typical Trojans, the new program does not have a controller
e-mail address written into the source code.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] DOD moving to IPv6"
Previous message: InfoSec News: "RE: [ISN] This computer security column is banned in Canada"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 16 2003 - 04:17:17 PDT