[ISN] Trojan Picks Up Steam, Baffles Experts

From: InfoSec News (isnat_private)
Date: Thu Jun 19 2003 - 03:05:13 PDT

    http://www.eweek.com/article2/0,3959,1130754,00.asp
    
    By Dennis Fisher
    June 18, 2003 
    
    A new Trojan that has been making its way around the Internet in 
    recent weeks continues to baffle security experts, who have been 
    unable to get a good handle on its behavior. 
    
    The Trojan apparently made its first appearance around May 16 and 
    began randomly scanning Internet-connected machines. The scanning was 
    slow at first but has picked up speed in recent days as more 
    machines have become infected. Researchers at Internet Security 
    Systems Inc. in Atlanta saw nearly 3,000 scans an hour on Tuesday 
    across the entire address space that the company monitors. 
    
    The Trojan scans random ports on random machines, each time sending an 
    initial TCP SYN packet. One of the few identifiable characteristics of 
    the program is a TCP window size of 55808 on every packet it transmits. 
    It also spoofs the source IP address on all of the packets, making 
    them look as if they come from machines in unallocated address space, 
    so the packets cannot simply be traced back to the infected host. 
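    The two traits the article gives, a bare SYN and a TCP window of 55808, 
    are enough to build a simple detector. The following is an added 
    example, not code from the article, from ISS or from the Trojan itself; 
    it assumes raw IPv4+TCP packets with no link-layer header, and the sample 
    traffic (including the spoofed source 240.0.0.1, chosen from reserved 
    space) is constructed inline for illustration. 

```python
"""Flag TCP SYN probes whose window size is 55808, the one fingerprint the
article reports for this scanner. Added example; packets are constructed
inline and are assumed to be raw IPv4+TCP bytes with no Ethernet header."""
import struct
from collections import Counter
from typing import Iterable, NamedTuple, Optional

SUSPECT_WINDOW = 55808   # window size reported on every packet the Trojan sends
TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6


class TcpInfo(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(pkt: bytes) -> Optional[TcpInfo]:
    """Extract the fields the check needs from a raw IPv4+TCP packet.
    Returns None for anything that is not a well-formed IPv4 TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length in bytes, options included
    if ihl < 20 or pkt[9] != IPPROTO_TCP or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:ihl + 20]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    flags = tcp[13]                       # low 6 bits: URG ACK PSH RST SYN FIN
    (window,) = struct.unpack("!H", tcp[14:16])
    return TcpInfo(src, dst, sport, dport, flags, window)


def is_55808_probe(pkt: bytes) -> bool:
    """True for a bare SYN (SYN set, ACK clear) that carries the 55808 window.
    A SYN/ACK with the same window is a reply, not a probe, and is ignored."""
    info = parse_ipv4_tcp(pkt)
    if info is None:
        return False
    return bool(info.flags & TCP_SYN) and not (info.flags & TCP_ACK) \
        and info.window == SUSPECT_WINDOW


def summarize(packets: Iterable[bytes]) -> Counter:
    """Count matching probes per claimed source address. Because the source is
    spoofed, this tally shows where the scanner pretends to be, not where it is."""
    hits: Counter = Counter()
    for pkt in packets:
        if is_55808_probe(pkt):
            hits[parse_ipv4_tcp(pkt).src] += 1
    return hits


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, window: int) -> bytes:
    """Construct a minimal IPv4+TCP packet for the demo. Checksums are left
    zero; the detector never needs them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, IPPROTO_TCP, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


# Constructed sample traffic (not captured data): two spoofed probes from a
# reserved address, one ordinary SYN, and one SYN/ACK reply with the same window.
SAMPLE_PACKETS = [
    build_ipv4_tcp("240.0.0.1", "192.0.2.10", 40000, 8080, TCP_SYN, SUSPECT_WINDOW),
    build_ipv4_tcp("240.0.0.1", "192.0.2.11", 40001, 443, TCP_SYN, SUSPECT_WINDOW),
    build_ipv4_tcp("192.0.2.50", "192.0.2.10", 52000, 80, TCP_SYN, 65535),
    build_ipv4_tcp("192.0.2.10", "198.51.100.7", 80, 52001, TCP_SYN | TCP_ACK, SUSPECT_WINDOW),
]

if __name__ == "__main__":
    for src, n in summarize(SAMPLE_PACKETS).items():
        print(f"{src}: {n} SYN probes with window {SUSPECT_WINDOW}")
```

    The same match can be expressed as a tcpdump/BPF filter on a live 
    interface, `tcp[13] & 2 != 0 and tcp[14:2] = 55808` (byte 13 of the TCP 
    header holds the flags, bytes 14-15 the window). Note that a window size 
    alone is a weak fingerprint: the check above is for triage, and a hit 
    tells you only that a probe arrived, not who sent it, because the source 
    address is spoofed. 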
    
    ISS has been tracking the Trojan for about a month and has yet to find 
    a copy of its code or successfully trace it back to an infected 
    machine. Other security vendors and officials at the Department of 
    Homeland Security are also tracking the Trojan, all without any luck 
    so far. 
    
    "We still don't have a good idea where it's going or if it's 
    communicating with anyone," said Pete Allor, manager of X-Force Threat 
    Intelligence Services at ISS. "I don't want to say I'm close, but I'm 
    closer than I was yesterday." 
    
    Researchers have been frustrated by the Trojan's random behavior, 
    which has helped it elude capture. One of the few nuggets of 
    information that experts have at this point is that a portion of the 
    data in the packets the Trojan sends contains the string "day 0." In 
    security circles, the phrase "zero day" describes an attack on a 
    vulnerability that is not yet publicly known or for which no fix exists. 
    
    Despite the problems tracking the Trojan so far, Allor believes it's 
    only a matter of time before someone gets a handle on it. When he does 
    find it, Allor is eager to peek into the Trojan's code and see what 
    makes it tick. 
    
    "This is a new one. It piqued our curiosity really quick," he said. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jun 19 2003 - 05:28:43 PDT