Possible new trojan?

From: Mike Blomgren (mike.blomgrenat_private)
Date: Thu Sep 13 2001 - 02:45:26 PDT


During a client security investigation, we encountered suspicious traffic from a client machine, to which we cannot identify the source, if this is a Trojan, or some sort of worm.

The client machine had for three days been sending excessive requests to port 80, to two different IP addresses. Both targets are 'high-profile', well known international companies. Each target has received over 100 000 connection attempts per day (24 hours).

We can't see if the requests were valid HTTP requests, or if the client just connected to port 80, and then dropped the connection - in some sort of DoS attempt to consume resources on the target. The firewall which logged the connections just lists successful attempts to connect to port 80 - but doesn't show packet content. Cisco PIX....

An interesting thing is that the source port in each request would start at 1025, increase by one to 5000, and then start over with source port 1025.

The client machine does have an IRC client installed, and this is somewhat alarming. However, the Trend Micro anti-virus software does not detect the virus, with the latest available pattern file (per 2001-09-10).

Any possible clues or leads are appreciated.
    
Regards,

~Mike

PGP Fingerprint: 4B7F 8DCA 0C44 019E 1A2D  C0E6 775B 12B1 DB47 5C12
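One defensive check that can be run over a connection-only firewall log like the one described above, as an added example that is not part of the original post: it flags a client whose port-80 connections show source ports climbing by one and wrapping from 5000 back to 1025. The log line format, the thresholds and the sample lines are constructed assumptions for this example, not the real Cisco PIX syslog format.

```python
import re
from collections import defaultdict
# Constructed log format standing in for the fields a firewall logs (time,
# src addr/port, dst addr/port); it is not the real Cisco PIX syslog format.
LINE_RE = re.compile(r"^(?P<ts>\d+) TCP (?P<src>[\d.]+)/(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)/(?P<dport>\d+)$")
PORT_LOW, PORT_HIGH = 1025, 5000   # source-port cycle described in the post

def parse_lines(lines):
    """Yield (ts, src, sport, dst, dport); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"])

def next_port(port):
    return PORT_LOW if port >= PORT_HIGH else port + 1   # climb by one, wrap at 5000

def find_suspect_flows(records, min_conns=3, min_sequential=0.9):
    """Port-80 flows with >= min_conns connections and (near-)sequential source ports."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport in records:
        if dport == 80:
            flows[(src, dst)].append((ts, sport))
    suspects = {}
    for key, conns in flows.items():
        if len(conns) < max(min_conns, 2):            # need at least one transition
            continue
        conns.sort()                                  # order by timestamp
        ports = [p for _, p in conns]
        hits = sum(1 for a, b in zip(ports, ports[1:]) if next_port(a) == b)
        ratio = hits / (len(ports) - 1)
        if ratio >= min_sequential:
            span = max(conns[-1][0] - conns[0][0], 1)  # seconds covered
            suspects[key] = {"connections": len(conns), "sequential_ratio": ratio,
                             "per_second": len(conns) / span}
    return suspects

# Constructed sample: one host cycling through the 5000 -> 1025 wrap, one host
# with scattered ports, and one non-port-80 line that must be ignored.
SAMPLE_LOG = [
    "100 TCP 10.0.0.5/4999 > 203.0.113.10/80",
    "101 TCP 10.0.0.5/5000 > 203.0.113.10/80",
    "102 TCP 10.0.0.5/1025 > 203.0.113.10/80",
    "103 TCP 10.0.0.5/1026 > 203.0.113.10/80",
    "100 TCP 10.0.0.7/1040 > 203.0.113.20/80",
    "101 TCP 10.0.0.7/2311 > 203.0.113.20/80",
    "102 TCP 10.0.0.7/1800 > 203.0.113.20/80",
    "104 TCP 10.0.0.5/1027 > 203.0.113.10/443",
]
```

Running `find_suspect_flows(parse_lines(SAMPLE_LOG))` flags only the 10.0.0.5 to 203.0.113.10 flow; the per-second rate lets a real run be compared against the 100 000 connections per day reported in the post.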
    
    
    
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 08:50:23 PDT