Intrusec 55808 Trojan Analysis

From: David J. Meltzer (djmat_private)
Date: Thu Jun 19 2003 - 13:25:57 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Intrusec Alert: 55808 Trojan Analysis
    
    June 19, 2003
    
    Introduction:
    
    Intrusec has completed an initial analysis of a trojan that appears to be one of
    several that are responsible for generating substantial scanning traffic across
    the Internet with a TCP window size of 55808. The trojan we have isolated
    appears to match many of the characteristics that others in the security
    community have reported for this trojan. However, we do not believe that the
    specific trojan we have identified is the sole source of the traffic generated,
    and do not know that it is a primary source.
    
    The information we've been able to gather leads us to believe that the trojan
    we have captured is not the original source of the 55808 traffic that has been
    seen, but is rather a "copycat", created to mimic the behavior of another
    trojan or worm. The behavior of this copycat appears to be based on press
    releases, news articles, and mailing lists that described its hypothetical
    behavior and known output. Nonetheless, this copycat trojan appears to be
    actively deployed on systems across the Internet and is something security
    professionals should be aware of.
    
    Details contained in this analysis will be updated, and linked to the numerous
    analyses that will be done by other security researchers, as they become
    available. Please visit and link to http://www.intrusec.com/55808.html to
    receive the latest information available regarding this trojan.
    
    There is apt to be great discussion about the nature of this "trojan" and
    whether in fact it is accurately characterized as a trojan, backdoor, zombie,
    or worm. While the specific binaries we have captured are probably best
    described as a trojan or zombie, there is no assurance that other variants of
    this trojan may not be far more malicious in nature and contain worm or
    backdoor functionality. We are referring to the trojan we have captured, and
    the presumed other existing trojans generating similar traffic, as "55808
    Trojans," and the specific binary we have analyzed as "55808 Trojan - Variant
    A." All discussion in our analysis section refers specifically to the 'A'
    variant we have captured.
     
    
    Analysis:
    
    This trojan aims to be a distributed port scanner whose presence is very
    difficult to detect. It port scans random addresses across the IP address
    space, with a random source address also spoofed. By spoofing the source
    address, the trojan is able to avoid easy detection, but it also means it
    cannot receive the results of the TCP SYN that is sent. However, since the
    trojan also sniffs the network it is on in promiscuous mode, it is likely,
    over time, to pick up scans from other installations of the trojan that
    randomly selected a source address that happened to be on its subnet. As the
    number of trojans installed across the Internet grows, more spoofed packets
    will be sent out by each trojan, and more of the spoofed source addresses will
    be captured by other trojans.
    
    Each time a reply to a trojan's scan is seen, indicating an open port has been
    found, it is written to a file and saved. Once a day, the trojan then writes
    the list of open ports it recorded while sniffing to a file and delivers that
    file to a predefined IP address.
    
    In addition, a specially crafted packet can be sent to the subnet the trojan
    is listening on which contains, in its sequence number, the IP address the
    trojan should deliver the open port list to daily.
    
    Finally, the trojan contains a feature whereby, if it fails to connect to the
    IP address it is supposed to deliver its open ports list to, it will
    automatically attempt to remove itself from the system.
    
    The trojan we have identified is a file named 'a' that resides at /tmp/.../a
    on the filesystem. Its packet collection activity monitors for any packet
    with a window size of 55808 and records all packets matching that window
    size. The packet capture is written to its current directory (/tmp/.../
    typically) in a file named 'r'.
    
    There is a default IP address of 12.108.65.76 to which the trojan attempts to
    make a standard (not spoofed) connection on TCP port 22 and deliver the packet
    capture after it has been running for 24 hours. This address appears to have
    been chosen at random, as it is not an active system on the Internet, and it
    can be changed dynamically by a packet sent to the trojan.
    
    If a packet is captured that contains a window size of 55808 and a TCP option
    window scale of 2, the trojan will take the sequence number of the packet that
    was received and change the IP address to which it delivers the packet
    captures on a daily basis to the address encoded in that sequence number.
    
    Network administrators can, over the course of a day, identify the location of
    this trojan on their network by delivering a packet of the form described
    above pointing towards their own port 22 server. So long as no further packets
    redirecting the trojan again are discovered (if they are, another packet could
    be delivered to overwrite it, or, better, these specially crafted packets
    should be filtered by a firewall), within 24 hours the trojan should attempt
    to connect to your server.
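The two packet properties the advisory describes, the 55808 window that marks the scan traffic and the window-scale-2 option that turns a packet into a redirect carrying a dotted-quad in its sequence number, are easy to check from the raw TCP header. The following is an added example written for this page, not code from Intrusec or from the trojan: it parses a TCP segment, flags the 55808 window, and decodes the redirect target so that a sensor or firewall rule can log or drop such packets before they reach a listening host. The `build_test_segment` helper only constructs in-memory sample segments for exercising the classifier; the port numbers and the 192.168.1.5 address are constructed values.

```python
import socket
import struct

# Values from the advisory: the scan traffic marker and the redirect trigger.
TROJAN_WINDOW = 55808
REDIRECT_WSCALE = 2
TCPOPT_WSCALE = 3  # TCP option kind 3 = window scale (RFC 1323)


def parse_tcp_options(opts: bytes) -> dict:
    """Walk the TCP options area and return {kind: option data}."""
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of option list
            break
        if kind == 1:  # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break  # kind byte with no length byte: malformed, stop parsing
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break  # bad length field: treat the remainder as malformed
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def classify_tcp_segment(segment: bytes) -> dict:
    """Classify one raw TCP segment (header plus options; payload optional).

    Returns a dict with:
      window      - the advertised window size
      is_55808    - True when the window matches the trojan's scan traffic
      redirect_to - dotted-quad decoded from the sequence number when the
                    segment also carries window scale 2 (the packet form that
                    changes the trojan's daily delivery address), else None
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (_sport, _dport, seq, _ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    options = parse_tcp_options(segment[20:data_offset])
    result = {"window": window, "is_55808": window == TROJAN_WINDOW, "redirect_to": None}
    if result["is_55808"] and options.get(TCPOPT_WSCALE) == bytes([REDIRECT_WSCALE]):
        result["redirect_to"] = socket.inet_ntoa(struct.pack("!I", seq))
    return result


def summarize(segments) -> dict:
    """Run the classifier over a batch of segments, e.g. from a sniffer feed."""
    scan_count = 0
    redirects = []
    for seg in segments:
        info = classify_tcp_segment(seg)
        if info["is_55808"]:
            scan_count += 1
        if info["redirect_to"] is not None:
            redirects.append(info["redirect_to"])
    return {"scan_segments": scan_count, "redirect_targets": redirects}


def ip_to_seq(dotted: str) -> int:
    """Encode a dotted-quad as the 32-bit value the trojan reads from the sequence number."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def build_test_segment(seq: int, window: int, wscale=None) -> bytes:
    """Constructed sample SYN segment for exercising the classifier (not captured traffic)."""
    options = b""
    if wscale is not None:
        # kind 3, length 3, shift count, then one NOP to pad to a 4-byte boundary
        options = bytes([TCPOPT_WSCALE, 3, wscale, 1])
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 80, seq, 0,
                         (data_offset_words << 12) | 0x02, window, 0, 0)
    return header + options


if __name__ == "__main__":
    samples = [
        build_test_segment(ip_to_seq("192.168.1.5"), TROJAN_WINDOW, wscale=REDIRECT_WSCALE),
        build_test_segment(12345, TROJAN_WINDOW),                   # plain scan traffic
        build_test_segment(12345, 65535, wscale=REDIRECT_WSCALE),   # normal window, ignored
    ]
    print(summarize(samples))
```

A redirect is only reported when both conditions hold, matching the advisory's description; a window-scale-2 option on an ordinary window, or a 55808 window without the option, is not treated as a redirect.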
    
    While a novel concept, this trojan seems largely to have been written as a
    proof of concept relative to the ideas Lancope described as a '3rd generation
    trojan.' Other than generating large amounts of network traffic, it contains
    no self-replicating or malicious behavior, and a few high-speed port scans
    from compromised hosts would be a far more effective and efficient means to
    map open ports on the Internet than this type of trojan.
    
    We have only observed the trojan on Linux systems to date. However, the
    program itself is quite portable to other unix variants, so it is possible if
    not likely that it may also exist on other unix distributions. It is also
    possible that the 'original' trojan is Windows-based.
    
    The trojan appears to be installed on a system either manually, or through an
    external exploit that is unrelated to the trojan itself. There is no exploit
    code or means to install itself on a host built into the trojan itself.
    
    
    It is easy to identify that a system on your network has been infected with
    this or a related trojan due to the extremely noisy network activity it
    generates: TCP packets with a window size of 55808. However, other legitimate
    services may intentionally or incidentally also send packets with this same
    window size, so do not rely solely upon the presence of such a packet as
    guaranteeing the existence of such a trojan.
    
    Claims by security vendors that identifying massive quantities of port
    scanning originating from their network is a unique feature of their software
    should be taken with a grain of salt. Because of its spoofing activities, it is
    more difficult to identify the specific system on your network that has been
    infected with this trojan, other than by its daily non-spoofed connection to
    remote port 22. Tools that can assist you in locating the actual physical
    source of these spoofed packets (by looking at MAC addresses and ARPs) may be
    quite useful. There is apt to be a great deal of discussion of the general
    techniques that can be used to locate it; a good starting resource for this is
    "Tracking Down the Phantom Host" by John Payton, available at
    http://www.securityfocus.com/infocus/1705.
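Because the trojan spoofs the IP source of every scan, the IP header alone will not point at the infected host, but the Ethernet source address on the local segment will: one MAC emitting window-55808 SYNs from many unrelated source IPs is the spoofing host. The following is an added example written for this page, not a tool from Intrusec or from the Phantom Host article: it parses `tcpdump -e -n` style lines and groups 55808-window frames by source MAC. The sample lines are constructed; the MAC addresses, IPs and ports are made up for the example. The threshold on distinct source IPs exists because, as the advisory notes, a legitimate host may send the 55808 window from its own address, and such a host is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n` output (one frame per line).
# Not traffic from an actual infection. Host ...:44:77 spoofs four different
# source IPs; host ...:44:03 legitimately uses a 55808 window from its own address.
SAMPLE_LINES = """\
12:00:01.000000 00:11:22:33:44:01 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.5.51000 > 198.51.100.8.80: Flags [S], seq 10, win 5840, length 0
12:00:01.100000 00:11:22:33:44:77 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 203.0.113.4.4321 > 198.51.100.9.22: Flags [S], seq 11, win 55808, length 0
12:00:01.200000 00:11:22:33:44:77 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 198.51.100.17.4322 > 192.0.2.55.143: Flags [S], seq 12, win 55808, length 0
12:00:01.300000 00:11:22:33:44:03 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 10.0.0.30.40000 > 198.51.100.8.443: Flags [S], seq 13, win 55808, length 0
12:00:01.400000 00:11:22:33:44:77 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 192.0.2.200.4323 > 203.0.113.77.25: Flags [S], seq 14, win 55808, length 0
12:00:01.500000 00:11:22:33:44:77 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 60: 10.0.0.12.4324 > 203.0.113.78.80: Flags [S], seq 15, win 55808, length 0
"""

# Timestamp, source MAC > dest MAC, ethertype text, then "src.port > dst.port:" and the window.
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r".*?win (?P<win>\d+)"
)


def parse_frames(text: str):
    """Yield (source MAC, source IP, destination port, window) from tcpdump-style lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match (non-TCP, truncated) are skipped
            yield m["smac"], m["sip"], int(m["dport"]), int(m["win"])


def find_spoofing_sources(frames, window=55808, min_distinct_ips=3) -> dict:
    """Group frames with the given window by Ethernet source address.

    Returns {mac: sorted source IPs} for each MAC that sent the window from at
    least `min_distinct_ips` different source addresses. A single legitimate
    host using the same window from its own address stays below the threshold.
    """
    ips_by_mac = defaultdict(set)
    for mac, sip, _dport, win in frames:
        if win == window:
            ips_by_mac[mac].add(sip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) >= min_distinct_ips}


if __name__ == "__main__":
    for mac, ips in find_spoofing_sources(parse_frames(SAMPLE_LINES)).items():
        print(f"{mac} sent 55808-window SYNs from {len(ips)} source IPs: {', '.join(ips)}")
```

Once a MAC is flagged, the switch's forwarding table or an ARP lookup maps it to a port and a real address; the same MAC should also be the one making the non-spoofed port 22 delivery connection the advisory describes.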
     
    
    For Exposé Users:
    
    Users of Exposé that take advantage of its SSH authenticated differential
    signatures can detect new default installations of this trojan on their
    systems by creating a custom SSH differential signature that looks for the
    appearance of a /tmp/.../ directory on systems being monitored. See the
    Exposé help for more information on using SSH authentication.
    
    From the main user interface, select 'Configure App Layer Differentials'
    from the Tools menu, click 'Add' under the checks box, and then enter a new
    check with the following settings:
    
              Name: 55808 Trojan
          Priority: High
              Type: SSH, Simple
    Challenge Text: echo check;ls /tmp/.../
        Port Range: 22
    
    If that directory appears on the filesystem of any of the hosts being
    monitored by Exposé with SSH authentication configured, an alert will be
    created.
    
    Note this is only useful for default installations of the trojan.
    
    
    Additional Links:
    
    http://www.securityfocus.com/archive/75
    http://www.eweek.com/article2/0,3959,1130759,00.asp
    http://gcn.com/vol1_no1/daily-updates/22371-1.html
    http://www.lancope.com/news/Virus_Alert_Trojan.htm
     
    
    About Intrusec:
    
    The best way to prevent intrusions is to find and eliminate vulnerabilities
    before they can be exploited. Intrusec has been built on the belief that
    continuous network change detection is a core technology that will assist
    administrators in managing the security of their networks and should be a
    part of any comprehensive security framework. Utilizing Intrusec's product,
    along with those from other commercial and free sources, can assist in
    limiting the breadth and time your network may be exposed to the type of
    vulnerabilities being exploited to install malicious software such as the
    55808 Trojan.
    
    Intrusec, Inc. was founded in January 2002 to build a new kind of security
    software that provides continuous detection of changes occurring on a
    network. Intrusec's first product, Exposé, brings this technology vision to
    fruition. Using Intrusec's unique Differential Detection Technology, Exposé
    can detect changes on a network at all of the IP, application, and web
    services layers of today's modern networks and works with existing
    vulnerability assessment products to help administrators identify specific
    vulnerabilities. Exposé is currently in beta testing and is available for
    download now.
    
    This document is not to be edited or altered in any way without the express
    written consent of Intrusec, Inc. You may provide links to this document
    from your web site, and you may make copies of this document in accordance
    with the fair use doctrine of the U.S. copyright laws.
    
    Use of this information constitutes acceptance for use in an as is
    condition. There are no warranties, implied or otherwise, with regard to this
    information or its use. Any use of this information is at the user's risk. In
    no event shall Intrusec be held liable for any damages arising in connection
    with the use of this information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.2 (MingW32)
    
    iD8DBQE+8hwVZ+G9DfVcBDsRAr0lAJ9mXL0+B45WQNrbDuVeFYI7a94h4gCfdYUk
    zCh609i/6uRrJ70+GlInnuk=
    =NdlI
    -----END PGP SIGNATURE-----
    
    
    



    This archive was generated by hypermail 2b30 : Sat Jun 21 2003 - 11:50:02 PDT