On Sun, 22 Jun 2003 06:30:26 -0000, gwhy555at_private said: > "The trojan appears to contain some functionality to change the IP > address it delivers its packet captures to, but this functionality is > not operational in the trojan we have obtained. It appears the stubbed > out code, if activated, would function as follows: If a packet is > captured that contains a window size of 55808 and a TCP option window > scale of 2, the trojan modifies the IP address packet captures are > delivered to based on the sequence number of that packet." > > Specifically what effect would this have if it were to be made > operational. I'm not really a tcp pro but I am interested in what this > thing might look like in the near future. What this means is that it can (if activated) change the "ET Phone Home" address on the fly. Let's say it's current phone-home is 199.45.12.24. To change it to (say) 209.134.56.97, we just inject a packet for it to hear that has: window == 55808 Window Scale == 2 sequence == 3515234401 ( == 209 * 256**3 + 134 * 256**2 + 56*256 + 97). and poof, it calls the new address. So whoever owns it injects a few packets with those characteristics, destined to a few listeners. Those then start using those numbers and letting the backscatter carry the message to more listeners. After a short while, all the listeners are pointing to the new IP address. Or something like that - I've been in my office too many hours today. ;)
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 20:32:55 PDT