First, understand that the basic concept of this distributed trojan seems to be to collect a bunch of data (in this instance packet captures) and then periodically upload the captures to a known IP address. The basic idea of this "change of address" command that is not fully implemented is that a hacker, knowing the location of the trojans running on the Internet, could deliver a spoofed packet anywhere on the subnet the trojan is listening on, and by doing so could change the trojan to deliver its packet captures to a different server on the internet. Since the delivered packet looks mostly like all the other spoofed 55808 packets flying across the internet, the "change address" command is unlikely to attract much attention. Since it can be delivered anywhere on the subnet the trojan is listening promiscuously on, it is difficult to figure out where the trojan is actually located even upon capturing this command.

On further review, this implementation is fairly ridiculous. Why go through all the trouble of all this promiscuous mode sniffing and scanning to completely avoid the ability of anyone to detect the existence of the trojan, and then try to make a plain TCP connection, revealing the existence and location of all the trojans to anyone looking for that traffic? An early unfinished version? Poor code? Amateur work? A joke? A proof of concept? Who knows... One could imagine future trojans that used these concepts in more viable and useful manners, but I will leave it to others to speculate on how to write a better trojan as I'm more interested in how to stop them.

Hope that answers your question.

-Dave

-------------------
David J. Meltzer
djmat_private
CTO, Intrusec, Inc.
-----Original Message-----
From: gwhy555at_private [mailto:gwhy555at_private]
Sent: Sunday, June 22, 2003 2:30 AM
To: incidentsat_private
Subject: Re: Intrusec 55808 Trojan Analysis
In-Reply-To: <008d01c3371a$fd5417d0$be01a8c0@ian>

Say, could you explain a little further on the paragraph that reads:

"The trojan appears to contain some functionality to change the IP address it delivers its packet captures to, but this functionality is not operational in the trojan we have obtained. It appears the stubbed out code, if activated, would function as follows: If a packet is captured that contains a window size of 55808 and a TCP option window scale of 2, the trojan modifies the IP address packet captures are delivered to based on the sequence number of that packet."

Specifically, what effect would this have if it were to be made operational? I'm not really a TCP pro, but I am interested in what this thing might look like in the near future.

Much appreciated.

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------
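The trigger condition quoted in the question (window size 55808 plus a window-scale option of 2, with the new reporting address derived from the sequence number) is something a network defender would want to spot in captured traffic. The following parser is an added example for this thread; it is not Intrusec's analysis code or the trojan's code. It assumes the 32-bit sequence number is read directly as a dotted-quad IPv4 address (the post only says the address is "based on" the sequence number), and the sample packets, their addresses and ports are constructed test fixtures.

```python
"""Flag the stubbed 55808 'change of address' trigger in raw IPv4/TCP packets.

Added example for the thread, not code from Intrusec or the trojan. The
interpretation of the sequence number as an IPv4 address is an assumption.
"""
import struct
from ipaddress import IPv4Address

TRIGGER_WINDOW = 55808   # window size used by the 55808 packets (from the thread)
TRIGGER_WSCALE = 2       # window-scale value that marks the change-address command
TCPOPT_WSCALE = 3        # TCP option kind for window scale


def parse_tcp_options(opts):
    """Return {kind: value_bytes} for a TCP options block.

    Stops at EOL, skips NOPs, and treats a malformed length as the end of the
    block instead of raising, so hostile input cannot crash the detector."""
    found = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # EOL
            break
        if kind == 1:                    # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break                        # truncated option header
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                        # malformed length
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def inspect_packet(pkt):
    """Parse a raw IPv4/TCP packet and report whether it matches the trigger.

    Returns None for non-IPv4, non-TCP or truncated input; otherwise a dict
    with endpoints, window, window scale, the trigger verdict and, on a hit,
    the address the trojan would (under our assumption) start reporting to."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(tcp) < doff:
        return None
    opts = parse_tcp_options(tcp[20:doff])
    raw_wscale = opts.get(TCPOPT_WSCALE, b"")
    wscale = raw_wscale[0] if len(raw_wscale) == 1 else None
    hit = window == TRIGGER_WINDOW and wscale == TRIGGER_WSCALE
    return {
        "src": str(src), "dst": str(dst), "sport": sport, "dport": dport,
        "window": window, "wscale": wscale, "trigger": hit,
        # assumption: the sequence number is the new IPv4 reporting address
        "new_report_addr": str(IPv4Address(seq)) if hit else None,
    }


def sample_packet(window, wscale, seq):
    """Constructed test fixture: minimal IPv4 + TCP SYN headers, no checksums,
    with a window-scale option padded by NOPs to a 4-byte boundary.
    Addresses are from the RFC 5737 documentation ranges."""
    opts = bytes([TCPOPT_WSCALE, 3, wscale]) + b"\x01" * 5      # 8 bytes
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0,
                      (7 << 12) | 0x02, window, 0, 0) + opts   # doff 7 = 28 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address("192.0.2.10").packed,
                     IPv4Address("198.51.100.7").packed)
    return ip + tcp


if __name__ == "__main__":
    # one matching packet, one ordinary 55808 packet with a different scale
    for pkt in (sample_packet(55808, 2, int(IPv4Address("203.0.113.9"))),
                sample_packet(55808, 0, 12345)):
        print(inspect_packet(pkt))
```

In a real deployment `inspect_packet` would be fed from a capture library on the same promiscuous segment the trojan listens on; a hit is worth logging with both the source and the decoded address, since the source is likely spoofed while the decoded address is where the captures would be delivered.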
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 20:40:15 PDT