June 16th, 2003, 04:30 PM
New Breed of Trojan
There is an article in eWeek (read article) discussing information about a new Trojan quietly infiltrating machines across the Internet, possibly as sleepers for some massive impending attack.
Read the article for more information. You may want to set up an IDS rule or something to scan for packets of that size or be extra cautious about unauthorized ports being opened for no apparent reason.
Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack.
However, experts have been unable to pin down many of the details of the program's behavior and are unsure how many machines might be compromised by the Trojan.
The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size.
Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on.
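The check the post suggests, as an added example that is not from the original post or the eWeek article: it parses raw IPv4 packets, flags TCP SYN probes whose window is 55808, and groups them by source to surface hosts probing several addresses. The function names, the `min_targets` threshold and the sample packets (documentation address ranges) are assumptions constructed for illustration. A window of 55808 can also occur in legitimate traffic, so hits are leads to investigate.

```python
import socket
import struct
from collections import defaultdict

PROBE_WINDOW = 55808  # TCP window size reported in the article

def parse_syn_probe(packet: bytes):
    """Return (src, dst, dport) for an IPv4 TCP SYN with window 55808, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                                   # not TCP, or truncated
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:  # later fragment: no TCP header
        return None
    _sport, dport, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", packet[ihl:ihl + 16])
    if off_flags & 0x12 != 0x02 or window != PROBE_WINDOW:  # SYN set, ACK clear
        return None
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), dport

def scanning_sources(packets, min_targets=2):
    """Map each source to its count of distinct probed destinations."""
    targets = defaultdict(set)
    for pkt in packets:
        hit = parse_syn_probe(pkt)
        if hit:
            targets[hit[0]].add(hit[1])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

def build_packet(src, dst, dport, flags, window, proto=6):
    """Build a constructed IPv4+TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

# Constructed sample traffic, not captured from a real network.
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.1", 80, 0x02, 55808),    # probe
    build_packet("192.0.2.10", "198.51.100.7", 22, 0x02, 55808),    # probe, new target
    build_packet("192.0.2.20", "198.51.100.1", 80, 0x02, 65535),    # ordinary SYN
    build_packet("198.51.100.1", "192.0.2.10", 40000, 0x12, 55808), # SYN-ACK, ignored
    build_packet("192.0.2.30", "198.51.100.9", 53, 0x02, 55808, proto=17),  # not TCP
]

if __name__ == "__main__":
    for src, count in scanning_sources(SAMPLE).items():
        print(f"{src} sent window-{PROBE_WINDOW} SYNs to {count} hosts")
```

The equivalent capture filter for tcpdump is `tcp[13] & 0x12 = 0x02 and tcp[14:2] = 55808`.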