
Thread: New Breed of Trojan

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    New Breed of Trojan

    There is an article in eWeek (read article) discussing information about a new Trojan quietly infiltrating machines across the Internet, possibly as sleepers for some massive impending attack.

    Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack.
    However, experts have been unable to pin down many of the details of the program's behavior and are unsure how many machines might be compromised by the Trojan.

    The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size.

    Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on.
    Read the article for more information. You may want to set up an IDS rule or something to scan for packets of that size or be extra cautious about unauthorized ports being opened for no apparent reason.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony: This has got to be aimed at the cable/DSL "market" rather than corporate networks. I say that because if the trojan is listening for a TCP SYN scan then there are only a few possibilities, (public machines), on corporate networks, but the cable etc. networks would be wide open for this kind of behaviour. Yeah, there will be corporate networks that are unfirewalled, but those would have to be considered bonuses to the attackers, (and dumb admins running the networks).

    Now if you get a few thousand of these machines all scanning the entire internet in 24 hours that's going to be quite a DoS.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Agreed- it is a target rich environment!!

    There are over 17 million broadband Internet subscribers (Leichtman Research Group) in the United States alone right now, and growing. That number was at the end of 2002.

    If even 10% of those are not properly secured (and you and I both know it's more like 95%) that would mean almost 2 million computers could get infected with something like this.

    I just wrote an article- False Sense of Security - talking about the potential for requiring some sort of test to be allowed to use the Internet.

    The national highway system has to be shared by all so there are rules and regulations that must be followed. There are certain safety precautions that are dictated and policed- speed limits, wearing seatbelts, having brakes on cars- so that everyone can use the highway together in peace without too much destruction. To use the highway you must pass a test and obtain a license from your state government.

    The information highway (Internet) is not that different. The same Internet that newbie AOL users connect to is the one used to provide critical infrastructure and operates systems like 911 emergency systems, airline ticketing systems, ATM banking systems, etc. Having a rogue user leave their system unsecured and propagate a threat that cripples the Internet that provides the backbone for business and critical infrastructure is no better or worse than someone going 100mph down the highway with no brakes.

  4. #4
    AO Veteran NeuTron's Avatar
    Join Date
    Apr 2003
    Posts
    550
    This is slightly alarming. I bet it is going to be a wake up call for those who overlook security for convenience. I am curious though as to how it is installing the server aspect of the trojan. The SYN probe is effective, but what is actually performing the install? The article failed to mention anything about it, probably because they don't know yet.

  5. #5
    Junior Member
    Join Date
    May 2003
    Posts
    8
    At least there is a little protection with newbie AOL users using dialup, in the fact that they have to go through a proxy. But the newbies who buy a computer and then cable or DSL are an accident waiting to happen. Hmmmm... Good idea for a business there, but I do not know how many takers you would have. Contact ISPs and persuade them somehow to let you do a scan of their users. Keep the open ports confidential, but send the user a message that they have exploitable ports and to please put up a firewall and virus scanner!!! Hey, just an idea....
    Chester

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony: Great intentions.... <s> but the problem is that we have a speed cop watching the roads.... These people are doing it in the privacy of their own homes...... Can't dictate anything there..... It's just like a phone...... Do you think the ISPs would require you to take a test and then play speedcop? No way in hell. First it would intimidate so many new users that the new user pool would shrink to zero, and then the cost of policing would have to be eaten by someone...... Guess who that would be???? Yippers..... You and me Baby!!!!! So now my already expensive cable will be $100/month. How many do you think will say "bugger that" and go back to AOL....(yuck yuck spit..... ). Ok you say..... Let the government play police like they do on the roads..... Taxes go up, (and no politician really wants to be held responsible for a new tax), which is exactly the same as putting my cable bill up, and with the gubmint in charge you can guarantee that the internet would almost cease to exist as we know it.

    Neutron: It could be a simple worm targeting the systems that will, (most likely), still be available when it comes time to bring us to our digital knees.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    Agreed.

    I am not necessarily saying I support such action. I am merely pointing out the similarities to the highway system and the responsibility of those who use it to exercise certain basic precautions for the greater good.

    I am sure there was backlash and resistance when they implemented speed limits, seatbelt laws, 3rd brake lights, etc. Over time these things were done because it was in the best interest of the community sharing the roads.

    I am just playing devil's advocate and suggesting that due to the similarities it would not be that far-fetched to think of the government doing something like that. Of course, the highway system is national and the Internet is global so you have some jurisdiction issues too.

    Bottom line- the home market needs to be better educated about security and take their responsibility in that regard more seriously.

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony: Yeah.... I see where you are coming from but "educate the users"..... I want a pint of whatever you're drinking man...... ...... You gotta have a friend somewhere that is really bright, knows their business inside out but reaches the limit of their computer knowledge about 3 seconds after the login screen has disappeared...... 'cos I do...... If I say hello to them on the phone their eyes glaze....<LOL>.... Mention a firewall and if they are in the auto business they wanna know how the fire protection for the engine compartment of their car is going to prevent viruses....... This stuff is just voodoo to them, sadly enough, and they really have no intention of ever delving deeper than knowing how to reply to Uncle Jeb's dirty joke emails......<s>

    I think, in reality, it's those people who put the internet together and those who now manage and run the ensuing infrastructure's systems that need to be the "frontline troops" when something like this goes down. And to be honest, if a big strike does come I have no problem with telling all ISPs to close their home users' networks down, (basically just block Internet access to all subscribers), until the offending machines are identified. That will solve 99% of all the problems in a few hours.... The rest will be easy for us "professionals".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    Originally posted here by tonybradley
    Agreed- it is a target rich environment!!

    The information highway (Internet) is not that different. The same Internet that newbie AOL users connect to is the one used to provide critical infrastructure and operates systems like 911 emergency systems, airline ticketing systems, ATM banking systems, etc. Having a rogue user leave their system unsecured and propagate a threat that cripples the Internet that provides the backbone for business and critical infrastructure is no better or worse than someone going 100mph down the highway with no brakes.
    This is not quite true. I have worked in telecommunications for some time and I can tell you that there are many, many different networks that are separate from the internet to run ATM machines, and to run 911 phone systems. Most 911 systems are rather old actually and still working on traditional phone lines instead of TCP based phone systems. I don't think having airline ticketing systems not working is really going to change our way of life. In cases such as SQLslammer where some ATM machines were impacted, the impact was caused because there were weaknesses in the banking security systems that allowed Slammer to propagate inside of the bank networks, which in some cases caused the SQL servers serving up the ATMs to have extreme delays.

    So while there are some cases of being able to find links between the internet and infrastructure networks, they are not the same network.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tony, Tony, Tony...... Why did you have to bring this up?????? I was happy in my little world, minding my own business with only the slightest recollection of stories of a massive attack being perpetrated as we slumber by thousands of Trojans that were being surreptitiously planted as we sleep.........

    So, off i go writing a snort rule to see if I can capture traffic of this sort:-

    alert tcp any any -> any any (msg:"Unknown Worm Scan"; flags:S; window:55808; classtype:bad-unknown; sid:1000001; rev:1;)

    Off I go home and slumber as it watches.... I come in this morning and there are alerts.... Well... I expected falses so I don't really see it as a problem until I look a bit harder....<sigh>

    Out of 50 ongoing alerts only 2 come from different machines. 48 are from the same machine, (apparently).... The odd thing is _all_ the connection attempts are to the same IP. What is odder still is that the particular IP they are aiming at does not exist on my network any more but the routes to it partially exist, (it was a temporary external access for a vendor to reach a sister organization's machine). But the plot thickens.... The IP that the single SYN packet is coming from is from an address in an IANA reserved block that will not resolve, ping or tracert. I am running Ethereal right now to capture a number of these packets to see what they are and if they are consistent.

    Thanks for the additional work..... I was getting bored...... ;)

    [EDIT]

    Ok.... I laid my trap and lo and behold I have 7 packets.... all from that IANA reserved address, all to the same, non-existent address, all with TTLs within 2 or 4 of each other, all the same size, all with the same sequence ID.... Yes, the same sequence ID over the period of an hour or so....... Bloody weird if you ask me. I'm almost tempted to plop a machine out there with that dest address and see if a conversation takes place. They have to be crafted packets though - or am I misled - I thought the sequence ID began with a random number......

    [/EDIT]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
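    The detection and triage discussed in this thread, as an added example that is not part of any of the posts above: post #1 suggests an IDS rule for the probe (a TCP SYN whose window size is 55808), and post #10 then reads through the resulting alerts by hand (how many distinct sources, all aimed at one destination, the same sequence number on every packet, a source address in an IANA reserved block). The Python below does both against raw IPv4/TCP bytes. Everything in it is assumed for the example: the `parse_ipv4_tcp`, `is_probe`, `triage` and `build_syn` names are mine, the sample packets are constructed (zero checksums, not a real capture), and `is_probe` approximates Snort's `flags:S` by ignoring the ECE/CWR bits.

```python
"""
Added example (not from the thread): a detector for the probe described in
post #1 (a TCP SYN with window size 55808) plus the alert triage that post #10
did by hand: how many sources, how many destinations, whether one source keeps
reusing the same sequence number, and whether a source sits in reserved
(IANA / bogon) address space. All packets below are constructed inline.
"""
import ipaddress
import struct
from collections import Counter, defaultdict

PROBE_WINDOW = 55808          # the window size the article singles out
TCP_SYN = 0x02
TCP_FLAG_MASK = 0x3F          # FIN,SYN,RST,PSH,ACK,URG (ECE/CWR/NS ignored)


def parse_ipv4_tcp(pkt: bytes):
    """Pull the IPv4/TCP header fields we need out of raw bytes.

    Returns None for anything that is not an IPv4 packet carrying TCP.
    TCP options and payload are ignored; checksums are not verified.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:       # IP protocol 6 == TCP
        return None
    sport, dport, seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "sport": sport, "dport": dport, "seq": seq,
        "flags": off_flags & 0x01FF, "window": window,
        "ttl": pkt[8], "len": len(pkt),
    }


def is_probe(fields) -> bool:
    """Same test as the Snort rule in post #10: flags exactly SYN, window 55808."""
    return ((fields["flags"] & TCP_FLAG_MASK) == TCP_SYN
            and fields["window"] == PROBE_WINDOW)


def triage(packets):
    """Summarise the matches the way post #10 eyeballed its alerts."""
    hits = [f for f in map(parse_ipv4_tcp, packets) if f and is_probe(f)]
    by_src = Counter(h["src"] for h in hits)
    by_dst = Counter(h["dst"] for h in hits)
    seqs_by_src = defaultdict(set)
    for h in hits:
        seqs_by_src[h["src"]].add(h["seq"])
    # A real TCP stack picks a fresh initial sequence number per connection;
    # many probes from one source that all carry the same one are crafted.
    repeated_seq = sorted(s for s, v in seqs_by_src.items()
                          if by_src[s] > 1 and len(v) == 1)
    # Sources that cannot legitimately appear on the public Internet
    # (private, documentation, 240/4 reserved, and similar blocks).
    reserved_src = sorted(s for s in by_src
                          if not ipaddress.IPv4Address(s).is_global)
    return {"hits": len(hits), "by_src": dict(by_src), "by_dst": dict(by_dst),
            "repeated_seq": repeated_seq, "reserved_src": reserved_src}


def build_syn(src, dst, seq, *, window=PROBE_WINDOW, ttl=64, flags=TCP_SYN,
              sport=40000, dport=80):
    """Build a minimal 40-byte IPv4+TCP packet (zero checksums; test data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed sample: five crafted probes from a reserved (240/4) source, all
# aimed at one host with the same sequence number and near-identical TTLs;
# one probe from an ordinary public source; two packets that must not match.
SAMPLE_PACKETS = [
    *[build_syn("240.10.10.10", "198.51.100.20", 0x1234_5678, ttl=t, sport=p)
      for t, p in ((112, 1025), (113, 1026), (114, 1027), (112, 1028), (113, 1029))],
    build_syn("11.22.33.44", "198.51.100.7", 0x0BAD_CAFE, ttl=50),
    build_syn("11.22.33.45", "198.51.100.7", 0x0000_0099, window=65535),          # normal SYN
    build_syn("198.51.100.7", "11.22.33.44", 0x0000_0001, flags=TCP_SYN | 0x10),  # SYN-ACK
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

    Feeding real captures in would mean reading frames from a pcap and stripping the link-layer header before calling `parse_ipv4_tcp`; the triage step is where the signal is, since a single-flag, single-window match on its own is exactly the kind of rule that produces the false positives post #10 expected.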
