June 17th, 2003, 09:24 PM
Ok.... I laid my trap and lo and behold I have 7 packets.... all from that IANA reserved address, all to the same, non-existent address, all with TTLs within 2 or 4 of each other, all the same size, all with the same sequence ID.... Yes, the same sequence ID over the period of an hour or so....... Bloody weird if you ask me. I'm almost tempted to plop a machine out there with that dest address and see if a conversation takes place. They have to be crafted packets though - or am I misled - I thought the sequence ID began with a random number......
Sorry to create more work for you. :-)
So, we have some bizarre Trojan out there sending these mysterious packets.
Who knows how many of the millions of home users are 0wn3d by this thing? Is this some impending Internet apocalypse waiting to happen?
I am not a packet-sniffing expert- is it possible for ISPs or companies to block these packets? Do they have a unique footprint you can block on aside from the packet size? I would think if you blocked all packets of that size you would lose some legitimate packets as well.
June 17th, 2003, 09:33 PM
I was going to ask about all this new traffic to high port numbers (our firewall has been blocking it for a week or two now) but you beat me to it. As with Tigershark, most of the traffic is coming from the same IP address.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
June 17th, 2003, 09:58 PM
While this should be true some banks are cheap and use DSL lines connecting to a VPN that runs over the internet to connect to their ATMs. BOA would be a prime example (the CIA should know better)
Originally posted here by mohaughn
This is not quite true. I have worked in telecommunications for some time and I can tell you that there are many many different networks that are separate from the internet to run ATM machines, and to run 911 phone systems. Most 911 systems are rather old actually and still working on traditional phone lines instead of tcp based phone systems. I don't think having airline ticketing systems not working is really going to change our way of life. In cases such as SQLslammer where some ATM machines were impacted, the impact was caused because there were weaknesses in the banking security systems that allowed slammer to propagate inside of the bank networks, which in some cases caused the SQL servers serving up the ATMs to have extreme delays.
So while there are some cases of being able to find links between the internet and infrastructure networks, they are not the same network.
June 17th, 2003, 10:12 PM
I know where you are coming from and I agree that this represents a good portion of the home user market.
You gotta have a friend somewhere that is really bright, knows their business inside out but reaches the limit of their computer knowledge about 3 seconds after the login screen has disappeared...... 'cos I do...... If I say hello to them on the phone their eyes glaze....<LOL>.... Mention a firewall and if they are in the auto business they wanna know how the fire protection for the engine compartment of their car is going to prevent viruses....... This stuff is just voodoo to them, sadly enough, and they really have no intention of ever delving deeper than knowing how to reply to Uncle Jeb's dirty joke emails......<s>
However, I reach the limit of my automobile knowledge as soon as I start the car and turn on the radio. If you start talking about cylinders, transmissions and other car stuff- my eyes glaze over. That does not excuse me from knowing how to operate the vehicle safely and I still must know and agree to abide by the mandated safety regulations when I drive.
Ignorance does not make it right. If you want to be ignorant of the safety precautions of the road they will take away your license to drive or throw you in jail. If the general public wants to remain ignorant of the safety precautions necessary to use the Internet they should have their privileges revoked.
I agree we're a long way off from any such rules and regulations and one of the first concerns would be who gets to draw the lines and who gets to penalize the rule-breakers. But, I don't think it's impossible to enact such rules.
June 18th, 2003, 01:43 AM
CXG: Wanna share the ip address? Mine starts 101.149...... sPort 26888....dPort 58333. I get others too, (a few, like incidental, but really they appear not to be....) I just looked at the logs..... different ip....not even close..... sPort 1025/same.as.above.... DPort 58533.... Sorry.... I see a pattern forming on my stuff.... Do you see one on yours? I need to isolate all of them but I don't have their packet dumps..... I'll look in the morning to see what the Seq num is and post it here.... If they are all showing the same info and yours are too then something is up and it isn't _that well_ hidden right now.....
Odder than hell if you are seeing the same..... I fear patterns.... They imply things I might not understand...<s>
Tony: I'm not ignoring you...... I just hit that little fascination level of mine that says "wow, but it's late and I have to go to bed so I can function effectively in the am"..... Old age is a right B@$tard.....
that sequence number is 2299977341 and it is _always_ the same regardless of the source IP.... It has to be crafted.... I am getting some packets from machines that resolve - 1 from OZ springs to mind.... I might send a syn packet to it and sniff any response...... But then again I might not.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
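The post above reasons that a TCP sequence number which never changes across different source IPs cannot come from a real stack (which picks a fresh pseudo-random ISN per connection) and so the packets must be crafted. The following is an added example, not code from the thread, that applies that check to constructed firewall-style log lines; the log format, the documentation-range addresses and the helper names are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample records (not real captures). Fields mirror what the thread
# quotes: source/destination IP and port, TCP sequence number, TTL. The first four
# lines reuse the fixed sequence number reported in the thread; the last two are
# ordinary connections with distinct, random-looking ISNs.
SAMPLE_LOG = """\
2003-06-17 20:11:03 TCP 203.0.113.7:26888 -> 192.0.2.9:55808 seq=2299977341 ttl=113
2003-06-17 20:24:51 TCP 203.0.113.7:26888 -> 192.0.2.9:55808 seq=2299977341 ttl=111
2003-06-17 20:40:18 TCP 198.51.100.77:1025 -> 192.0.2.9:55808 seq=2299977341 ttl=115
2003-06-17 20:41:02 TCP 198.51.100.5:3312 -> 192.0.2.9:55808 seq=2299977341 ttl=112
2003-06-17 20:45:30 TCP 198.51.100.8:45021 -> 192.0.2.9:443 seq=1830224117 ttl=54
2003-06-17 20:46:10 TCP 198.51.100.8:45022 -> 192.0.2.9:443 seq=2040911587 ttl=54
"""

LINE_RE = re.compile(
    r"TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"seq=(?P<seq>\d+) ttl=(?P<ttl>\d+)"
)


def parse(log_text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "seq", "ttl"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def repeated_isn(records, min_sources=2):
    """Map each sequence number seen from >= min_sources distinct source IPs
    to the sorted list of those sources. Unrelated hosts sharing one ISN is a
    strong sign of a packet generator rather than real TCP stacks."""
    sources_by_seq = defaultdict(set)
    for rec in records:
        sources_by_seq[rec["seq"]].add(rec["src"])
    return {seq: sorted(srcs) for seq, srcs in sources_by_seq.items()
            if len(srcs) >= min_sources}


def ttl_spread(records, seq):
    """Max minus min TTL among packets carrying one sequence number; a small
    spread across many 'sources' suggests they share a real origin."""
    ttls = [rec["ttl"] for rec in records if rec["seq"] == seq]
    return max(ttls) - min(ttls) if ttls else None
```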
June 20th, 2003, 12:39 PM
ISS found the culprit. Read about it here
Experience is something you don't get until just after you need it.
June 20th, 2003, 12:44 PM
Very interesting little program. It should be interesting to see how long it takes someone to turn it into a worm.
Thanks for the heads up SirDice.
June 20th, 2003, 01:30 PM
Experience is something you don't get until just after you need it.
June 21st, 2003, 01:43 AM
Interestingly, their analysis still leaves a lot of questions. This excerpt is from Intrusec who published the first TCP 55808 analysis:
The information we've been able to gather leads us to believe that the trojan we have captured is not the original source of the 55808 traffic that has been seen, but is rather a "copycat", created to mimic the behavior of another trojan or worm. The behavior of this copycat appears to be based on press releases, news articles, and mailing lists that described its hypothetical behavior and known output. Nonetheless, this copycat trojan appears to be actively deployed on systems across the Internet and is something security professionals should be aware of.
This insight and having read all of the articles SirDice posted here plus some other summaries and analyses led me to the following questions:
You can read my article here: Researchers "Stumble" Onto Mystery Trojan
If the code that was captured is indeed copycat code, where is the original? Are there other variants that can propagate and infect other systems? Are there versions in existence for operating systems other than Linux? Are there versions of this Trojan which have destructive capability or payloads built in already?
Any thoughts from anyone? Reminds me of the movie Jaws when they caught a shark but not the shark. Is the real shark still out there? If this is just copycat code- maybe the real problem is still out there and maybe it does propagate and contain malicious code and maybe the IP address changing packet does work.
Not to be a doomsayer, but it seems ominous.
June 22nd, 2003, 01:14 AM
a story about a worm
Any kind of worm really freaks me out. I don't have as much expertise as you two seem to have, but I could get behind a theory like that. At school I'm on a T-1 line in the dorm and we share lots of stuff and play games like Half-life:Counterstrike all the time. When I hooked into the network I already had Norton Firewall installed and when people started playing Counterstrike (which I got into later) the firewall came up saying that I was being port-scanned. (it would *only* say this while people were playing Counterstrike on the network) Naturally, not having experienced anything like this before, I became paranoid. The system administrator said that it was just my computer having a strange reaction to hooking into the network......I think he's a moron but ok, I went along with it and I downloaded the game onto my computer from one of my friends over the network and started playing with my friends and I stopped getting the warnings from the Firewall. The next day I updated the anti-virus and scanned it and it found a trojan/worm/whatever-the-hell it was and quarantined it. I then went *back* to the system administrator and spoke to him about it and he said he'd "look into it". Meanwhile I realized it was probably attached to the game so I checked some of the other guys' computers with some free anti-trojan scanner I found online. I found it on all of the computers of the people who let me do the scan. The point to this whole *book* I've written you is that I was the *only* person with a firewall and the only person whose anti-virus was up to date. The trojan spread like wildfire because the game was so popular at my school and *nobody* had any protection against it and our system administrator couldn't care less about the infection. k, I'm done and I know this isn't about the particular worm you're talking about but you can see how easily a worm/trojan can spread and how little resistance it encounters. Thanks for reading