Security Incidents mailing list archives
Re: Intrusec 55808 Trojan Analysis
From: Valdis.Kletnieks () vt edu
Date: Mon, 23 Jun 2003 21:20:13 -0400
On Sun, 22 Jun 2003 06:30:26 -0000, gwhy555 () yahoo com said:
"The trojan appears to contain some functionality to change the IP address it delivers its packet captures to, but this functionality is not operational in the trojan we have obtained. It appears the stubbed out code, if activated, would function as follows: If a packet is captured that contains a window size of 55808 and a TCP option window scale of 2, the trojan modifies the IP address packet captures are delivered to based on the sequence number of that packet." Specifically, what effect would this have if it were to be made operational? I'm not really a TCP pro, but I am interested in what this thing might look like in the near future.
What this means is that it can (if activated) change the "ET Phone Home" address on the fly. Let's say its current phone-home is 199.45.12.24. To change it to (say) 209.134.56.97, we just inject a packet for it to hear that has:

window == 55808
Window Scale == 2
sequence == 3515234401 ( == 209 * 256**3 + 134 * 256**2 + 56*256 + 97)

and poof, it calls the new address. So whoever owns it injects a few packets with those characteristics, destined to a few listeners. Those then start using those numbers and letting the backscatter carry the message to more listeners. After a short while, all the listeners are pointing to the new IP address. Or something like that - I've been in my office too many hours today. ;)
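The encoding described in the reply above, worked through in code. This is an added example and is not code from the thread, from the trojan, or from Intrusec's analysis: it packs an IPv4 address into a TCP sequence number exactly as the arithmetic in the reply does, builds a constructed IPv4/TCP SYN header carrying window 55808 and a window-scale option of 2, and then parses such a packet the way a listener (or an IDS rule written to spot the trigger) would, pulling the new phone-home address back out. All addresses and ports are the ones from the thread or made up for the sample; nothing is sent on the wire and checksums are left at zero.

```python
import socket
import struct

# Trigger values quoted in the thread: TCP window 55808 and window-scale shift 2.
TRIGGER_WINDOW = 55808
TRIGGER_WSCALE = 2


def ip_to_seq(ip):
    """Encode a dotted-quad IPv4 address as a 32-bit sequence number
    (big-endian, i.e. 209.134.56.97 -> 209*256**3 + 134*256**2 + 56*256 + 97)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def seq_to_ip(seq):
    """Inverse of ip_to_seq: 32-bit sequence number -> dotted quad."""
    return socket.inet_ntoa(struct.pack("!I", seq & 0xFFFFFFFF))


def build_trigger_segment(src, dst, seq, sport=1234, dport=80,
                          window=TRIGGER_WINDOW, wscale=TRIGGER_WSCALE):
    """Constructed sample: IPv4 header + TCP SYN header with a window-scale
    option.  Checksums are left zero because the bytes never leave the process."""
    opts = bytes([1, 3, 3, wscale])          # NOP, then WS option (kind 3, len 3)
    data_offset = (20 + len(opts)) // 4      # TCP header length in 32-bit words
    flags = 0x02                             # SYN (window scale is only valid on SYN)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      data_offset << 4, flags, window, 0, 0) + opts
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_tcp_options(raw):
    """Yield (kind, data) for each TCP option; skips NOP, stops at EOL or on
    a malformed length so a hostile option block cannot run the parser off the end."""
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # EOL
            return
        if kind == 1:                        # NOP
            i += 1
            continue
        if i + 1 >= len(raw):
            return                           # truncated option header
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            return                           # bogus length, stop parsing
        yield kind, raw[i + 2:i + length]
        i += length


def extract_new_phone_home(packet):
    """Return the IPv4 address carried in the sequence number if the packet
    matches the trigger (window 55808 and window scale 2), otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                          # not TCP, or truncated
    tcp = packet[ihl:]
    sport, dport, seq, ack, off_flags, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    thl = (off_flags >> 4) * 4
    if thl < 20 or len(tcp) < thl:
        return None                          # bad data offset
    if window != TRIGGER_WINDOW:
        return None
    for kind, data in parse_tcp_options(tcp[20:thl]):
        if kind == 3 and len(data) == 1 and data[0] == TRIGGER_WSCALE:
            return seq_to_ip(seq)
    return None                              # window matched but no WS=2 option


if __name__ == "__main__":
    new_home = "209.134.56.97"
    seq = ip_to_seq(new_home)
    print("sequence number for", new_home, "=", seq)
    pkt = build_trigger_segment("199.45.12.24", "10.0.0.5", seq)
    print("listener decodes:", extract_new_phone_home(pkt))
    print("non-trigger window decodes:",
          extract_new_phone_home(build_trigger_segment("199.45.12.24", "10.0.0.5", seq, window=65535)))
```

The parser is deliberately stricter than it needs to be for the happy path: the trigger is checked on the window field first, then on the option block, and the option walker refuses malformed lengths, which is the check you want in any detection code that will be fed packets an attacker controls. Note also that a window-scale option is only meaningful on a SYN, so a rule looking for this trigger can further restrict itself to SYN segments.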
Current thread:
- Intrusec 55808 Trojan Analysis David J. Meltzer (Jun 21)
- <Possible follow-ups>
- Intrusec 55808 Trojan Analysis David J. Meltzer (Jun 21)
- Re: Intrusec 55808 Trojan Analysis gwhy555 (Jun 23)
- Re: Intrusec 55808 Trojan Analysis Valdis . Kletnieks (Jun 24)
- RE: Intrusec 55808 Trojan Analysis David J. Meltzer (Jun 24)
- Re: Intrusec 55808 Trojan Analysis Peter Busser (Jun 25)
- Re: Intrusec 55808 Trojan Analysis Philippe Bourgeois (Jun 27)