Security Incidents mailing list archives

Traffic with 55808 TCP window size: news.


From: "Fabio Panigatti" <ml-panigatti () minerprint it>
Date: Thu, 26 Jun 2003 16:13:37 +0200

I went through a lot of tests in the past weeks in order to track down the suspected
hidden trojan or backdoor on my host targeted by this kind of traffic. One of
those tests was to permit outgoing traffic for some "suspect" applications by
means of a SOCKS proxy (forwarding is not enabled from this host to the rest of
the world). Since Jun 20 the suspect incoming traffic has changed target: the
new target is now the proxy IP address. No more 55808 packets destined for the old
address so far.

I'll try to provide more information in the coming days.


Fabio
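The observation above is about packets whose TCP window size field equals 55808 and about which destination address they arrive for. The following is an added example, not code from Fabio's post or from the list: a minimal IPv4/TCP header parser that flags segments with that window size and counts them per destination, so that a shift of target such as the one reported (old host address to proxy address) shows up directly. All packets and addresses in it are constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, with checksums left at zero); nothing here asserts what the traffic is or where it comes from.

```python
"""Flag raw IPv4/TCP packets whose TCP window size is 55808 and count them per destination."""
import socket
import struct
from collections import Counter

SUSPECT_WINDOW = 55808  # 0xDA00, the window size discussed in this thread


def parse_ipv4_tcp(packet: bytes):
    """Return the interesting IPv4/TCP header fields, or None if the packet is not IPv4+TCP."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:              # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4        # IP header length in bytes (options included)
    if ihl < 20 or len(packet) < ihl + 20:
        return None                    # malformed or truncated, do not guess
    if packet[9] != 6:                 # protocol field: 6 = TCP
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        "!HHIIHH", packet[ihl:ihl + 16])
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,    # low 9 bits of the offset/flags word
        "window": window,
    }


def find_suspect(packets, window=SUSPECT_WINDOW):
    """Return the parsed headers of every TCP segment whose window size equals `window`."""
    hits = []
    for raw in packets:
        fields = parse_ipv4_tcp(raw)
        if fields is not None and fields["window"] == window:
            hits.append(fields)
    return hits


def hits_by_destination(packets, window=SUSPECT_WINDOW):
    """Count suspect segments per destination address, to see which host they are aimed at."""
    return dict(Counter(h["dst"] for h in find_suspect(packets, window)))


# --- constructed sample packets (not captured traffic) ---------------------------------

def build_ipv4(src, dst, proto, payload):
    """Build a bare IPv4 header (no options, checksum left at 0) in front of `payload`."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport, dport, window, flags=0x02, seq=0):
    """Build a 20-byte TCP header (data offset 5, checksum left at 0). flags=0x02 is SYN."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, window, 0, 0)


OLD_HOST = "192.0.2.10"   # hypothetical: the originally targeted host
PROXY = "192.0.2.20"      # hypothetical: the SOCKS proxy address

SAMPLE_PACKETS = [
    # one 55808-window probe to the old host
    build_ipv4("198.51.100.7", OLD_HOST, 6, build_tcp(40000, 22, 55808)),
    # an ordinary SYN to the old host (window 65535), must not be flagged
    build_ipv4("198.51.100.7", OLD_HOST, 6, build_tcp(40001, 80, 65535)),
    # two 55808-window probes now aimed at the proxy address
    build_ipv4("203.0.113.9", PROXY, 6, build_tcp(51000, 1080, 55808)),
    build_ipv4("203.0.113.9", PROXY, 6, build_tcp(51001, 1080, 55808)),
    # a UDP datagram (protocol 17) carrying bytes that happen to look like a TCP window
    build_ipv4("203.0.113.9", PROXY, 17, struct.pack("!HHHH", 53, 53, 8, 0) + b"\xda\x00"),
]

if __name__ == "__main__":
    for dst, n in hits_by_destination(SAMPLE_PACKETS).items():
        print(f"{n} segment(s) with window {SUSPECT_WINDOW} destined for {dst}")
```

On a live interface the same check is a one-line BPF filter, `tcpdump -n 'tcp[14:2] = 55808'`, since bytes 14 and 15 of the TCP header are the window field; the parser above is for feeding previously logged raw packets through the same test offline.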

