Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Trojan Picks Up Steam, Baffles Experts

From: InfoSec News <isn () c4i org>
Date: Thu, 19 Jun 2003 05:05:13 -0500 (CDT)
http://www.eweek.com/article2/0,3959,1130754,00.asp

By Dennis Fisher
June 18, 2003 

A new Trojan that has been making its way around the Internet in 
recent weeks continues to baffle security experts, who have been 
unable to get a good handle on its behavior. 

The Trojan apparently made its first appearance around May 16 and 
began randomly scanning Internet-connected machines. The scanning was 
slow at first but has begun to pick up speed in recent days as more 
machines have become infected. Researchers at Internet Security 
Systems Inc. in Atlanta have been seeing nearly 3,000 scans an hour on 
Tuesday across the entire address space that the company monitors. 

The Trojan scans random ports on random machines, each time sending an 
initial SYN packet. One of the few identifiable characteristics of the 
program is a window size of 55808 on each of the packets it transmits. 
It also spoofs the originating IP address on all of the packets, 
making them look as if they're coming from machines in unallocated 
name space. 

ISS has been tracking the Trojan for about a month and has yet to find 
a copy of its code or successfully trace it back to an infected 
machine. Other security vendors and officials at the Department of 
Homeland Security are also tracking the Trojan, all without any luck 
so far. 

"We still don't have a good idea where it's going or if it's 
communicating with anyone," said Pete Allor, manager of X-Force Threat 
Intelligence Services at ISS. "I don't want to say I'm close, but I'm 
closer than I was yesterday." 

Researchers have been frustrated by the Trojan's random behavior, 
which has helped it elude capture. One of the few nuggets of 
information that experts have at this point is that a portion of the 
hex code in the packets the Trojan sends contains the term "day 0." In 
security circles, the phrase "zero day" is often used to describe 
attacks on vulnerabilities that have just been discovered. 

Despite the problems tracking the Trojan so far, Allor believes it's 
only a matter of time before someone gets a handle on it. When he does 
find it, Allor is eager to peek into the Trojan's code and see what 
makes it tick. 

"This is a new one. It piqued our curiosity really quick," he said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: