ISS Security Brief: "Stumbler" Distributed Stealth Scanning Network (fwd)

["Peter E. Johnson" <rottz () securityflaw com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This advisory isn't as good as intrusec's but the snort rule for 'Tron' is 
helpful to detect infected hosts.

alert tcp any any -> 12.108.65.76/32 22 (msg:"Stumbler Trojan";)

Intrusec's Advisory:
http://www.intrusec.com/55808.html

- ---------- Forwarded message ----------
Date: Thu, 19 Jun 2003 23:52:16 -0400 (EDT)
From: X-Force <xforce () iss net>
To: alert () iss net
Subject: ISS Security Brief: "Stumbler" Distributed Stealth Scanning Network

- --[PinePGP]--------------------------------------------------[begin]--
Internet Security Systems Security Alert
June 19, 2003

"Stumbler" Distributed Stealth Scanning Network

Synopsis:

X-Force has been tracking reports of suspicious and widespread Internet
traffic with a TCP Window size of 55808. A substantial amount of traffic
captured from sites around the world point to a new distributed port
scanning system. X-Force has analyzed malware that appears to be a client
capable of scanning and receiving network mapping data from other similar
clients distributed across the Internet. X-Force has named this malware,
"Stumbler".

For the complete ISS X-Force Security Alert, please visit:
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441

______


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.


Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.


Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If
you wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforceiss.net for
permission.


Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforceiss.net of Internet Security Systems, Inc.

- --[PinePGP]-----------------------------------------------------------
gpg: Signature made Thu 19 Jun 2003 11:50:27 PM EDT using RSA key ID 7DF5E1BD
gpg: Good signature from "X-Force <xforce () iss net>"
gpg: Fingerprint: AB 47 94 77 68 8F 75 94  73 28 87 51 39 97 FB F8
- --[PinePGP]----------------------------------------------------[end]--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+8paUX3lbyIti9jYRAgzaAJ4+XFR72X7A+DokbB3OMdj1w6ceRgCfXTJs
D8LDK95CM2VtyLym/pPB/kk=
=oQUX
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html