Security Incidents mailing list archives

Re: New trojan running in port 12345?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 21 Dec 2000 10:04:32 +1300

On Tue, 19 Dec 2000 23:30:21 -0600 Martin H Hoz-Salvador
<mhoz () citi com mx> wrote:

Hi Martin,
          I saw something like this a while back, several hundred
netbus scans over a period of about two weeks.  The scans peaked in the
weekends then trailed off.  Network blocks on either side of ours did
not see the scans.   I eventually tracked down another site in
Australia who had seen the same thing.  Source IPs were all dialup or
cable/dsl belonging to major ISPs with a lot in Korea (210.0.0.0/7) as
you observed, but also with a sprinkling from big North American
providers.

I came to the conclusion that this was a trojan that was being
actively distributed via IRC or ICQ and which targeted our address
space specifically. One characteristic of the traffic I saw (same with
the Australian site too) was that the destination addresses always
started at 11 (I'm guessing this is a typo for 1).  Only one class C
was scanned and many scans stopped before they got to 254.  I am
guessing that the trojan is some sort of game and since the scan is
relatively slow (it takes about 20 minutes to scan a /24) then people
quickly tire of the game and kill it leaving the scan 'unfinished'.

I reported all the scans to the respective ISPs along with a description of
what I suspected was happening and asked that the ISPs would get in touch
with their customers and verify the story.  Only one got back to me and
that was nearly two weeks after the incident and the customer could not
remember anything useful.

I also suspect that the source of this activity is in Korea.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
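The scan pattern Russell describes (one source walking a single /24 upward from .1 on TCP/12345, slowly, and often giving up before .254) can be picked out of flow or firewall logs with a simple per-source heuristic. The following is an added example written for this archive page, not code from the original post; the log format and all addresses are constructed (RFC 5737 documentation ranges), and the thresholds are assumptions.

```python
"""Heuristic detector for slow NetBus (TCP/12345) /24 sweeps: per source,
destinations in one /24 visited in rising host order, hosts counted, sweep
duration measured, and sweeps that stopped short of .254 marked unfinished."""
from collections import defaultdict
from datetime import datetime

NETBUS_PORT = 12345

# Constructed sample records in a hypothetical "timestamp src dst dport" format.
SAMPLE_FLOWS = """\
2000-12-19T23:00:00 203.0.113.7 192.0.2.1 12345
2000-12-19T23:00:05 203.0.113.7 192.0.2.2 12345
2000-12-19T23:00:10 203.0.113.7 192.0.2.3 12345
2000-12-19T23:00:15 203.0.113.7 192.0.2.4 12345
2000-12-19T23:00:20 203.0.113.7 192.0.2.5 12345
2000-12-19T23:01:00 198.51.100.9 192.0.2.80 80
2000-12-19T23:02:00 198.51.100.7 192.0.2.7 12345
""".splitlines()


def parse(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_sweeps(lines, min_hosts=4):
    """Return {src: {net: report}} for sources that walk a /24 in rising
    host order on port 12345 and touch at least min_hosts distinct hosts."""
    by_src = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ts, src, dst, dport = parse(line)
        if dport != NETBUS_PORT:
            continue
        net, host = dst.rsplit(".", 1)
        by_src[src][net].append((ts, int(host)))
    reports = {}
    for src, nets in by_src.items():
        for net, hits in nets.items():
            hits.sort()                      # chronological order
            hosts = [h for _, h in hits]
            if len(set(hosts)) < min_hosts or hosts != sorted(hosts):
                continue                     # too few hosts, or not a rising walk
            reports.setdefault(src, {})[net] = {
                "first_host": hosts[0],
                "last_host": hosts[-1],
                "hosts": len(set(hosts)),
                "minutes": (hits[-1][0] - hits[0][0]).total_seconds() / 60,
                "unfinished": hosts[-1] < 254,  # scan killed before reaching .254
            }
    return reports


if __name__ == "__main__":
    for src, nets in find_sweeps(SAMPLE_FLOWS).items():
        for net, r in nets.items():
            print(f"{src} swept {net}.0/24 on port {NETBUS_PORT}: {r}")
```

The single 12345 hit from 198.51.100.7 and the port-80 flow are ignored, so only the five-host walk from 203.0.113.7 is reported, flagged unfinished because it stopped at .5.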

