Security Incidents mailing list archives

Re: more info on ramen.tgz


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Wed, 17 Jan 2001 16:04:46 -0500

"Jeffrey F. Lawhorn" <jeffl () wanet net> writes:

> One more thing I've noticed about the synscan in the ramen.tgz, it
> sends a TCP packet to 212.184.80.190 port 80 from port 31337 after
> it finishes scanning each /16.
>
> Unfortunately I was unable to capture any of the actual packets.
> Did anyone else manage to capture one of these packets?

This is actually part of the regular synscan tool - it just uses this
packet to mark the end of the line.  There's nothing special about the
data in the packet and 212.184.80.190 is www.microsoft.de; that's so
that this end packet doesn't look suspicious at all.

Synscan works by having many separate processes each do part of the
TCP connection.  The main process forks off a child process that sends
out SYN packets to all the hosts in the /16; meanwhile the main
process listens (via pcap) for responses.  When it gets a response,
the main process forks off another child to check the specific
vulnerabilities on that host.  When the main process sees the packet
to www.microsoft.de, port 80 from port 31337 go by, it knows that the
child process has sent scans off to every host it was supposed to, and
can now quit.

Read more details in the actual synscan source code:
http://www.psychoid.lam3rz.de/synscan.html

In other news, I've updated my analysis of the ramen worm (minor
changes) and put it up at
http://members.home.net/dtmartin24/ramen_worm.txt
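The scan-then-marker sequence described in the message above, turned into detection logic over sample traffic. This is an added example, not code from the original post and not part of synscan or ramen. The marker tuple (TCP to 212.184.80.190 port 80 from source port 31337) is the one the post describes; the tcpdump-like line format, the source ports used for the scan SYNs, and the target port 21 are constructed for the sample and are assumptions, not details the post supports. Treat the marker as a weak signal: it is trivially changed in the source and the same tuple could in principle occur in benign traffic.

```python
"""Pair synscan-style end-of-/16 marker packets with the SYN sweep that preceded them.

Added example (not from the original post or from synscan). Reads a simplified
tcpdump-like text format, counts pure SYNs per source, and when the marker packet
described in the post goes by, emits one record summarising that source's sweep.
"""
import ipaddress
import re
from collections import defaultdict

# Marker described in the post: TCP to www.microsoft.de (212.184.80.190) port 80
# from source port 31337, sent once the SYN child has covered its /16.
MARKER_DST = "212.184.80.190"
MARKER_DPORT = 80
MARKER_SPORT = 31337

# Constructed sample (not a real capture) in a simplified tcpdump-like format:
#   <time> IP <src>.<sport> > <dst>.<dport>: <flags>
# flags: "S" = SYN, "S." = SYN-ACK. Scan source ports and dport 21 are assumptions.
SAMPLE_LINES = [
    "16:00:01.000 IP 10.0.0.5.1025 > 192.168.1.1.21: S",
    "16:00:01.001 IP 10.0.0.5.1026 > 192.168.7.9.21: S",
    "16:00:01.002 IP 192.168.1.1.21 > 10.0.0.5.1025: S.",      # one host answered
    "16:00:01.003 IP 10.0.0.5.1027 > 192.168.200.3.21: S",
    "16:00:01.010 IP 10.0.0.9.40000 > 212.184.80.190.80: S",   # ordinary web hit, wrong sport
    "16:00:01.020 IP 10.0.0.5.31337 > 212.184.80.190.80: S",   # end-of-/16 marker
    "16:00:02.000 IP 10.0.0.5.1028 > 172.16.3.3.21: S",
    "16:00:02.001 IP 10.0.0.5.1029 > 172.16.9.9.21: S",
    "16:00:02.010 IP 10.0.0.5.31337 > 212.184.80.190.80: S",   # second marker
    "16:00:03.000 IP 10.0.0.5.1030 > 10.1.1.1.21: S",          # next sweep, no marker yet
]

LINE_RE = re.compile(
    r"^(?P<time>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)


def parse_lines(lines):
    """Parse the simplified format into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def is_marker(rec):
    """True for the end-of-/16 packet the post describes, whatever its TCP flags."""
    return (rec["dst"] == MARKER_DST and rec["dport"] == MARKER_DPORT
            and rec["sport"] == MARKER_SPORT)


def is_syn(rec):
    """Pure SYN only; SYN-ACK replies from scanned hosts ('S.') are excluded."""
    return rec["flags"] == "S"


def find_sweeps(records):
    """Return one summary per marker packet: the source, when the marker was seen,
    how many SYNs that source sent since its previous marker, and which /16s they hit.
    SYNs from sources that never send a marker stay pending and are not reported."""
    pending = defaultdict(lambda: {"syn_count": 0, "networks": set(), "first_syn": None})
    sweeps = []
    for rec in records:
        src = rec["src"]
        if is_marker(rec):                       # check marker first: it is itself a SYN here
            state = pending.pop(src, None)
            sweeps.append({
                "src": src,
                "marker_at": rec["time"],
                "first_syn": state["first_syn"] if state else None,
                "syn_count": state["syn_count"] if state else 0,
                "networks": sorted(state["networks"]) if state else [],
            })
        elif is_syn(rec):
            state = pending[src]
            state["syn_count"] += 1
            net = ipaddress.ip_network(f"{rec['dst']}/16", strict=False)
            state["networks"].add(str(net))
            if state["first_syn"] is None:
                state["first_syn"] = rec["time"]
    return sweeps


if __name__ == "__main__":
    for sweep in find_sweeps(parse_lines(SAMPLE_LINES)):
        print(f"{sweep['src']}: {sweep['syn_count']} SYNs into {sweep['networks']} "
              f"({sweep['first_syn']} .. {sweep['marker_at']})")
```

A marker with a zero SYN count (a source that sends the marker tuple without a preceding sweep visible to the sensor) is reported too, since the sensor may simply not see the scan traffic; the count lets an analyst decide whether it is a synscan child finishing or an unrelated packet.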

