RE: sdbot variant and port 55808 activity

["Kester, Kelly" <KesterK () scott disa mil>]

FYI ---- k2

Security experts finally have a handle on mystery malware that was
generating loads of suspicious IP traffic over the last few weeks.
Researchers at Internet Security Systems Inc. say the culprit, which was
first thought to be a new breed of Trojan, is actually a distributed network
mapping tool that also acts as a listening agent.  Dubbed Stumbler, the
agent is not considered malicious right now because it contains no payload,
but it has the potential to generate enough IP traffic to hamper network
performance.
What has experts most concerned is the ease with which Stumber could be
reprogrammed to make it more damaging.
"We're really more interested in the next version because it could easily
become a worm," said Dan Ingevaldson, team lead on ISS' X-Force research and
development team in Atlanta, which tracked down the Stumbler agent. "You
should defnitely remove it if you find it. And you should be concerned about
how it got there because someone had to put it there intentionally.
"It's not very advanced," Ingevaldson added. "The complexity and the
elegance of the network is what makes it good."
ISS officials said it's impossible to say how many machines have been
infected with Stumbler, though the amount of traffic being generated by the
agent, which scans random IP address and looks for other versions itself,
indicates at least several hundred infections.
The agent captured by ISS is in Linux binary, but researchers say it could
easily be ported to other platforms and likely will be.
News of the code capture comes as a relief to investigators from several
agencies, including the FBI and the Department of Homeland Security, which
were also tracking the rogue IP activity.
Stumbler first appeared around May 16 and began randomly scanning
Internet-connected machines. The scanning was slow at first but began to
pick up speed in recent days as more machines have become infected.  ISS
researchers were seeing nearly 3,000 scans an hour earlier this week across
the entire address space that the company monitors.
Stumbler scans random ports on random machines, each time sending an initial
SYN packet. One of the few identifiable characteristics of the program is a
window size of 55808 on each of the packets it transmits.  It also spoofs
the originating IP address on all of the packets, making them look as if
they're coming from machines in unallocated name space. The window size led
some to speculate that the malware was related to the Randex IRC bot, but
experts now say the TCP window size is coincidental.
ISS said it was alerted to the existence of the mystery agent by an employee
at a defense contractor and later notified both the FBI and the CERT
Coordination Center.

 -----Original Message-----
From:   Joe Stewart [mailto:jstewart () lurhq com] 
Sent:   Wednesday, June 18, 2003 9:45 AM
To:     intrusions () incidents org
Cc:     list () dshield org; incidents () securityfocus com
Subject:        sdbot variant and port 55808 activity

While researching an IRC zombie infection for a third party, I came across
a variant of sdbot which is hard-coded to send TCP packets with a window
size of 55808 in its spoofed-synflooding function. Could this be the
"next-gen" trojan that Lancope found? If so, it redefines the term next-gen,
because sdbot is pretty much old-school.

The particular variant I found is _not_ the well known "sdbot SYN edition"
by Tesla. The packet construction subroutine is entirely different. Based on
what I have seen here and in the firewall logs from as far back as January,
I feel that  there is a snippet of C being re-used in the underground and it
uses a default window size of 55808. I've seen it used in broadscanning, 
and now as a synflooder.

Here is an example command used in the IRC control channel to start a 
synflood with this version of sdbot. 192.168.1.21 is the address to be
spoofed while attacking 192.168.1.1:

$syn 192.168.1.1 6000 20 192.168.1.21 6666

Here is a capture of some of the resulting packets:

07:26:51.048897 192.168.1.21.6666 > 192.168.1.1.6000: S
693933104:693933104(0) 
win 55808
0x0000   4500 0028 0a34 0000 8006 ad35 c0a8 0115        E..(.4.....5....
0x0010   c0a8 0101 1a0a 1770 295c 9430 0000 0000        .......p)\.0....
0x0020   5002 da00 6374 0000 0000 0000 0000             P...ct........

07:26:51.049000 192.168.1.21.6666 > 192.168.1.1.6000: S 
3950185482:3950185482(0) win 55808
0x0000   4500 0028 0a35 0000 8006 ad34 c0a8 0115        E..(.5.....4....
0x0010   c0a8 0101 1a0a 1770 eb73 0c0a 0000 0000        .......p.s......
0x0020   5002 da00 2983 0000 0000 0000 0000             P...).........

07:26:51.049096 192.168.1.21.6666 > 192.168.1.1.6000: S 
2692113931:2692113931(0) win 55808
0x0000   4500 0028 0a36 0000 8006 ad33 c0a8 0115        E..(.6.....3....
0x0010   c0a8 0101 1a0a 1770 a076 660b 0000 0000        .......p.vf.....
0x0020   5002 da00 1a7f 0000 0000 0000 0000             P.............

I have passed the binaries I have found along to the AV community, so 
anti-virus signatures at least for the variants I have found should be
forthcoming. 

Of course, this still doesn't explain the weird source and destination 
IP addresses and ports we are seeing since last month, but based on
this I seriously doubt it is a covert channel. Maybe someone is just 
testing a new implementation of the synscanning code in a distributed 
manner, and has some bugs to work out.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's
to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------







----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------