Re: Intrusec 55808 Trojan Analysis

[<gwhy555 () yahoo com>]

In-Reply-To: <008d01c3371a$fd5417d0$be01a8c0@ian>


Say, could you explain a little further on the paragraph that reads:

"The trojan appears to contain some functionality to change the IP
address it delivers its packet captures to, but this functionality is
not operational in the trojan we have obtained.  It appears the stubbed
out code, if activated, would function as follows:  If a packet is
captured that contains a window size of 55808 and a TCP option window
scale of 2, the trojan modifies the IP address packet captures are
delivered to based on the sequence number of that packet."

Specifically what effect would this have if it were to be made 
operational. I'm not really a tcp pro but I am interested in what this 
thing might look like in the near future. 

much appreciated.

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------