Re: Intrusec 55808 Trojan Analysis

[Valdis.Kletnieks () vt edu]

On Sun, 22 Jun 2003 06:30:26 -0000, gwhy555 () yahoo com  said:

> "The trojan appears to contain some functionality to change the IP
> address it delivers its packet captures to, but this functionality is
> not operational in the trojan we have obtained.  It appears the stubbed
> out code, if activated, would function as follows:  If a packet is
> captured that contains a window size of 55808 and a TCP option window
> scale of 2, the trojan modifies the IP address packet captures are
> delivered to based on the sequence number of that packet."
>
> Specifically what effect would this have if it were to be made 
> operational. I'm not really a tcp pro but I am interested in what this 
> thing might look like in the near future. 

What this means is that it can (if activated) change the "ET Phone Home"
address on the fly.  Let's say it's current phone-home is 199.45.12.24.
To change it to (say) 209.134.56.97, we just inject a packet for it
to hear that has:

window == 55808
Window Scale == 2
sequence == 3515234401 ( == 209 * 256**3 + 134 * 256**2 + 56*256 + 97).

and poof, it calls the new address.  So whoever owns it injects a few packets
with those characteristics, destined to a few listeners.  Those then
start using those numbers and letting the backscatter carry the message
to more listeners.  After a short while, all the listeners are pointing to
the new IP address.

Or something like that - I've been in my office too many hours today. ;)

Attachment: _bin
Description: