Security Incidents mailing list archives

Re: Intrusec 55808 Trojan Analysis

From: Peter Busser <peter () trusteddebian org>
Date: Wed, 25 Jun 2003 09:02:04 +0200

Hi!

Since it can be delivered anywhere
on the subnet the trojan is listening promiscuously on, it is difficult
to figure out where the trojan is actually located even upon capturing
this command.


But you can also use that command to your own advantage. Simply regularly
inject messages which will make the trojan try to contact a machine you own.
The trojan will then expose itself.

Groetjes,
Peter Busser
-- 
Adamantix - Taking high-security Linux out of the labs, and into the world.
http://www.adamantix.org/

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Current thread:

Intrusec 55808 Trojan Analysis David J. Meltzer (Jun 21)
- <Possible follow-ups>
- Intrusec 55808 Trojan Analysis David J. Meltzer (Jun 21)
- Re: Intrusec 55808 Trojan Analysis gwhy555 (Jun 23)
  - Re: Intrusec 55808 Trojan Analysis Valdis . Kletnieks (Jun 24)
  - RE: Intrusec 55808 Trojan Analysis David J. Meltzer (Jun 24)
    - Re: Intrusec 55808 Trojan Analysis Peter Busser (Jun 25)
- Re: Intrusec 55808 Trojan Analysis Philippe Bourgeois (Jun 27)