Interesting People mailing list archives

more on Weird web data foxes experts


From: Dave Farber <dave () farber net>
Date: Wed, 25 Jun 2003 15:18:06 -0400


------ Forwarded Message
From: M Taylor <mctaylor () privacy nb ca>
Date: Wed, 25 Jun 2003 20:13:00 +0100
To: Dave Farber <dave () farber net>
Subject: Re: [IP] Weird web data foxes experts

From: Bob <bob () bobrosenberg phoenix az us>

Security experts are keeping an eye on strange packets of data that could
herald new hack attacks.

<http://www.securityfocus.com/archive/1/326149/2003-06-15/2003-06-21/2>

...
This trojan aims to be a distributed port scanner whose presence is very
difficult to detect. It port scans random addresses across the IP
address space, with a random source address also spoofed. By spoofing
the source address, the trojan is able to avoid easy detection, but it
also means it can not receive the results of the TCP SYN that is sent.
However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet. As the number of trojans installed across
the Internet grows, more spoofed packets will be sent out by each
trojan, and more of the spoofed source addresses will be captured by
other trojans.
...

ISS's X-Force -- "Stumbler" Distributed Stealth Scanning Network
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441


What I can make of it is that it appears to be based on concepts
discussed but not previously seen implemented, and it appears that
this may be a prototype release for a more effective and possibly
more malicious worm/trojan. I am not clear if this is self-propagating
or not, so I don't know what exactly to call it. A lot of intrusion
analysts and firewall admins are seeing traffic from these scans. It
is also not clear how well it is working. I suspect that given past
track records of how long it has taken to clean up systems from
high impact attacks versus "low-impact" i.e. does not prevent day-to-
day business functions, it might be tolerated enough to gather
a large enough database from its scanning. -mct


------ End of Forwarded Message
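The scanning technique quoted above has a defender-visible side effect: because the trojan spoofs random source addresses, the SYN/ACK and RST replies go to whoever owns the spoofed address, so a network sees TCP replies to handshakes none of its hosts ever started (the same backscatter the trojan itself sniffs for). The following is example detection code added here, not part of the original post or of the ISS advisory; the flow records, the 192.0.2.0/24 "local" subnet and the flag strings are constructed, and flows are assumed to be in time order.

```python
"""Flag backscatter from spoofed-source SYN scans in a simple flow log."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (time, src, sport, dst, dport, tcp_flags).
# "S" = SYN, "SA" = SYN/ACK, "RA" = RST/ACK. 192.0.2.0/24 is our own subnet.
SAMPLE_FLOWS = [
    # a legitimate handshake started by a local host, and its reply
    ("10:00:01", "192.0.2.10", 51000, "198.51.100.5", 80, "S"),
    ("10:00:01", "198.51.100.5", 80, "192.0.2.10", 51000, "SA"),
    # replies to SYNs we never sent: a scanner used our addresses as source
    ("10:00:03", "203.0.113.7", 22, "192.0.2.77", 40001, "SA"),
    ("10:00:04", "203.0.113.9", 80, "192.0.2.78", 40002, "SA"),
    ("10:00:05", "198.51.100.20", 25, "192.0.2.79", 40003, "RA"),
    ("10:00:06", "203.0.113.11", 443, "192.0.2.80", 40004, "SA"),
]


def find_backscatter(flows, local_net):
    """Return SYN/ACK or RST/ACK flows to local hosts with no preceding local SYN."""
    net = ip_network(local_net)
    outbound_syns = set()   # 4-tuples of handshakes a local host actually began
    hits = []
    for t, src, sport, dst, dport, flags in flows:
        if ip_address(src) in net and flags == "S":
            outbound_syns.add((src, sport, dst, dport))
        elif ip_address(dst) in net and flags in ("SA", "RA"):
            # a reply is legitimate only if the reversed tuple matches a SYN we saw
            if (dst, dport, src, sport) not in outbound_syns:
                hits.append((t, src, sport, dst, dport, flags))
    return hits


def summarize(hits):
    """Shape of the backscatter: many distinct local targets and remote responders
    on well-known service ports is what a spoofed distributed scan looks like."""
    return {
        "events": len(hits),
        "local_targets": len({h[3] for h in hits}),
        "remote_responders": len({h[1] for h in hits}),
        "responder_ports": Counter(h[2] for h in hits),
    }


if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_FLOWS, "192.0.2.0/24"):
        print("unsolicited reply:", hit)
    print(summarize(find_backscatter(SAMPLE_FLOWS, "192.0.2.0/24")))
```

A single unsolicited reply is noise (asymmetric routing, a retransmit after a timeout); the signal is the count of distinct local targets and remote responders growing over time.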
