Interesting People mailing list archives
more on Weird web data foxes experts
From: Dave Farber <dave () farber net>
Date: Wed, 25 Jun 2003 15:18:06 -0400
------ Forwarded Message
From: M Taylor <mctaylor () privacy nb ca>
Date: Wed, 25 Jun 2003 20:13:00 +0100
To: Dave Farber <dave () farber net>
Subject: Re: [IP] Weird web data foxes experts

From: Bob <bob () bobrosenberg phoenix az us>

Security experts are keeping an eye on strange packets of data that could herald new hack attacks.
<http://www.securityfocus.com/archive/1/326149/2003-06-15/2003-06-21/2>

...
This trojan aims to be a distributed port scanner whose presence is very difficult to detect. It port scans random addresses across the IP address space, with a random source address also spoofed. By spoofing the source address, the trojan is able to avoid easy detection, but it also means it can not receive the results of the TCP SYN that is sent. However, since the trojan also sniffs the network it is on in promiscuous mode, it is likely, over time, to pick up scans from other installations of trojans that randomly selected a source address that happened to be on its subnet. As the number of trojans installed across the Internet grows, more spoofed packets will be sent out by each trojan, and more of the spoofed source addresses will be captured by other trojans.
...

ISS's X-Force -- "Stumbler" Distributed Stealth Scanning Network
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441

What I can make of it is that it appears to be based on concepts discussed but not previously seen implemented, and it appears that this may be a prototype release for a more effective and possibly more malicious worm/trojan. I am not clear if this is self-propagating or not, so I don't know what exactly to call it. A lot of intrusion analysts and firewall admins are seeing traffic from these scans.

It is also not clear how well it is working. I suspect that given past track records of how long it has taken to clean up systems from high impact attacks versus "low-impact", i.e. does not prevent day-to-day business functions, it might be tolerated enough to gather a large enough database from its scanning.

-mct

------ End of Forwarded Message
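A defender-side check for the behaviour described in the forwarded analysis, added here as an example and not part of the original message or of any vendor tool. It flags local hosts sending packets with non-local source addresses, and replies arriving for SYNs that no local host sent. The subnet, the "lan"/"wan" tap labels and the packet records are constructed assumptions.

```python
import ipaddress

# Assumed local subnet (documentation range); replace with your own.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample records: (time, tap, src, sport, dst, dport, tcp_flags).
# tap "lan" = frame seen leaving a local host, "wan" = arriving from upstream.
PACKETS = [
    (1.0, "lan", "192.0.2.10", 40000, "198.51.100.5", 80, "S"),    # real client SYN
    (1.1, "wan", "198.51.100.5", 80, "192.0.2.10", 40000, "SA"),   # its reply
    (2.0, "lan", "203.0.113.77", 1234, "198.51.100.9", 22, "S"),   # foreign source on LAN
    (3.0, "wan", "198.51.100.20", 22, "192.0.2.55", 31337, "SA"),  # reply nobody asked for
    (3.5, "wan", "198.51.100.21", 22, "192.0.2.91", 2222, "RA"),   # reply nobody asked for
    (4.0, "lan", "10.9.8.7", 5555, "198.51.100.30", 443, "S"),     # foreign source on LAN
]


def analyze(packets, local_net=LOCAL_NET):
    """Return (spoofed_egress, unsolicited_replies) found in the records."""
    pending = set()        # 4-tuples of SYNs genuinely sent by local hosts
    spoofed_egress = []    # local hosts emitting packets with non-local sources
    unsolicited = []       # SYN-ACK/RST replies to SYNs no local host sent
    for ts, tap, src, sport, dst, dport, flags in packets:
        src_local = ipaddress.ip_address(src) in local_net
        dst_local = ipaddress.ip_address(dst) in local_net
        if tap == "lan":
            if not src_local:
                # A local machine is forging its source address: the sending
                # side of the scanner described above. Egress filtering drops it.
                spoofed_egress.append((ts, src, dst, dport))
            elif flags == "S":
                pending.add((src, sport, dst, dport))
        elif tap == "wan" and dst_local and flags in ("SA", "RA"):
            # A reply whose matching SYN never left this network means someone
            # elsewhere used one of our addresses as a spoofed source.
            if (dst, dport, src, sport) not in pending:
                unsolicited.append((ts, src, sport, dst))
    return spoofed_egress, unsolicited


if __name__ == "__main__":
    egress, replies = analyze(PACKETS)
    for ts, src, dst, dport in egress:
        print(f"{ts:>5} spoofed egress  {src} -> {dst}:{dport}")
    for ts, src, sport, dst in replies:
        print(f"{ts:>5} unsolicited reply from {src}:{sport} to {dst}")
```

For long-running use, entries in `pending` would need a timeout so the set does not grow without bound.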