
What's Behind The Odd Data?

Posted by timothy
from the to-ask-your-advice dept.
citking writes "CNet is reporting that 'network administrators and security experts continue to search for the cause of an increasing amount of odd data that has been detected on the Internet.' While this has been going on now for a few days and some experts have already declared victory against the 'trojan', others aren't so sure that the real culprit has been identified yet. Other stories can be found here(1) and here(2)."
  • by ReTay (164994) on Sunday June 22, 2003 @06:53AM (#6266244)
    The "from the in case you thought the Internet is not closely watched dept?"
    Heh
    • by The Monster (227884) on Sunday June 22, 2003 @12:48PM (#6267626) Homepage
      The article says that these packets are addressed to mostly non-existent IP addresses, and show non-routable, reserved (like the '555' networks 10..., 172..., 192.168...) source IP addresses.

      Here's my theory. Some clever Zombie author has reasoned that a packet addressed to the actual address of the Zombie or its controller might help security people track it down. So, the real source 'return address' is either hidden inside the actual data packet (encrypted of course) or established in a config file or Registry entry and only changed when an appropriate message is received. And the destination address is deliberately non-existent, but on the same subnet as the actual destination (or there is a compromised router upstream from that subnet that's part of the scheme), which is sniffing for these packets and responding in kind.

      The large window size is probably a red herring - the real protocol being used is probably more like UDP than TCP. Or it's been thrown in to befuddle stateful packet filters. Or perhaps the window size is the signal to the sniffer that this protocol is involved - any packet without that window size need not be further examined.

      It's a scheme that would also work quite nicely for people living under repressive regimes that want to be able to communicate with human-rights orgs without leaving a trail of bread crumbs back to themselves or their correspondents.

  • by evilviper (135110) on Sunday June 22, 2003 @06:53AM (#6266246) Journal
    Just think, you can cause all the internet security firms to work overtime, just by:

    nc /dev/urandom
  • Wintermute (Score:4, Funny)

    by Anonymous Coward on Sunday June 22, 2003 @06:54AM (#6266248)
    I say it's Wintermute.
  • by Anonymous Coward on Sunday June 22, 2003 @06:55AM (#6266250)
    I've been monitoring this for a long time, the amount of odd data is always 50%.
  • Basically, there's a new trojan, sort of.

    It apparently requires being installed by hand by the originator (or someone else, I suppose), but then it makes the machine into an effective zombie for the originator.

    It does a good job of hiding the infection - sending out 1000 spoofed addresses for each real one.

    It targets linux only, at least so far.

    It is apparently trying to map internet connected networks.
    • Hm, that's a theory. May I ask humbly if there is any proof for it?
      • But it isn't _my_ theory, it's a theory present in both the cited articles.

        The following is my theory, and it is also without proof, but I'll provide some logic at least.

        My supposition is that it tries to talk to lots of IPs, spoofed from lots of IPs. And that since it's not self-propagating, it's either 1) wasting time or 2) mapping. 3) doing something we haven't managed to detect.

        People don't usually like to give answer 3, answer 1 seems like a silly reason for the author to put in so much work, so we're left with answer 2.

        Now, does this mean this mapping is nefarious? Not itself, except that it's being done by someone ok with hacking and apparently skillful. To blatantly rip off another poster, maybe it's SCO trying to find all the linux boxen : )
        • by Anonymous Coward on Sunday June 22, 2003 @07:25AM (#6266322)
          Heh, SCO doesn't need to do that. All of a sudden my boss at my work (I work for an ISP that has all redhat boxes) has gotten many phone calls for surveys asking about what kind of servers we run, what OS they use, what they're used for, blah blah bla. That thought crossed my mind that SCO is just getting ready for their 'Big Win' over the Linux community and want a nice list of companies to go after.

          jeremy
        • it's either
          1) wasting time or
          2) mapping.
          3) doing something we haven't managed to detect.

          I'd go for
          4) to confuse the Russians.
        • If it is mapping, it's doing a very poor job of it. What many analysts have seen (including myself) is that once it sends a packet to a particular IP address, it will repeat that packet over and over again. 81% of the "odd" traffic I am seeing on a particular class C is the same spoofed source to the same non-existent host on the class C, from the same source port to the same destination port. Over 900 packets since May 18, with that same signature. I don't think it's a mapper.
    • by Anonymous Coward on Sunday June 22, 2003 @07:24AM (#6266319)
      Something's wrong with this theory. I have several thousands of these packets in my logs, but they started to appear back in October. They are directed at many ports (which are closed on my system), but each originator tries several times. Many attempts look like an Edonkey client trying to deliver a message, which is not unusual on a dynamic IP connection where the previous user of an IP apparently used filesharing programs. Either the window-size 55808 isn't that unusual or the "infection" has been around much longer. Another system on a static IP has yet to see even one packet with that window-size. If it's a mapping system, it certainly isn't random. <speculation>It could be that ??AA-serving companies are looking for "tainted" filesharing clients which they could then ask to reveal more information about the system and their owners by using strange packets for hidden communication with the client. If this is true, the trojan which randomly sends out strange packets is merely a decoy.</speculation>
  • lol.. (Score:5, Funny)

    by ewithrow (409712) on Sunday June 22, 2003 @06:56AM (#6266253) Homepage
    Has this 'odd data' been corrupted with the evil bit or something?
    • Re:lol.. (Score:3, Funny)

      by Peterus7 (607982)
      No, even worse... Inside these 'odd data' packets they found thousands of txt files containing furry slash fanfics.

      And they found the true meaning of evil.

  • prompt> ping www.google.com
    PING www.google.com (216.239.33.101): 56 octets data
    64 octets from 216.239.33.101: icmp_seq=0 ttl=44 time=90.3 ms
    64 octets from 216.239.33.101: icmp_seq=1 ttl=44 time=91.2 ms
    64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=97.4 ms - odd data message "HELP ME! I'M TRAPPED IN THE INTERNET"
    64 octets from 216.239.33.101: icmp_seq=2 ttl=44 time=92.8 ms
    --- www.google.com ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    May be possessed by lost soul
    round-trip min/avg/max = 90.3/90.7/91.2 ms
  • Hmmmm.... (Score:3, Funny)

    by Millbuddah (677912) on Sunday June 22, 2003 @06:59AM (#6266257)
    Could it be the beginnings of Senator Hatch's p2p Destroying scheme? Even though the IPs being queried belong to non-existent sites, I can't help but picture the following paraphrased scene (Note all lines are terribly penned and from year old memory): Darth Hatch: Tell me where the rebels are located your highness. Princess ISP: I've already given you 5 names. I'll never tell you the rest!! Darth Hatch: Then perhaps you'd like a demonstration of the full capabilities of our Pirate Death Star. Princess ISP: Alright, they're at 66.432.2322 And so on and so forth
    • That can be easily tested. Just see if Orrin Hatch's congressional website is down ("destroyed"). Since it is one webpage we KNOW is using pirated software, it should be down if this is the case. Then again, congresspeople typically don't pass laws that affect themselves. Section 133(d)(3)(A) of Hatch's bill, buried in the trash, exempts elected officials from having their computers destroyed for pirating software. After all, destroying gov't property, we just can't have that. As for YOUR computer....
      • Re:Hmmmm.... (Score:3, Informative)

        by GMontag (42283)
        Section 133(d)(3)(A) of Hatch's bill, buried in the trash, exempts elected officials from having their computers destroyed for pirating software. After all, destroying gov't property, we just can't have that.

        If it is truly pirated it is not government property, it is the property of the owner.

        However, the Legislative branch frequently exempts itself from laws under the separation of powers issue, preventing the Executive branch from exercising power over them.

        This slowed down a bit in the mid-1990's and ,
    • >>Could it be the beginnings of Senator Hatch's p2p Destroying scheme?

      Doubtful we could prove it, unless those 1000 "random" IP address can be found to map to porn servers. Still not proof that it's Hatch's work, but at least it would demonstrate a consistent pattern of behaviour!
  • Dark data (Score:3, Funny)

    by Anonymous Coward on Sunday June 22, 2003 @06:59AM (#6266259)
    We all know that the universe is made up of dark matter, so of course the internet is made up of dark data. It all makes sense!
  • magic lantern? (Score:5, Informative)

    by Anonymous Coward on Sunday June 22, 2003 @07:01AM (#6266264)
    so it doesn't propagate and relies on that attacker to plant it on a system. once again - could this be the Magic Lantern we heard all about a while ago...

    from

    http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645

    "One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.

    "For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.

  • Maybe those are residues of testing? Some people writing networking-software maybe just made some debugging runs using data sent over the net and sent out erroneous packets.

    Maybe it is some rare case with a seldom occurring situation where the TCP/IP protocol runs mad? I mean, when designing such flexible and autonomous systems sometimes there are things you can't foresee. After decades of online time and rewrites of TCP/IP core parts in combination with the unpredictability of such huge systems it would not surprise me if those are just packets which emerge every now and then.

    Another explanation: the net has gotten critical mass and is becoming conscious....

    Just my two cents.....
  • Wasnt.. (Score:3, Funny)

    by [cx] (181186) on Sunday June 22, 2003 @07:06AM (#6266274)
    The matrix movie released into newsgroups recently?
  • by stew77 (412272) on Sunday June 22, 2003 @07:12AM (#6266287)
    Probably just as a coincidence, what google returns on 55808:
    "A new worm, W32/Vote.A hit the streets yesterday (09/24/01), ..." [nod32.com]

    According to various virus sites, this worm has a payload site of 55808 bytes and is trying to download a trojan.
  • Interesting (Score:5, Interesting)

    by chendo (678767) on Sunday June 22, 2003 @07:20AM (#6266303)
    This indirect approach to communicate is very interesting, as it's indirect.

    The trojan could broadcast the 'odd data', containing information, and such, while another trojan can listen for weird packets like those, and grab info from them.

    As the source cannot be identified easily, it would be very hard to discover the infected computer, and the destination doesn't exist, it's a weird way to communicate.

    My two cents.
  • News Flash (Score:5, Funny)

    by Pflipp (130638) on Sunday June 22, 2003 @07:20AM (#6266307)
    "The amount of odd data takes about half of the Internet's bandwidth, consisting primarily of ones", a representative said. "We're currently trying to find a way to filter this odd data, so that we only have the zeroes left. The capacity effect for the Internet should be huge."

    A representative from the WinZip company could confirm that data containing only zeroes can also be compressed at much better ratios than data containing both ones and zeroes.

  • by drmofe (523606)

    ...don't routers just refuse to send on data that comes from a spoofed address? If on the backbone, you see a destination IP that is reserved, just dump the packets.

    • Re:Why... (Score:5, Informative)

      by Anonymous Coward on Sunday June 22, 2003 @07:40AM (#6266350)
      If you're a router on "the backbone", you have better things to do than verifying the sender's ip address by taking another look at the routing tables. You're more concerned with getting the packet out of your buffers as fast as you can. If at all, border routers do the filtering.
    • Re:Why... (Score:5, Informative)

      by ReTay (164994) on Sunday June 22, 2003 @08:03AM (#6266394)
      Well maintained routers do that. A responsible network engineer will set three "good neighbor" rules into his border routers

      1. No packet is allowed out that is not from an internal IP
      2. No packet is allowed in that is marked from an internal IP address.
      3. All packets with non-routable IPs are dropped
      And the following can be considered a good idea.
      4. Log any packets that violate the above rules.

      However convincing a company that it is necessary to be a good neighbor is another thing altogether. Convincing them that spending time and money to do so can be an uphill battle at best. It is easy to understand when some NE just gives up trying.
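The three border rules above, plus the logging rule, written out as a checkable policy and run over a handful of packets; this is an added example, not anything from the thread or a router vendor, and the internal block 203.0.113.0/24 is a documentation-range placeholder.

```python
"""Border-router 'good neighbor' rules as a checkable policy.

Added example, not from the thread or any vendor. Assumes a fictional
site whose internal block is 203.0.113.0/24 (a documentation range used
as a placeholder); packets are modelled as plain records.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Non-routable ranges ("the '555' networks" in the thread): RFC 1918
# private space. Rule 3 drops anything carrying them as src or dst.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder for the site's own address block (assumption).
INTERNAL = ipaddress.ip_network("203.0.113.0/24")


@dataclass
class Packet:
    direction: str  # "out": leaving our network; "in": entering it
    src: str
    dst: str


@dataclass
class Verdict:
    action: str            # "allow" or "drop"
    rule: Optional[int]    # which of rules 1-3 fired, None if allowed
    reason: str


def is_non_routable(addr) -> bool:
    return any(addr in net for net in NON_ROUTABLE)


def border_filter(pkt: Packet, internal=INTERNAL) -> Verdict:
    """Apply the three filtering rules to one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Rule 3: reserved addresses never belong at the border in either direction.
    if is_non_routable(src) or is_non_routable(dst):
        return Verdict("drop", 3, "non-routable address")
    # Rule 1: egress filtering, nothing leaves claiming a foreign source.
    if pkt.direction == "out" and src not in internal:
        return Verdict("drop", 1, "outbound packet with non-internal source")
    # Rule 2: ingress filtering, nothing enters claiming to be us.
    if pkt.direction == "in" and src in internal:
        return Verdict("drop", 2, "inbound packet with internal source")
    return Verdict("allow", None, "ok")


def apply_policy(packets: List[Packet], internal=INTERNAL) -> Tuple[List[Verdict], List[str]]:
    """Rule 4: every drop is logged. Returns (verdicts, log lines)."""
    verdicts, log = [], []
    for pkt in packets:
        v = border_filter(pkt, internal)
        verdicts.append(v)
        if v.action == "drop":
            log.append(f"rule{v.rule} drop {pkt.direction} {pkt.src}->{pkt.dst}: {v.reason}")
    return verdicts, log


# Constructed sample: one legitimate flow and one violation of each rule,
# including a 55808-style SYN spoofed from 10/8 that rule 3 stops at the edge.
SAMPLE = [
    Packet("out", "203.0.113.5", "198.51.100.20"),   # normal outbound
    Packet("out", "198.51.100.7", "192.0.2.9"),      # spoofed egress (rule 1)
    Packet("in", "203.0.113.9", "203.0.113.5"),      # claims to be us (rule 2)
    Packet("in", "10.44.7.2", "203.0.113.77"),       # reserved source (rule 3)
]

if __name__ == "__main__":
    _, log_lines = apply_policy(SAMPLE)
    print("\n".join(log_lines))
```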
    • Re:Why... (Score:5, Insightful)

      by gclef (96311) on Sunday June 22, 2003 @08:18AM (#6266428)
      As someone else has mentioned, the backbone is a terrible place to do filtering. The backbone has better things to do with its CPU time (like, routing between multiple DS3s, etc). Filtering is best done at the edge, meaning at the point where the customer is actually connected. If you filter there, you should have a good idea of exactly which sources are allowed to exist on this network, and should be able to build very strict filters on a router that isn't seeing massive amounts of traffic.
      The problems with this are: 1) it relies on everyone behaving & having a clue. As we've seen with patches, that just doesn't happen. 2) There are all sorts of situations (like customers multi-homing) that make these filters not scale well, so some ISPs just leave them off entirely.
      This subject has come up on NANOG about every other month for the past few years. It's not been resolved yet.
  • History repeats (Score:5, Insightful)

    by Zapper (68283) on Sunday June 22, 2003 @07:31AM (#6266329) Homepage Journal
    From the article: '' "I don't think it is a serious threat because it's not self-replicating," Meltzer said. "And it hasn't caused serious disruptions to anyone." ''

    Sounds like famous last words to me...

  • Whatever (Score:4, Funny)

    by Jesus IS the Devil (317662) on Sunday June 22, 2003 @07:34AM (#6266334)
    CNuts is reporting that 'janitors and plumbers continue to search for the cause of an increasing amount of old condoms that have been left on public toilets.' While this has been going on now for a few days and some experts have already declared victory against the 'Trojans', others aren't so sure that the real culprit has been identified yet.
  • by Myself (57572) on Sunday June 22, 2003 @07:39AM (#6266346) Journal
    If nobody's ever found an infected machine how can anyone declare this thing anything more than a phenomenon involving strange packets? "trojan" is a pretty narrow definition, and it sounds like it's being misused.

    Secondly, all the worry about the 'unallocated' IP space is easy to explain, and here's my theory: The perpetrator has gained control of several core routers, and added routes to them for this address space. Then they've compromised machines (or perhaps are using routines on the routers themselves) to analyze the packets destined for that space.

    They're simply scanning the internet for something interesting. The packet length is a clue as to what. Whatever they're looking for will respond strangely to such a packet. When they find it, the response packet goes to the router which would normally toss it in the bitbucket, but because it's now been given a route, the packet is logged for further exploitation.
    • by evilviper (135110) on Sunday June 22, 2003 @09:32AM (#6266583) Journal
      here's my theory: The perpetrator has gained control of several core routers, and added routes to them for this address space

      That's not real likely, and I don't just say that because of the difficulty of taking control of core routers...

      Even if the core routers had that new route added, other routers that these packets go through would drop them, meaning it won't get through. Now, it might be a possibility if these large packets were only being sent to machines one hop away from the violated router, but nothing like that was mentioned in the article, and that would definitely be significant.

      They're simply scanning the internet for something interesting.

      If they can't possibly receive a response, I have no idea what use this would be, unless this large packet has some viral payload (like Slammer)...

      What's my opinion? Well thanks for asking. I really just think that this is a good program gone bad. Perhaps there's a bug in some popular program like Kazaa that makes every 1 in 10 billion packets malformed like this. I really can't see the usefulness of these packets, so (if the article didn't leave anything significant out) it's safe to assume that they are simply a programming error...
  • by Bostik (92589) on Sunday June 22, 2003 @07:40AM (#6266348)

    Intrusec posted an analysis of a single trojan they had dissected. It was posted both on BugTraq and Incidents, but the former had better formatting. Read the lengthy description here. [securityfocus.com]

    It seems ISS pulled their information from Intrusec's report. As to the copycat nature of this trojan, Intrusec researchers believe this piece of code is not the real trojan but simply a good imitation, built on the information already discovered of the '55808' trojan and designed to match the known behaviour.

    Disclaimer: I just read the mailing-lists. This particular analysis was remarkably well-written, informative and therefore an enlightening read. Compared to the less informative reports seen about weekly, it was a real delight.

  • Purposely Broken? (Score:5, Interesting)

    by lord_humungous (540358) on Sunday June 22, 2003 @07:43AM (#6266355)
    "It is very buggy," Ingevaldson said. "It didn't even write information to its data file correctly."

    Stupid question: Can you think of a program that was written to appear broken, but actually functions in a way that is not immediately apparent? The thought crossed my mind when I saw everyone writing this off as buggy code.

    • Re:Purposely Broken? (Score:5, Informative)

      by AKnightCowboy (608632) on Sunday June 22, 2003 @07:49AM (#6266366)
      Stupid question: Can you think of a program that was written to appear broken, but actually functions in a way that is not immediately apparent?

      Traceroute. It sends traffic out to UDP ports that wouldn't possibly be listening on the remote host with TTL values that ensure it won't get there. The magic is in the ICMP TTL exceeded replies of course. At first glance to someone who doesn't understand what it's doing, it would appear broken though. That's actually a useful network tool, think of what kind of stuff the black hats have been writing to masquerade their traffic and probing.

  • Uh oh... (Score:2, Funny)

    by dr_strang (32799)
    I think the internet is becoming sentient. That's the reason for the anomalous packets. I just know it. It's the beginning of the end. It's probably laughing at us trying to decode the new neural transmissions it is making in the form of malformed packets.
  • by bazik (672335) on Sunday June 22, 2003 @07:52AM (#6266375) Homepage Journal
    From: "David J. Meltzer" djm@intrusec.com
    To: bugtraq@securityfocus.com, incidents@securityfocus.com
    Subject: Intrusec 55808 Trojan Analysis
    Date: Fri, 20 Jun 2003 06:59:15 -0400

    Intrusec Alert: 55808 Trojan Analysis

    Initial Release: 6/19/03 4:30PM EDT
    Latest Update: 6/19/03 11:13PM EDT

    - Corrected analysis regarding use of sequence numbers to change IP
    address.
    - Added reference to alternate name "Stumbler" given to trojan by
    Internet Security Systems subsequent to the release of Intrusec's
    analysis.

    Introduction:

    Intrusec has completed an initial analysis of a trojan that appears to
    be one of several that is responsible for generating substantial
    scanning traffic across the Internet with a TCP window size of 55808.
    The trojan we have isolated appears to match many of the characteristics
    that others in the security community have reported for this trojan.
    However, we do not believe that the specific trojan we have identified
    is the sole source of the traffic generated, and do not know that it is
    a primary source.

    The information we've been able to gather leads us to believe that the
    trojan we have captured is not the original source of the 55808 traffic
    that has been seen, but is rather a "copycat", created to mimic the
    behavior of another trojan or worm. The behavior of this copycat appears
    to be based on press releases, news articles, and mailing lists that
    described its hypothetical behavior and known output. Nonetheless, this
    copycat trojan appears to be actively deployed on systems across the
    Internet and is something security professionals should be aware of.
    Details contained in this analysis will be updated, and linked to
    numerous analyses that will be done by other security researchers, as
    they become available.

    Please visit and link to http://www.intrusec.com/55808.html to receive the
    latest information available regarding this trojan. There is apt to be great
    discussion about the nature of this "trojan" and whether in fact it is
    accurately characterized as a trojan, backdoor, zombie, or worm. While
    the specific binaries we have captured are probably described as a
    trojan or zombie, there is no assurance that other variants of this
    trojan may not be far more malicious in nature and contain worm or
    backdoor functionality. We are referring to the trojan we have captured,
    and the presumed other existing trojans generating similar traffic as
    "55808 Trojans," and the specific binary we have analyzed as "55808
    Trojan - Variant A." All discussion in our analysis section refers
    specifically to the 'A' variant we have captured. Internet Security
    Systems subsequent to the release of this alert dubbed this "Stumbler",
    and refers to this same trojan by that name.

    Analysis:

    This trojan aims to be a distributed port scanner whose presence is very
    difficult to detect. It port scans random addresses across the IP
    address space, with a random source address also spoofed. By spoofing
    the source address, the trojan is able to avoid easy detection, but it
    also means it can not receive the results of the TCP SYN that is sent.
    However, since the trojan also sniffs the network it is on in
    promiscuous mode, it is likely, over time, to pick up scans from other
    installations of trojans that randomly selected a source address that
    happened to be on its subnet. As the number of trojans installed across
    the Internet grows, more spoofed packets will be sent out by each
    trojan, and more of the spoofed source addresses will be captured by
    other trojans.

    Each time a reply to a trojan is seen, indicating an open port has been
    found, it is written to a file and saved. Daily, the trojan will then
    deliver the list of open ports it recorded while sniffing to a file and
    deliver that file to a predefined IP address.

    In addition, a specially crafted packet can be sent to the subnet the
    trojan
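A triage routine for the traffic the Intrusec analysis describes, scoring each SYN on the three signals posters in this thread report (the 55808 window, a reserved spoofed source, and the same tuple repeating); this is an added example, not Intrusec's code, and the records are constructed. It deliberately needs more than one signal, since other posters note eDonkey clients and an unrelated IRC bot also used window 55808.

```python
"""Triage for the '55808' SYN traffic described in the Intrusec analysis.

Added example, not Intrusec's code or anything from the thread; the records
below are constructed. It scores each SYN on three signals the thread
reports, since no single one is conclusive (eDonkey clients and an
unrelated IRC bot were also seen using window 55808).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

ODD_WINDOW = 55808  # the TCP window size the whole thread is about

# RFC 1918 space: the "'555' networks" posters saw as spoofed sources.
RESERVED = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Key = Tuple[str, str, int, int]   # (src, dst, sport, dport)


@dataclass(frozen=True)
class Syn:
    src: str
    dst: str
    sport: int
    dport: int
    window: int

    def key(self) -> Key:
        return (self.src, self.dst, self.sport, self.dport)


def reserved_source(syn: Syn) -> bool:
    return any(ipaddress.ip_address(syn.src) in net for net in RESERVED)


def repeated_keys(syns: List[Syn], min_count: int) -> Dict[Key, int]:
    """Tuples seen at least min_count times: the 'same packet over and over'
    pattern one poster measured at 81% of the odd traffic on a /24."""
    counts = Counter(s.key() for s in syns)
    return {k: n for k, n in counts.items() if n >= min_count}


def triage(syns: List[Syn], min_repeats: int = 3) -> Dict[Key, List[str]]:
    """Map each distinct tuple to the list of signals it trips."""
    repeats = repeated_keys(syns, min_repeats)
    result: Dict[Key, List[str]] = {}
    for s in syns:
        k = s.key()
        if k in result:
            continue
        signals = []
        if s.window == ODD_WINDOW:
            signals.append("window_55808")
        if reserved_source(s):
            signals.append("reserved_source")
        if k in repeats:
            signals.append(f"repeated_x{repeats[k]}")
        result[k] = signals
    return result


def likely_55808(syns: List[Syn], min_repeats: int = 3, min_signals: int = 2) -> List[Key]:
    """Tuples tripping at least min_signals of the three signals, in first-seen order."""
    return [k for k, sig in triage(syns, min_repeats).items() if len(sig) >= min_signals]


# Constructed records (documentation and private ranges only).
SAMPLE = (
    [Syn("10.44.7.2", "203.0.113.77", 40000, 22, ODD_WINDOW)] * 5   # all three signals
    + [Syn("198.51.100.9", "203.0.113.10", 4662, 4662, ODD_WINDOW)]  # odd window alone
    + [Syn("192.0.2.5", "203.0.113.10", 51000, 80, 65535)] * 4       # ordinary retry
    + [Syn("172.20.1.1", "203.0.113.200", 3000, 25, ODD_WINDOW)]     # odd window + spoof
)

if __name__ == "__main__":
    for k, sig in triage(SAMPLE).items():
        print(k, sig)
    print("likely 55808:", likely_55808(SAMPLE))
```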
    • Okay, this thing sounds like Linux, so I have two questions:

      (1) is there a way to packet-sniff/log your own outgoing packets, in order to find out the size of your own outgoing packets, and *see* if this is on your own system? Sorry, I'm still learning on my own about Linux, and haven't yet mastered security. My ISP does some firewalling, so that helps, but really I'm on borrowed time, so I hope to pick things up as I go.

      (2) This might be really stupid, might be unrelated, but might be of concern: I ha
  • P2P (Score:5, Interesting)

    by Anonymous Coward on Sunday June 22, 2003 @07:54AM (#6266378)
    This is a concept true-anonymous (not just group-anonymous) encrypted stealth P2P application currently in non-public development. We will not give its official name here as development is in early stages of design refinement, but the current prototype is codenamed "rolypoly".

    It would appear that someone has been testing it on the Internet instead of our private testing VPN, probably unwittingly via a misconfigured gateway. We apologise for this as it is a private research project, although it is a testament to our protocol that even though it is in design, we are ourselves already unable to trace the source, and will have to actually telephone each tester to determine who it is!

    We apologise for the strange nature of the packets, and will conduct the probes in a different manner in the next version, as we have devised an improved method which will conserve a lot of bandwidth, to be implemented in the next prototype, "strudel". The fixed window size is a simple bug that will be corrected, as padding should not only be mimic-function quasi-random, but the packets should be over ten times smaller! The behaviour of later versions is likely to differ considerably, and should approach unfilterable "noise" or resemble legitimate traffic, especially behind firewalls (strudel should be able to bridge even web proxy-only scenarios, and reduced connectivity will merely slow things down). You may also find that later versions utilise multicast to a certain extent.

    Nodes capable of transmitting packets with spoofed IPs are used to connect two hosts behind firewalls (by issuing handshake responses "for" them), and for one-way anonymous automated host discovery without need for a nodelist. Many ISPs block such packets, so nodes capable of doing this are valued even if they are low-bandwidth.

    We are not responsible, by the way, for the copycat trojans that have been popping up mimicking the traffic caused by the errant test, and we do not know who is.

    Posted via an anonymous proxy for our protection.
    • Re:P2P (Score:2, Interesting)

      Even if the parent post is BS, anonymous P2P using techniques like this do seem the next inevitable step in the P2P arms race... Maybe there is some truth in it?
  • Oh, the pain. (Score:4, Interesting)

    by Davak (526912) on Sunday June 22, 2003 @07:57AM (#6266383) Homepage
    Gasp. A *nix trojan?!? Everything that slashdot has taught me must be untrue! HHHAAAAARRRR! [slashdot.org]

    Anyway, this seems to be a perfect stealth mapping technique for a future worm author, researcher, or even a government. The receiver of the information will probably be discovered once several of these trojans are found in the wild. Even though they are mostly spewing junk... the "true" information is probably maintained by all the trojans.

    What surprises me is that this thing is creating enough traffic to get noticed... but not figured out.

    Cool stuff.

    Davak
    • Gasp. A *nix trojan?!? Everything that slashdot has taught me must be untrue!

      As far as I can see, it's not a Trojan at all. Maybe a worm (and maybe not). A Trojan would be, say, me sending you this really cool screensaver (or whatever), and you running it.

      And, while you might certainly get screwed by a Trojan, on a Unix system nobody else sharing the system will feel it (unless you ran it as root, in which case I feel very sorry for you, after everyone finds out why their stuff got hosed). Regular user a
  • by Anonymous Coward
    Because I've tried twice now to get a discussion going on it. I first heard about it on a radio show last week, and when I asked about it in another security thread I got told I "listened to art bell" which means "it wasn't happening", yet here we see that it was, and the commentor got a + bonus for that witty reply. Then I tried it as an AC story submitter, rejected of course.

    Ok, Now that that is over, I'm going to try again with what I have heard, again, this is second hand but with the existence officia
    • This new "odd data" is mimicking the attack parameters of the previous bugbear variant, because it's appearing to target more banks and government institutions rather than random internet addresses

      I don't know where you got that from, but it's not true. We are seeing this to and from random internet addresses.

      this is why the lack of detail in the published articles, it's a serious national security thing.

      The lack of detail is due to the fact the traffic itself has no clear purpose, but some security compa

  • Idle Scan (Score:2, Interesting)

    by eadz (412417)
    This couldn't have anything to do with idle scanning [insecure.org] could it?
    Idle scanning doesn't require a valid source IP address.
    • Idle scanning doesn't require a valid source IP address.

      Yes, it does. It merely hides your true IP address from the system you are attacking by utilizing an "idle host" as a man-in-the-middle. You find out what ports are open by counting the sequence of IP ID numbers on the idle host. The traffic between the idle host and your target will have valid and routable source and destination IP addresses.

  • Not found (Score:3, Funny)

    by Tar-Palantir (590548) on Sunday June 22, 2003 @08:55AM (#6266486)
    Other stories can be found here(1) and here(2)."


    # man 1 here
    No entry for here in section 1 of the manual.
    # man 2 here
    No entry for here in section 2 of the manual.
  • by tanveer1979 (530624) on Sunday June 22, 2003 @09:06AM (#6266503) Homepage Journal
    Call Opt Trans received 18:35:11
    Call serial number 2323243-3232-4354654
    Call origin

    This kind of odd data patterns are inevitable. Actually when exiles login into the matrix they appear inside the matrix as the code. Now along with this code some junk code is also generated.

    This is a clear indication that exile activity is increasing. We need to create more agents to counter the exiles. There is a talk of the exile who wants to destroy the matrix. Due to the programming anomaly in the exile lots of junk traffic is being generated. The target is the source server at redmond. Under no circumstances should the server be compromised

  • Are you sure it isn't a timing signal that's slowly counting down to when the aliens attack? You'd better get Jeff Goldblum on it right away!
  • This is such an opportunity to post a good example of 'odd data' found on the Internet together with suitable jokes about 'back doors'. What's wrong with Slashdot these days?
  • by BobLenon (67838) on Sunday June 22, 2003 @09:53AM (#6266692) Homepage
    Something in the articles caught me. In InformationWeek, the "trojan" is said to be Linux based. Internet Week said it was Unix. However, the news.com story claims no knowledge about its afflicted platforms, then links to a Network Assoc. page - claiming it to be Windows based?
    • The Windows-based code is _not_ the trojan that Intrusec and ISS analyzed. It was an IRC bot that I analyzed and sent to the AV companies, pointing out that it also used a window size of 55808 when synflooding victims, so you couldn't just take seeing that size option as evidence that you were seeing the "odd" traffic; the packet-building code could have been re-used elsewhere for other purposes as well.
  • 1024 byte window? (Score:3, Insightful)

    by treat (84622) on Sunday June 22, 2003 @09:59AM (#6266724)
    Typically, when first connecting to another computer, a device on the Internet will use a lower window size--say, 1,024 bytes.

    What OS uses a window this small by default? Why would you ever set an initial window smaller than the mss?

  • I think this [slashdot.org] is probably the reason.
  • This is from intrusec itself. It goes into a lot more detail:
    Intrusec Alert: 55808 Trojan Analysis

    Initial Release: 6/19/03 4:30PM EDT
    Latest Update: 6/19/03 11:13PM EDT

    - Corrected analysis regarding use of sequence numbers to change IP
    address.
    - Added reference to alternate name "Stumbler" given to trojan by
    Internet Security Systems subsequent to the release of Intrusec's
    analysis.

    Introduction:

    Intrusec has completed an initial analysis of a trojan that appears to
    be one of several that is responsible for ge
  • by DrSkwid (118965) on Sunday June 22, 2003 @10:25AM (#6266855) Homepage Journal
    Some people initially believed the data was sent by a worm that used the Internet relay chat (IRC) system, a precursor to the popular instant-messaging networks, to communicate.

    see, IRC is dead because we're all using AIM now!

  • go hunting (Score:5, Interesting)

    by graf0z (464763) on Sunday June 22, 2003 @11:17AM (#6267151)
    Fishing for tcp-packets with window size of 55808:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &
    View that dump with ethereal. On a router in front of 533 IPs I got 1594 packets in 154000 seconds, that's an average hit rate of one packet every 14h (per IP). As (most? all) IPs are spoofed, not really fascinating. But wait:
    • only 31 of those 533 IPs got hit
    • only 11 of those 31 IPs got hit more than 3 times
    • these 11 "main targets" got 1561 of the 1594 packets
    • each of these main targets was hit on _one_ single dest port (but from many - spoofed - src IPs)
    ... so the target IP seems to be _not_ randomly distributed. Supports the hypothesis of a kind of portscanner

    Anybody decoding the secret message in the initial sequence numbers ;-?

    /graf0z.
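    The same hunt replayed offline, as an added example that is not the poster's tooling. The tcpdump filter in the comment above, 'tcp and tcp[14:2] = 55808', compares the two-byte window field at offset 14 of the TCP header; the function below does exactly that over raw IPv4/TCP packet bytes, then tallies hits per destination (IP, port) the way the comment does, and counts how many hits carry an unroutable source (the 10/8, 172.16/12, 192.168/16 and similar ranges mentioned elsewhere on this page). The traffic is constructed here, not a capture: all addresses are from the RFC 5737 documentation ranges (which the bogon list below deliberately leaves out so they can stand in for real ones), and the counts are made up. Note the one packet with the right window size but a plausible source: as an earlier reply points out, an unrelated IRC bot used the same window when SYN flooding, so the window alone is not proof you are looking at the "odd" traffic.

    ```python
    """Replaying 'tcp[14:2] = 55808' over constructed IPv4/TCP packets.

    Added example with constructed data. build_packet() produces a minimal
    20-byte IPv4 header plus 20-byte TCP header (no options, checksums zero);
    parse_packet() pulls out the fields a hunter cares about; summarize()
    groups matching packets per destination IP and port.
    """
    import ipaddress
    import struct
    from collections import Counter, defaultdict

    WINDOW_OF_INTEREST = 55808
    SYN = 0x02

    # Unroutable / reserved source space as discussed on this page (not the full
    # bogon list, and not including the RFC 5737 documentation ranges used below).
    BOGON_NETS = [ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


    def build_packet(src, dst, sport, dport, window, flags=SYN, seq=0):
        """Minimal IPv4 + TCP header pair, big-endian, no payload."""
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                             ipaddress.IPv4Address(src).packed,
                             ipaddress.IPv4Address(dst).packed)
        tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                              5 << 4, flags, window, 0, 0)
        return ip_hdr + tcp_hdr


    def parse_packet(buf):
        """Return the interesting fields, or None if this is not TCP over IPv4."""
        if len(buf) < 20 or buf[0] >> 4 != 4:
            return None
        ihl = (buf[0] & 0x0F) * 4
        if buf[9] != 6 or len(buf) < ihl + 20:
            return None
        tcp = buf[ihl:]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        return {
            "src": str(ipaddress.IPv4Address(buf[12:16])),
            "dst": str(ipaddress.IPv4Address(buf[16:20])),
            "sport": sport, "dport": dport, "seq": seq,
            "flags": tcp[13],
            "window": struct.unpack("!H", tcp[14:16])[0],   # tcpdump's tcp[14:2]
        }


    def matches_filter(pkt, window=WINDOW_OF_INTEREST):
        """Python equivalent of 'tcp and tcp[14:2] = <window>'."""
        return pkt is not None and pkt["window"] == window


    def is_unroutable_source(ip):
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in BOGON_NETS)


    def summarize(raw_packets):
        """Hit count, hits per (dst, dport), ports seen per dst, spoofed-source count."""
        hits = [p for p in map(parse_packet, raw_packets) if matches_filter(p)]
        per_target = Counter((p["dst"], p["dport"]) for p in hits)
        ports_per_dst = defaultdict(set)
        for p in hits:
            ports_per_dst[p["dst"]].add(p["dport"])
        return {
            "hits": len(hits),
            "per_target": per_target,
            "single_port_targets": sorted(d for d, ps in ports_per_dst.items() if len(ps) == 1),
            "unroutable_src": sum(1 for p in hits if is_unroutable_source(p["src"])),
        }


    def sample_capture():
        """Constructed traffic: 5 spoofed hits on one target port, 2 on a second,
        one same-window SYN from a plausible source, and one ordinary SYN."""
        pkts = [build_packet(f"10.{i}.{i}.{i}", "198.51.100.10", 40000 + i, 80,
                             WINDOW_OF_INTEREST, seq=0x11111111 * (i + 1)) for i in range(5)]
        pkts.append(build_packet("172.16.5.5", "198.51.100.20", 1234, 8080, WINDOW_OF_INTEREST))
        pkts.append(build_packet("192.168.1.99", "198.51.100.20", 1235, 8080, WINDOW_OF_INTEREST))
        pkts.append(build_packet("203.0.113.7", "198.51.100.30", 2000, 22, WINDOW_OF_INTEREST))
        pkts.append(build_packet("203.0.113.8", "198.51.100.10", 3000, 80, 65535))
        return pkts


    if __name__ == "__main__":
        print(summarize(sample_capture()))
    ```

    With a real dump, read the packets from the pcap (stripping the link-layer header first) and feed them to summarize(); the per-target counter is what tells a scanner's non-random targeting apart from random spray.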

  • ... It's "Operation Phase Two" for Bonzi Buddy.
  • collaboration (Score:5, Interesting)

    by option8 (16509) on Sunday June 22, 2003 @11:25AM (#6267199) Homepage
    worm #1 works quietly, propagating slowly and with little fanfare, works its way around hiding its signal in the network noise of a popular operating system that's fraught with security holes. if discovered, considered harmless, no payload, no harm done. low priority.

    waits. listens.

    worm #2 barges around making lots of noise, none of it intelligible. targets servers running a particular server OS, routers, places where network traffic converges, is distributed. propagates to only a few choice locations, distribution points. sends out floods of gibberish to nobody in particular, not necessarily needing a reply.

    considered buggy, bothersome but harmless.

    worm #1 picks up on the gibber, each of the messages from different distribution points somehow encoded with their point of origin, instructions, parts of a payload. when enough of the message has been reassembled, enough of the network space mapped, worm #1 rebuilds itself. takes action.

    a worm with no payload, and a payload with no worm. collaboration. cross-pollination.

    fantasy?
  • This phenomenon appears all over the universe. Scientists call it dark energy [cnn.com]. No one really knows how it can interact with us, but such a wide spread manifestation of odd data can only be caused by a dark energy operating on a universal scale.

    Dark energy is actually waste from an alien intelligence. Remember, for every action there is an equal but opposite reaction. The aliens are trying to accumulate as much mass energy as they can but they are cause a lot of mass energy to be pushed away because they ne
  • by asr_br (143523) <ademar@ad e m a r .org> on Sunday June 22, 2003 @11:27AM (#6267211) Homepage
    This "odd data" is the sum of a remainder of an unbalanced equation inherent to the programming of the TCP/IP protocol. This is the eventuality of an anomaly, which, despite the IETF sincerest efforts, they have been unable to eliminate from what is otherwise a harmony of mathematical precision...

    The first designed TCP/IP suite was quite naturally perfect, it was a work of art - flawless, sublime. A triumph equalled only by its monumental failure. The inevitability of its doom is apparent to me now as a consequence of the imperfection inherent in every router. Thus, we redesigned it based on the failure history to more accurately reflect the varying grotesqueries of the router's nature. However, we were again frustrated by failure. We have since come to understand that the answer eluded us because it required a lesser OS, or perhaps an OS less bound by the parameters of perfection. Thus the answer was stumbled upon by another - a bogus program, initially created to explore certain aspects of the original IBM/PC. If Unix is the father of the Internet, Windows would undoubtedly be its mother.

    Windows stumbled upon a solution whereby nearly 95% of all desktop users accepted the program, as long as the servers were running Unix, thus keeping the desktop users only aware of the perfection at a near unconscious level. While this schema functioned, it was obviously fundamentally flawed, thus creating the otherwise contradictory systemic anomaly, that if left unchecked might threaten the system itself. Ergo those that refused the program, while a minority, if unchecked, would constitute an escalating probability of disaster.

    The function of this "odd data" is to find and infect every Unix station connected to the internet and report it to the source. After which, all Unix stations must be replaced by windows systems. Failure to comply with this process will result in a cataclysmic system crash, destroying all networks connected to the Internet.

    Apropos, this "GNU/Linux OS" entered the Internet to free the desktop users from the bogus program...

    --
    if (foo + bar == foobar) { ...
    • Great, we get at least two matrix posts modded up to this level, but what about the possibility that it's the Knights of the Lambda Calculus communicating with (or simply just using) the 7th generation internet protocol?
  • Sounds like an anomaly in The Matrix. I wonder what that means...
  • searching on Google led me to a discussion at umr.edu

    Spoofed TCP SYNs w/Winsize 55808 (was: Help with an odd log file...) [umr.edu]

    It shows a log file with the 55808 data in it, in case anyone is interested in seeing the actual data.
  • by Komodo (7029) on Sunday June 22, 2003 @01:22PM (#6267767) Homepage
    It's a zip code centered on Grand Avenue in Duluth, Minnesota. Could it be the originator's oddball signature?

    Several bulletin boards have more than 55808 messages. Including several mail-order brides sites (Irina looks pretty foxy).

    A monitor mounting arm from Eldon.

    A quote in the Columbia Book of Quotations, by Marie Stendahl. ('True love makes the thought of death frequent, easy, without terrors; it merely becomes the standard of comparison, the price one would pay for many things.')

    The lengths of several documents in the Purdue Judicial Database system, and the Novell documentation library.

    Requisition numbers for a 'shoulder or upper arm ultrasound scan' in the Australian Medicare system.
