Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

55808 Trojan Analysis 118

espo812 writes "This analysis of the 55808 trojan that has been circling the internet was just posted on Bugtraq . The good news (i guess?) is that apparentally it is just a proof of concept distributed scanner. The bad news is they think they just caught a copycat version of the origional trojan. ISS also has an analysis."
This discussion has been archived. No new comments can be posted.

55808 Trojan Analysis

Comments Filter:
  • by Scoria ( 264473 ) * <slashmail@ i n i t i a l i z e d.org> on Sunday June 22, 2003 @10:17AM (#6267148) Homepage
    Timothy published [slashdot.org] related information this morning. Perhaps "55808" is attempting to locate Slashdot duplicates. ;-)
    • by espo812 ( 261758 )
      2003-06-22 06:11:55 55808 Trojan Analysis (articles,security) (accepted) That time is GMT. So I submitted it well before the first incarnation of this article was posted. Also, sorry for my bad spelling.
  • by rf0 ( 159958 ) <rghf@fsck.me.uk> on Sunday June 22, 2003 @10:20AM (#6267166) Homepage
    In that as a port scanner normally has to set the desitantion address on the packets to itself to get the results. Along with this packet it also might send out 100's of spoofs. This one on the other hand send out nothing but forged packets

    However as its listening in promiscous mode it detects other packets from other trojans that have the network its on as the spoof address and the collects those results.

    This is what makes its so hard to find,for one reaons

    Rus
    • by Anonymous Coward
      wow!
      1.) quote article
      2.) karma

      now if we could remove the first step and make it

      1.) karma

      then we could add

      2.) profit!
    • This one on the other hand send out nothing but forged packets

      Indeed, but it seems to be sending them almost randomly across the internet...

      as its listening in promiscous mode it detects other packets from other trojans that have the network its on as the spoof address and the collects those results.

      Why does it need another trojan to do the job? If it's listening in on the network, why not just send a packet to the host it wants to find information about? Sure, it can still forge the source IP address

      • Listening for these things is hard, because they're not something routers are particularly good at, and big core routers are especially not good at it. Listening for IP destinations is easy - core routers usually don't do much more than this, and neither do gateway routers between bigger ISPs. Listening for IP sources is harder, and often burns CPU, and listening for TCP or UDP ports is even more likely to burn router CPU, but is still something routers aren't too bad at. Listening for TCP window size i
  • DoItYourself (Score:5, Informative)

    by graf0z ( 464763 ) on Sunday June 22, 2003 @10:27AM (#6267210)
    Analyse (like here [slashdot.org]) the target IPs & ports for Yourself:
    $ screen tcpdump -w /tmp/55808.dump -s1500 -n -i eth0 'tcp and tcp[14:2] = 55808' &

    If You have enough IPs, You'll see the gimmick ...

    /graf0z.

    • a thought just occured to me. Say there was a vulnerability in tcpdump (which there was). Say you could exploit this vulnerability remotely (which apparantly you could, but I might be thinking of something else). Say you wanted to trick a whole load of people into running tcpdump... one way would be to generate a whole load of strange packets and then announce on a public forum that people could use tcpdump to look at these strange packets... :)
  • New /. topic:
    Disassembling trojans online
  • by Bingo Foo ( 179380 ) on Sunday June 22, 2003 @10:32AM (#6267243)
    Their "flagship," the S.S.BOB

    Uh that's a de-leetified 55808 BTW
  • by GillBates0 ( 664202 ) on Sunday June 22, 2003 @10:33AM (#6267250) Homepage Journal
    From the BugTraq Post "The information we've been able to gather leads us to believe that the trojan we have captured is not the original source of the 55808 traffic that has been seen, but is rather a "copycat", created to mimic the behavior of another trojan or worm."

    The information we've been able to gather leads us to believe that the new article we're seeing is not the original source of the odd Slashdot-generated traffic that has been seen on the Internet, but is rather a "copycat", created to mimic the behavior of another article or story.

  • by Anonymous Coward on Sunday June 22, 2003 @10:55AM (#6267362)
    Check out http://news.com.com/2100-1002_3-1019759.html?tag=f d_top [com.com] about this. Looks like there are some conflicting claims about what this trojan is.
  • How does it spread? (Score:2, Interesting)

    by Anonymous Coward
    Every one of these articles mentions that the trojan doesn't self-propagate, it must be installed manually.

    So the obvious question that nobody is asking is, "who is installing this thing on all these servers?". It would have to be either (a) one guy with access to Unix servers all over the world, (b) a conspiracy of people who have such access, or (c) somebody is hacking into these servers to install the trojan - which seems like a much more newsworthy story, I would think.

    Can somebody explain?

    • by freeweed ( 309734 ) on Sunday June 22, 2003 @11:10AM (#6267433)
      The big Samba exploit a couple of months ago left a nice root shell bound to a fixed high port. What's interesting about this is that *many* exploits around the same time shared the same shellcode, and thus the same port.

      Doing some casual scanning at the time, I picked up hundreds of boxes with a root (or other user, local privlege escalation anyone?) shell open on that very port. This was only a couple of hours of scanning; imagine what I could have done given a few weeks.

    • Can somebody explain?
      "Automatic Update"?

      /M$ bashing.

    • My Spirit Guides inform me that the trojan originates at Orrin Hatch's office.

    • Well according to the analysis of the "Copy Cat Trojan", it seems like there is some built in "Self Destruct" code in which it tries to delete itself if it looses contact with the IP that it is supposed to be reporting back to.

      Could it be possible that the trojan code that they found is only part of the original program minus the infectious portion of the code. ie, self modifying code that deleted the portion of itself that performed the installation of the trojan to make iteself appear NOT to be self pr

  • by Anonymous Coward on Sunday June 22, 2003 @11:07AM (#6267423)
    "...ISS also has an analysis."

    They can perform packet sniffing and analysis from orbit?

    Geez, and to all you naysayers who claim that a reduced two-man crew could not get any science done!
  • Mabye this guy is looking for something? 224 and up are used for only god knows what.
  • It's just amazing (Score:5, Insightful)

    by mcrbids ( 148650 ) on Sunday June 22, 2003 @11:50AM (#6267631) Journal
    What I find most amazing is not that these exploits, worms, and trojans exist, or even that there are so many, but rather that there are so few.

    We can all thank our favorite dieties (cowboy Neal included) that economics work out such that those who are most capable of writing a true "nutbuster" malware are typically getting paid to write something more productive!

    Most of these worms and viruses are pretty lame - I read someplace that over 90% of worms and viruses never propogate enough to be "viable" - they are too ineffective to spread.

    The Internet is an amazingly powerful communications medium - but putting your stuff online is somewhat analogous to putting your stuff in the heart of Harlem - since everywhere has a "front door" there.

    The state of security on the Internet is bad, and will get worse before it gets better.
    • How bad is Internet security really? I work with computers for a living, I'm on the Internet almost constantly, and I don't think my life would be noticeably different if the Internet were 100% secure tomorrow. (Except that any practical means to accomplish complete security would probably be very unpleasant in itself).

      • Re:Cool! (Score:3, Insightful)

        by sigwinch ( 115375 )
        ...I don't think my life would be noticeably different if the Internet were 100% secure tomorrow.
        Do not confuse a low probability event with a low severity event.
        • Re:Cool! (Score:3, Interesting)

          by ReTay ( 164994 )
          The point of the parent was not that the Internet is not 100% secure.
          Ever heard of the following project?? Some good coders that got board⦠Care to imagine that would happen to your daily life and work if the Internet dissolved into chaos for a week or so?
          This kind of thought would make the worms and such that we have seen till now the kids toys they are.

          Over year ago, with couple of friends, we started writing a project, called
          'Samhain' (days ago, on packetstorm, I noticed cute program with s
          • The worm could should use as many proporgation methods as possible.

            General wormyness.
            Mass mailing.
            Embeding in HTML files.
            Even macro viruses.

            6. on polymorphism, why not get the worm to recompile it's self if it finds a compiler on the host.

      • Re:Cool! (Score:3, Insightful)

        by MeerCat ( 5914 )
        I don't think my life would be noticeably different if the Internet were 100% secure tomorrow

        Just because you personally aren't suffering from security problems right now means a secure internet wouldn't appear to change things much, but wait until you've been hit with a security related problem that wasted a week of time / lost you $1,000 / lost you your job / destroyed your credit rating / etc. - suddenly a secure internet becomes much more appealing.

        I don't want to sound like I'm being harsh on you,
    • The state of security on the Internet is bad, and will get worse before it gets better.

      That's why I pack my .357 Magnum with hollow point ammo when surfing nowadays.

      (Okay, not really, but I was looking at a Bersa Thunder .380 in the gun store yesterday...)
  • Doing a whois on the trojans default IP (12.108.65.76) if it fails to connect and deliver its list yeilds:

    AT&T WorldNet Services
    12.0.0.0 - 12.255.255.255

    MAY SYSTEMS DBA INTERNET CAFFE
    12.108.65.64 - 12.108.65.127
    • This is weirder... 55808 = 0xDA00 = \r\n\null\null in ascii which would look like end of line, end of file to me, having just written a pop3 database. 12.108.65.76 -> \nlAL in ascii could be some word game, like new line, el AL? DA 00, like russian for yes 00 ( may we say 7 ? ) or yes 00 as in the big 00 null null, like the nuke.
      • 0xDA00 (Score:3, Insightful)

        ...that would only yield { CR, LF, NUL, NUL } on a system with 4-bit chars.

        And, uh, that would be a hard system to get any real work done on, given that there are way more than 15 characters in the alphabet.
  • I'm sick of all of the security breaches in Linux. I'm going back to the warmth and security om MS Windows!

    Y.A.W.B.T.B (Yet Another Windows Bigot To Be)
  • by VCAGuy ( 660954 ) on Sunday June 22, 2003 @01:32PM (#6268101)
    Symantec AntiVirus Research Center has a write-up on 55808 (they're calling it "Trojan.Linux.Typot") at http://www.sarc.com/avcenter/venc/data/trojan.linu x.typot.html [sarc.com].
    • So, it hit less than 2 sites and less than 49 hosts, yet it gets this much publicity? WTF?

      I read the linked article, but I don't believe I read that right.

      • Stumbler is not capable of generating the traffic pattern observed in the initial and ongoing network traffic. Stumbler is the copycat that mimics a few of the publicly known charecteristics of still rising window size 55808 traffic with forged damn near everything.
  • by gmuslera ( 3436 ) on Sunday June 22, 2003 @01:37PM (#6268129) Homepage Journal
    This is not a virus, neither a worm. How one can be er... "infected" by this worm? is available already in rootkits? or distributed with another innocent looking program? This looks like need to be run as root, so have very few ways to spread, mostly depending on the bad behaviour of the system administrator.

    If its very widespread (I not did yet the tcpdump trick :) could mean that it could be attached to something in some way popular, or that is in fact a worm (i.e. taking advantage of some vulnerability to spread, and then do the scanning).

    • It is unlikely, but possible that this is another self
      modify piece of code . A piece of code that re-writes
      itself after stages of accomplishment .

      Once has has infected, remove the infection method so
      as to muddle the tracing process .

      Like a honey bee leaving it's stinger, but the bee dies .

      Part of the code is left to do its part, part is gone .

      If the guy is as smart as the person that wrote the Mr. Leaves
      worm then he may have it sending the data to a shell account
      harvesting on a encrypted network, both
  • by malia8888 ( 646496 ) on Sunday June 22, 2003 @01:55PM (#6268203)
    Press Release: Trojan Condoms will hereinafter be called "Greeks". As any mythology student knows the Greeks and the Trojans in mythology were opponents. The Trojan Company in an effort to distance itself from the "trojans" in the cyber world will change sides in this epic conflict and now refer to their fine product as "Greeks".

    Press Release Number Two: Bill's Bait Shop will now refer to their worms as "Fancy Pink Wriggling Fish Food". Bill's Bait Shop, in an effort to distance itself from the "worms" in the cyber world will now refer to their fine product as "Fancy Pink Wriggling Fish Food".

    • This reminds me, I've always thought trojan was a funny name for a condom. After all, when you say "trojan", what do most people think of? The "Trojan Horse".. which was created to get inside of (was it the walls of troy? I can't remember ATM..) Once inside, it burst open and a bunch of people came out of it to wreak havok on the city. Seems to be exactly what you DON'T want a condom to do, doesn't it? :)
  • How convenient (Score:4, Interesting)

    by Animats ( 122034 ) on Sunday June 22, 2003 @02:25PM (#6268341) Homepage
    Amazing how all these attacks appear, just annoying enough to make people buy "protection" from companies like McAfee, but not damaging enough to force OS vendors to actually design systems that are secure.

    Hmm.

    • Amazing how paranoid some people are :) Go on, what's your take on the JFK thing, or Roswell? :)
      • When was the last arrest of a virus author? 2001? And he turned himself in? Why, with all this "security" effort, aren't more people being caught.
        • Yeah, I was wondering this as well. Before (or during) Code Red it seems the U.S. athorities were actively hunting down virus writers, even in other countries.

          I haven't heard of anything like that since, and there have been a few nasty viruses.

          What gives?
      • Comment removed based on user account deletion
    • Re:How convenient (Score:2, Insightful)

      by ant_slayer ( 516684 )
      Dude,

      Technically, viruses and trojans will never prompt OS vendors to produce "better" products. This is because a virus or trojan does not necessarily take advantage of OS flaws. This trojan, for example, looks for existing backdoors and takes advantage of them. BAT.mumu and W32.deborm, of recent fame, attacked weak passwords (not weak OSs).

      The *concept* of a trojan or virus implies that an idiot user invokes it. If it's the idiot user that introduces the malicious code to the system, then how is tha
      • Viruses and trojans attack social weaknesses -- idiot users that execute attachments in Email, have weak passwords, or download programs from arbitrary web sites.

        Wrong answer. The OS should execute external content in an environment where it can't do anything harmful. That's what mandatory security models are for. Look at NSA Secure Linux.

  • It's his big move on July 17th!

    He's gonna put a big picture of his mug on the White House Web server with his tongue out and an MP3 playing, "Nyah-Nyah-Nyah-Nyah-Nyah"!

    George will have apoplexy and croak! And Saddam beats another George Bush again!

  • by Ex-MislTech ( 557759 ) on Sunday June 22, 2003 @10:50PM (#6270839)
    just a thought here , might check these links below,
    draw your own conclusions .

    http://www.hackology.com/programs/blackangel/gin fo .shtml

    http://www.sans.org/y2k/123199-945.htm

    Excerpt:

    A new Trojan called "Black Angel 2000" has come to our attention and in a beta testing phase by a small group of individuals. Check the text below issued by Munga Bunga taken from alt.2600.hackerz. Speculations from this newsgroup claims it could be a hoax but it is should be taken seriously until proven otherwise.

    Enclosed is an extract of the letter published by Mumga Bunga. Apparently, there are some copies of the software in use by beta testers. This group has a web site at http://www.hackology.com which provides more information.

    Stephen checked yesterday with some of the best people in the US and no one appears to have any insight about this new Trojan and its capability.

    It is possible some of the new unknown ports that have been probed in the past week could be associated with this new Trojan. If anyone within the SANS community have noticed any suspicious files, code, etc that maybe associated with this Trojan, please forward copies and any additional information to mailto:handler@incidents.org

    The following is an extract taken from alt.2600.hackerz:

    Dear prospective Black Angel user.

    This document should contain more information regarding the controversially coded program, "Black Angel"!

    Currently I can tell you that apart from the fact that the program is going to be amazing in itself, there shall be 3 new concepts in Black Angel,concepts that have never been exploited in such software before.

    One of those concepts is the ability to send the server file in the form of MyPic.jpg (with a jpg icon and a jpg extension). This isn't a big deal for us, and we are not referring to it as "revolutionary"! The file would look like a .jpg file in all ICQ transfers, Windows Explorer and Windows Properties (etc), even if they have file extension view enabled, it would still fully look the same (MyPic.jpg). We are yet to test it's appearance in DCC, and we shall soon. Remember I said the file (server) would look like a .jpg file, that shouldn't explicitly refer to any of the files true characteristics, properties or attributes! That's all I'll say regarding this concept.

    Remember, we don't think that's a "revolutionary" concept, not at all, it's nothing. Just another concept which would make Black Angel good software.

    The other two concepts relate to the "revolutionary move" that Black Angel is taking. I can not say anything else but the following...

    The second concept is to do with interface development and real time interactivity between the client program and the user. Here, we are taking the coded GUI to a new level, definitely a level that almost all of you have never even seen before! We are trying to make the program as "human" as possible, you can expect to see some amazing features.

    The third concept is to do with hiding your true Identity on the Internet this is by far the most important concept. If you have heard of the freedom project, I can tell you that freedom is NOTHING compared to the "freedom capabilities" of Black Angel! You would be able to do, what you never thought possible. In addition, it's all, obviously free!

    Also, our software is being built from scratch, we are worried about the factor of "time", we are trying to meet the deadline. But it's not easy to code, as you can imagine, and it is not a clone of any other lame software product either (for those of you who made such claims).

    I know there are some copies of Black Angel floating around, please dispose of them immediately, distribution of our beta software would not be gladly looked upon! Feel free to distribute this letter, however, to those who request more information. Current state: I'm finishing up the remote explorer and
  • by thogard ( 43403 ) on Monday June 23, 2003 @06:26AM (#6272052) Homepage
    This appears to be research efforts of guys who are working for the big spamers.

    What they want to do is be able to crack say 100 well connected servers. Each of those servers will send out packets with a forged source address of the other hacked servers. Some spamers are putting it all in one packet but its trivial to have sendmail check the buffer size after the HELO has come it. No real MTA will send anything extra. (Don't confuse this with Pipelining which allows the rest of the data to be sent in one packet). So now a spamer must send an inital tcp handshake and a HELO packet. If you keep track of the inital sequence number, you can have another server send the rest of the data.

    Most firewalls don't deal with this well. Some MTA's will have issues as well and it may find ways through spam filters. Keep in mind most firewalls only check the 1st packets and once the stream is set up, it just passes the packets through without any other checks.

    The solution to this is to get major ISPs to not send packets where both addresses aren't in their space but that will be bad news for dual homed sites.
  • I looked at this subject and thought it was about a Trojan asteroid. Me: "Why is this important enough for Slashdot? And why isn't it in the science section?" 55808 was discovered in 1994, but I don't know if it's a Trojan or not.

I cannot conceive that anybody will require multiplications at the rate of 40,000 or even 4,000 per hour ... -- F. H. Wales (1936)

Working...