[Snort-sigs] SID 106

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Fri Mar 1 06:42:28 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; \
    seq: 101058054; ack: 101058054; flags: A; reference:arachnids,445; sid:106; \
    classtype:misc-activity; rev:3;)

ACKcmd is a remote access tunnelling program that carries its traffic entirely
in TCP ACK segments. It is intended to defeat stateless packet filtering
firewalls, which commonly pass inbound ACK packets on the assumption that they
belong to an already established connection. It has two parts: a server, which
listens on port 1054, and a client, which sends from port 80.
The trojan was written as a proof of concept to show that a backdoor could
operate using only ACK packets. It currently works only on Windows 2000.
The trojan grants the attacker a shell on the compromised machine. It is not
considered much of a threat because it does not autoload on reboot and is
easily removed.
Detailed Information:
Systems Affected: Windows 2000

The trojan is distributed in two parts, Ackcmdc.exe and Ackcmds.exe; the former
is the client and the latter is the server. The server listens on port 1054 and
the client sends from port 80 (chosen because it is commonly allowed through
firewalls). The server hands a command shell to the client program. By scanning
the Internet for listening servers, an attacker can find hosts on which the
trojan is already running and take control of them. The rule above detects that
probe: an external host sending ACK-only segments from port 80 to port 1054
with the fixed sequence and acknowledgement numbers the rule specifies.
Attack Scenarios:
The conditions for an attack are limited. By some reports, the server places a
noticeable drain on system resources and slows the machine down. The trojan
also relies on the system being unguarded, or protected only by a packet
filtering firewall that passes unsolicited ACK packets. If these conditions are
met, the attacker can upload and download files, manipulate files, reboot the
machine, or gather data from it to work towards further exploits.
Ease of Attack:
Moderate to Hard, due to the conditions.
False Positives:
This rule could be triggered by ordinary web traffic that happens to meet the
specified criteria: an ACK-only segment from a web server (source port 80) to a
local client that chose port 1054, carrying exactly the sequence and
acknowledgement numbers the rule specifies. Also, simply being scanned is not an
indication that the trojan exists on your machine.
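The match conditions of SID 106, rewritten as an added example in plain Python (this is not code from the posting or from Snort): it parses raw IPv4/TCP packets and applies each condition of the rule to constructed sample packets, including the "normal web surfing" case from the False Positives note. $HOME_NET is assumed to be 192.168.0.0/16 and $EXTERNAL_NET is everything else; the packet bytes are constructed inline, not captured traffic.

```python
"""
Pure-Python re-implementation of the match conditions of Snort SID 106
(BACKDOOR ACKcmdC trojan scan), run over constructed IPv4/TCP packets.
Added example; not part of the original posting or of the Snort rule set.
Assumption: $HOME_NET is 192.168.0.0/16 and $EXTERNAL_NET is anything else.
"""
import ipaddress
import struct

HOME_NET = ipaddress.ip_network("192.168.0.0/16")  # assumed value of $HOME_NET

# Fixed sequence/acknowledgement numbers the rule looks for (101058054 == 0x06060606).
ACKCMD_SEQ = 101058054
ACKCMD_ACK = 101058054

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Construct a minimal IPv4 header + TCP header (no options) as test input.
    Checksums are left zero; the matcher below never consults them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4,            # data offset: 5 words, no options
                      flags, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return the fields SID 106 needs from a raw IPv4/TCP packet, or None if
    the packet is not IPv4 carrying a complete TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {
        "src": ipaddress.ip_address(pkt[12:16]),
        "dst": ipaddress.ip_address(pkt[16:20]),
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "flags": flags,
    }


def matches_sid_106(pkt):
    """True when the packet satisfies every condition of the rule:
    tcp $EXTERNAL_NET 80 -> $HOME_NET 1054, flags:A (ACK and nothing else),
    seq:101058054, ack:101058054."""
    f = parse_ipv4_tcp(pkt)
    if f is None:
        return False
    return (f["src"] not in HOME_NET and f["dst"] in HOME_NET
            and f["sport"] == 80 and f["dport"] == 1054
            and f["flags"] == TCP_ACK          # Snort 'flags:A' is an exact match
            and f["seq"] == ACKCMD_SEQ and f["ack"] == ACKCMD_ACK)


# Constructed sample traffic (not captured data).
SAMPLES = {
    # The client probe the rule describes: external :80 -> home :1054, ACK only, fixed numbers.
    "ackcmd_scan": build_ipv4_tcp("203.0.113.5", "192.168.1.10", 80, 1054,
                                  ACKCMD_SEQ, ACKCMD_ACK, TCP_ACK),
    # Ordinary web server ACK to a browser that happened to pick source port 1054.
    "web_ack_random_seq": build_ipv4_tcp("203.0.113.5", "192.168.1.10", 80, 1054,
                                         0x5A3C1F02, 0x7E20A1B4, TCP_ACK),
    # Same fixed numbers but PSH also set: flags:A without a modifier does not fire.
    "ackcmd_numbers_psh_ack": build_ipv4_tcp("203.0.113.5", "192.168.1.10", 80, 1054,
                                             ACKCMD_SEQ, ACKCMD_ACK, TCP_ACK | TCP_PSH),
    # Same numbers, wrong direction: a home host sending to an external :1054.
    "reversed_direction": build_ipv4_tcp("192.168.1.10", "203.0.113.5", 80, 1054,
                                         ACKCMD_SEQ, ACKCMD_ACK, TCP_ACK),
}


def run_samples():
    """Return {name: matched} for every constructed packet."""
    return {name: matches_sid_106(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:26s} -> {'ALERT sid:106' if hit else 'no match'}")
```

Two details worth keeping in mind when reading the rule: Snort's `flags:A` with no modifier requires ACK to be the only flag set, so a PSH/ACK carrying the same numbers is not matched (`flags:A+` would match it), and the value 101058054 is 0x06060606, which is why a legitimate web session with randomised sequence numbers would only trip the rule by coincidence.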
False Negatives:

Corrective Action:
There exist a variety of software and anti-virus measures to remove this trojan.
Because the server does not autoload, rebooting the machine stops it; after the
reboot, remove the server executable.

Christopher Lubrecht chris_lubrecht at ...382... initial research
Additional References:
arachnids 445
