[Snort-sigs] anyone have more detail other than window size of 55808 to craft a snort rule for this

Harris, Michael C. HarrisMC at ...1375...
Wed Jun 11 13:03:03 EDT 2003


anyone have more detail?
other than window size of 55808, so we can create a snort rule?

--------------------------------------------------------------------------------------------------

from
http://news.ists.dartmouth.edu/todaysnews.html , 

Title: Is a new Trojan horse at the firewall? 
Source: Government Computer News
Date Written: June 10, 2003
Date Collected: June 11, 2003 
Security experts claim to have discovered a yet-unnamed "third generation Trojan horse" program that appears to be infecting systems on the Internet. Chris Hovis, director of product marketing for Lancope Inc., said that the new Trojan was first identified in May 2003 by a security analyst for a Defense Department contractor, and that both the FBI and the CERT Coordination Center at Carnegie Mellon University had been notified of the threat. The new Trojan listens for specific types of packets that "are believed to contain encrypted instructions for communicating with controllers," but the purpose of the Trojan and the extent of the problem remain unclear. 
http://www.gcn.com/vol1_no1/daily-updates/22371-1.html 

Is a new Trojan horse at the firewall? 

By William Jackson 
GCN Staff

IT security professionals have found evidence that a stealthy new Trojan horse is infecting networks. 

Traffic apparently generated by the as-yet-unnamed malware was first reported in May by a security analyst for a Defense Department contractor, said Chris Hovis, director of product marketing for Lancope Inc. of Atlanta. Lancope announced Monday it had confirmed the behavior of suspicious packets on its own honeynet and on the network of a large university. 

The TCP SYN packets are characterized by a window size in the packet header of 55808. No infected machines have been found, but the Trojan horse apparently listens for packets with this value, which Hovis said are believed to contain encrypted instructions for communicating with controllers. 

"Based on the activity that we have seen, which looks like probes from zombie hosts, there are likely infected machines that are looking for that identifier," Hovis said. 

Because the code of the Trojan horse itself apparently does not include communication instructions, they are difficult to detect with signature based antivirus software. Lancope has described it as a third generation Trojan horse and said the FBI and the CERT Coordination Center at Carnegie Mellon University had been notified. 

CERT would not comment on the report, but said there is nothing significantly different about the threat described by Lancope. 

"There is nothing there that hasn't been seen before," said Mary Lindner, CERT team leader for incident handling. "Every one of these is an event, but the barometer is not rising." 

Hovis said the Trojan's purpose is unclear, as is how widely it is distributed. At the current level of activity the suspicious packets could probe all IP addresses on the Internet every 27 hours. 

System administrators can use tools such as TCPdump, a program that monitors and filters TCP activity, to find out if machines on their networks are sources of the telltale probes. Systems can also be monitored for aberrant behavior, such as unusual amounts of traffic or new ports and services being opened. 




More information about the Snort-sigs mailing list