[Snort-sigs] tcp window size 55808 SYN packets

Paul_Drapeau at ...1594...
Wed Jun 11 14:06:10 EDT 2003


All,

I am seeing these packets at my gateways at a rate of about 400-500 per day
(this is a class C address block).

I went back through some sniffer data I have kept from May 12th on and here
is the rate of window size 55808 SYN packets per day... (date -- count)

051203 -- 10
051303 -- 2
051403 -- 2
051503 -- 7
051603 -- 4
051703 -- 6
051803 -- 11
051903 -- 5
052003 -- 5
052103 -- 7
052203 -- 4
052303 -- 4
052403 -- 6
052503 -- 7
052603 -- 10
052703 -- 21
052803 -- 29
052903 -- 38
053003 -- 49
053103 -- 46
060103 -- 58
060203 -- 74
060303 -- 123
060403 -- 166
060503 -- 279
060603 -- 369
060703 -- 332
060803 -- 343
060903 -- 423
061003 -- 452


Here is a sample of the packets I am seeing...

00:05:05.984679 200.149.221.147.1025 > xxx.yyy.zzz.201.49119: S [tcp sum ok] 1909619508:1909619508(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 110, id 42456, len 52)
00:09:31.536052 203.46.197.9.8837 > xxx.yyy.zzz.158.25400: S [tcp sum ok] 1358132952:1358132952(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 30930, len 52)
00:14:46.776985 117.47.18.59.48370 > xxx.yyy.zzz.6.27733: S [tcp sum ok] 662795553:662795553(0) win 55808 <mss 1412,nop,wscale 2,nop,nop,sackOK> (ttl 107, id 28650, len 52)
00:14:58.398477 84.243.62.182.62414 > xxx.yyy.zzz.123.64799: S [tcp sum ok] 362299764:362299764(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 12029, len 52)
00:17:34.078316 203.46.197.9.8837 > xxx.yyy.zzz.158.25400: S [tcp sum ok] 1358132952:1358132952(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 112, id 30930, len 52)
00:22:06.076506 95.10.166.38.42128 > xxx.yyy.zzz.201.49119: S [tcp sum ok] 1909619508:1909619508(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 18197, len 52)
00:24:09.801093 128.70.122.235.28084 > xxx.yyy.zzz.148.11925: S [tcp sum ok] 2210115553:2210115553(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 109, id 54364, len 52)
00:25:00.996838 117.47.18.59.48370 > xxx.yyy.zzz.6.27733: S [tcp sum ok] 662795553:662795553(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 108, id 62460, len 52)



Paul Drapeau
Lead Network Engineer, Security
Vertex Pharmaceuticals
Voice - 617-444-6806

From: "Harris, Michael C." <HarrisMC at ...1595...ssouri.edu>
Date: 06/11/2003 04:01 PM
To: <intrusions at ...473...>, <snort-sigs at lists.sourceforge.net>
cc:
Subject: anyone have more detail other than window size of 55808 to craft a snort rule for this

Anyone have more detail, other than the window size of 55808, so we can create a snort rule?

--------------------------------------------------------------------------------------------------


from
http://news.ists.dartmouth.edu/todaysnews.html ,

Title: Is a new Trojan horse at the firewall?
Source: Government Computer News
Date Written: June 10, 2003
Date Collected: June 11, 2003
Security experts claim to have discovered a yet-unnamed "third generation
Trojan horse" program that appears to be infecting systems on the Internet.
Chris Hovis, director of product marketing for Lancope Inc., said that the
new Trojan was first identified in May 2003 by a security analyst for a
Defense Department contractor, and that both the FBI and the CERT
Coordination Center at Carnegie Mellon University had been notified of the
threat. The new Trojan listens for specific types of packets that "are
believed to contain encrypted instructions for communicating with
controllers," but the purpose of the Trojan and the extent of the problem
remain unclear.
http://www.gcn.com/vol1_no1/daily-updates/22371-1.html

Is a new Trojan horse at the firewall?

By William Jackson
GCN Staff

IT security professionals have found evidence that a stealthy new Trojan
horse is infecting networks.

Traffic apparently generated by the as-yet-unnamed malware was first
reported in May by a security analyst for a Defense Department contractor,
said Chris Hovis, director of product marketing for Lancope Inc. of
Atlanta. Lancope announced Monday it had confirmed the behavior of
suspicious packets on its own honeynet and on the network of a large
university.

The TCP SYN packets are characterized by a window size in the packet header
of 55808. No infected machines have been found, but the Trojan horse
apparently listens for packets with this value, which Hovis said are
believed to contain encrypted instructions for communicating with
controllers.

"Based on the activity that we have seen, which looks like probes from
zombie hosts, there are likely infected machines that are looking for that
identifier," Hovis said.

Because the code of the Trojan horse itself apparently does not include
communication instructions, it is difficult to detect with signature-based
antivirus software. Lancope has described it as a third generation
Trojan horse and said the FBI and the CERT Coordination Center at Carnegie
Mellon University had been notified.

CERT would not comment on the report, but said there is nothing
significantly different about the threat described by Lancope.

"There is nothing there that hasn't been seen before," said Mary Lindner,
CERT team leader for incident handling. "Every one of these is an event,
but the barometer is not rising."

Hovis said the Trojan's purpose is unclear, as is how widely it is
distributed. At the current level of activity the suspicious packets could
probe all IP addresses on the Internet every 27 hours.

System administrators can use tools such as TCPdump, a program that
monitors and filters TCP activity, to find out if machines on their
networks are sources of the telltale probes. Systems can also be monitored
for aberrant behavior, such as unusual amounts of traffic or new ports and
services being opened.
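Added example, not code from the original post, from Lancope or from the Snort project: the window-55808 SYN check written out both as a wire-level matcher (the same test the tcpdump and Snort filters in the header comment express) and as a triage pass over tcpdump text lines like the ones posted above. The eight positive sample lines are the posted packets re-joined onto single lines; the two non-matching lines, the 10.0.0.x addresses and the build_syn() packet builder are constructed for the example. The Snort rule in the comment is a draft: $HOME_NET and $EXTERNAL_NET are the usual snort.conf variables and the sid is an arbitrary local number. Besides per-source counts, the triage reports any (destination, port, sequence number) triple that arrived from more than one source address, which the posted samples exhibit (two different sources sent seq 1909619508 to xxx.yyy.zzz.201:49119) and which is worth looking at before treating a source address as an infected host.

```python
"""Added example (not from the original post): match SYN-only TCP segments with
window 55808 on the wire and triage tcpdump text lines like the ones posted."""
import re
import struct
from collections import Counter, defaultdict

WINDOW = 55808

# The same test expressed for the two tools named on this page (reference only,
# not executed here). The Snort rule is a draft: $HOME_NET/$EXTERNAL_NET are the
# usual snort.conf variables and the sid is an arbitrary local number.
#   tcpdump -n 'tcp[13] & 0x3f == 0x02 and tcp[14:2] == 55808'
#   alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SYN with TCP window 55808";
#       flags:S,12; window:55808; sid:1000001; rev:1;)


def is_win55808_syn(ip_packet: bytes) -> bool:
    """True for an IPv4/TCP segment whose flag byte is exactly SYN after masking
    CWR/ECE (tcp[13] & 0x3f, the same as Snort's flags:S,12) and window 55808."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return False
    ihl = (ip_packet[0] & 0x0F) * 4
    if ip_packet[9] != 6 or len(ip_packet) < ihl + 20:   # IP protocol 6 = TCP
        return False
    tcp = ip_packet[ihl:]
    flags = tcp[13] & 0x3F
    window = struct.unpack("!H", tcp[14:16])[0]          # tcp[14:2] in BPF
    return flags == 0x02 and window == WINDOW


def build_syn(src, dst, sport, dport, window, flags=0x02):
    """Constructed packet for testing: 20-byte IPv4 header + 20-byte TCP header,
    checksums left zero (the matcher does not verify them)."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr


# tcpdump 3.x text format as in the posted samples; the destination octets may
# be masked (xxx.yyy.zzz.N), so hosts are matched as any non-space run.
LINE_RE = re.compile(
    r"^\S+ (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?:\[tcp sum \w+\] )?(?P<seq>\d+):\d+\(\d+\)"
    r"(?P<ack> ack \d+)? win (?P<win>\d+)")

# The eight packets posted above, re-joined onto single lines, plus two
# constructed non-matching lines (a normal SYN and a SYN-ACK carrying 55808).
SAMPLE_LINES = [
    "00:05:05.984679 200.149.221.147.1025 > xxx.yyy.zzz.201.49119: S [tcp sum ok] 1909619508:1909619508(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 110, id 42456, len 52)",
    "00:09:31.536052 203.46.197.9.8837 > xxx.yyy.zzz.158.25400: S [tcp sum ok] 1358132952:1358132952(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 30930, len 52)",
    "00:14:46.776985 117.47.18.59.48370 > xxx.yyy.zzz.6.27733: S [tcp sum ok] 662795553:662795553(0) win 55808 <mss 1412,nop,wscale 2,nop,nop,sackOK> (ttl 107, id 28650, len 52)",
    "00:14:58.398477 84.243.62.182.62414 > xxx.yyy.zzz.123.64799: S [tcp sum ok] 362299764:362299764(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 12029, len 52)",
    "00:17:34.078316 203.46.197.9.8837 > xxx.yyy.zzz.158.25400: S [tcp sum ok] 1358132952:1358132952(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 112, id 30930, len 52)",
    "00:22:06.076506 95.10.166.38.42128 > xxx.yyy.zzz.201.49119: S [tcp sum ok] 1909619508:1909619508(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 111, id 18197, len 52)",
    "00:24:09.801093 128.70.122.235.28084 > xxx.yyy.zzz.148.11925: S [tcp sum ok] 2210115553:2210115553(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 109, id 54364, len 52)",
    "00:25:00.996838 117.47.18.59.48370 > xxx.yyy.zzz.6.27733: S [tcp sum ok] 662795553:662795553(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK> (ttl 108, id 62460, len 52)",
    "00:30:00.000000 10.0.0.5.40000 > xxx.yyy.zzz.7.80: S [tcp sum ok] 1:1(0) win 65535 <mss 1460> (ttl 64, id 1, len 44)",
    "00:31:00.000000 xxx.yyy.zzz.7.80 > 10.0.0.6.40001: S [tcp sum ok] 2:2(0) ack 1 win 55808 <mss 1460> (ttl 64, id 2, len 44)",
]


def triage(lines):
    """Count matching probes per source address and report (dst, port, seq)
    triples that arrived from more than one source address."""
    per_src = Counter()
    seen_from = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S" or m["ack"] or int(m["win"]) != WINDOW:
            continue
        per_src[m["src"]] += 1
        seen_from[(m["dst"], int(m["dport"]), int(m["seq"]))].add(m["src"])
    shared = {k: sorted(v) for k, v in seen_from.items() if len(v) > 1}
    return per_src, shared


if __name__ == "__main__":
    print("raw match:", is_win55808_syn(build_syn("10.0.0.1", "10.0.0.2", 1025, 49119, WINDOW)))
    per_src, shared = triage(SAMPLE_LINES)
    for src, n in per_src.most_common():
        print(f"{n:3d}  {src}")
    for (dst, dport, seq), srcs in shared.items():
        print(f"seq {seq} to {dst}.{dport} seen from {', '.join(srcs)}")
```

Run it as-is to see the per-source table for the posted samples; to use it on your own gateway data, feed triage() the lines from `tcpdump -n 'tcp[13] & 0x3f == 0x02 and tcp[14:2] == 55808'` (the -S option keeps absolute sequence numbers, which the shared-sequence check needs). The wire-level matcher masks the CWR/ECE bits deliberately: a rule written as flags:S without the ",12" modifier would miss a probe that happens to set them, and would be inconsistent with the tcpdump expression.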
