[Snort-sigs] anyone have more detail other than window size of 55808 to craft a snort rule for this

Jason Falciola falciola at ...130...
Thu Jun 12 10:42:38 EDT 2003


FYI - Les Gordon has done a very good writeup on Q and the issues 
surrounding NIDS signature development for it:

http://www.giac.org/practical/GCIA/Les_Gordon_GCIA.doc
http://isc.incidents.org/analysis.html?id=181

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola at ...130...





Craig Baltes <craig at ...5...>
06/11/2003 05:08 PM
Please respond to craig

        To:     "Harris, Michael C." <HarrisMC at ...1375...>
        cc:     Intrusions <Intrusions at ...473...>, snort-sigs at lists.sourceforge.net
        Subject:        Re: [Snort-sigs] anyone have more detail other than window size of 55808 to craft a snort rule for this



What they are describing here is basically a "rawIP" trojan and, as CERT
says, this is nothing new. It seems very similar to "Q". They are
calling this a "Third Generation Trojan Horse" but "Q" has been around
for at least 2 years. The mystery trojan that they describe in this
email is actually far less effective and stealthy than a fully
functional "Q" client/server set. "Q" has no common denominator in terms
of packet size or protocol. If this trojan is really limited by having
to be a TCP SYN with a window size of 55808, that really narrows the
window that IDS signature writers need to catch this traffic. If there
is any other common factor to the data then a signature should be
possible, where "Q" is impossible (As far as I can tell) to find via
signature based IDS. Here are some links to "Q" info:

http://lists.jammed.com/pen-test/2002/10/0027.html (My write-up on "Q")
http://mixter.void.ru (Mixter is the author of "Q" and has lots of info
about rawIP programming)

-- 
Craig Baltes GCIA, CCSE
Senior Information Security Analyst
LURHQ corp. www.lurhq.com
craig at ...5...


On Wed, 2003-06-11 at 16:01, Harris, Michael C. wrote:
> anyone have more detail?
> other than window size of 55808, so we can create a snort rule?
> 
> 
> --------------------------------------------------------------------------------------------------
> 
> from
> http://news.ists.dartmouth.edu/todaysnews.html ,
> 
> Title: Is a new Trojan horse at the firewall?
> Source: Government Computer News
> Date Written: June 10, 2003
> Date Collected: June 11, 2003
> Security experts claim to have discovered a yet-unnamed "third
> generation Trojan horse" program that appears to be infecting systems on
> the Internet. Chris Hovis, director of product marketing for Lancope Inc.,
> said that the new Trojan was first identified in May 2003 by a security
> analyst for a Defense Department contractor, and that both the FBI and the
> CERT Coordination Center at Carnegie Mellon University had been notified
> of the threat. The new Trojan listens for specific types of packets that
> "are believed to contain encrypted instructions for communicating with
> controllers," but the purpose of the Trojan and the extent of the problem
> remain unclear.
> http://www.gcn.com/vol1_no1/daily-updates/22371-1.html
> 
> Is a new Trojan horse at the firewall?
> 
> By William Jackson
> GCN Staff
> 
> IT security professionals have found evidence that a stealthy new Trojan
> horse is infecting networks.
> 
> Traffic apparently generated by the as-yet-unnamed malware was first
> reported in May by a security analyst for a Defense Department contractor,
> said Chris Hovis, director of product marketing for Lancope Inc. of
> Atlanta. Lancope announced Monday it had confirmed the behavior of
> suspicious packets on its own honeynet and on the network of a large
> university.
> 
> The TCP SYN packets are characterized by a window size in the packet
> header of 55808. No infected machines have been found, but the Trojan
> horse apparently listens for packets with this value, which Hovis said are
> believed to contain encrypted instructions for communicating with
> controllers.
> 
> "Based on the activity that we have seen, which looks like probes from
> zombie hosts, there are likely infected machines that are looking for that
> identifier," Hovis said.
> 
> Because the code of the Trojan horse itself apparently does not include
> communication instructions, they are difficult to detect with
> signature-based antivirus software. Lancope has described it as a third
> generation Trojan horse and said the FBI and the CERT Coordination Center
> at Carnegie Mellon University had been notified.
> 
> CERT would not comment on the report, but said there is nothing
> significantly different about the threat described by Lancope.
> 
> "There is nothing there that hasn't been seen before," said Mary
> Lindner, CERT team leader for incident handling. "Every one of these is an
> event, but the barometer is not rising."
> 
> Hovis said the Trojan's purpose is unclear, as is how widely it is
> distributed. At the current level of activity the suspicious packets could
> probe all IP addresses on the Internet every 27 hours.
> 
> System administrators can use tools such as TCPdump, a program that
> monitors and filters TCP activity, to find out if machines on their
> networks are sources of the telltale probes. Systems can also be monitored
> for aberrant behavior, such as unusual amounts of traffic or new ports and
> services being opened.
> 
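The thread asks how to turn the one published indicator (a TCP SYN carrying a window size of 55808) into a detection. The following Python sketch is an added example, not code from this list, from Lancope, from Snort, or from any of the posters: it parses raw IPv4/TCP packets (assumed to have no link-layer header, and with checksums ignored), flags SYN-without-ACK segments whose window field equals 55808, and lists the source addresses that emit them, which is the "is any machine on my network a source of these probes" question the article leaves to tcpdump. The sample packets are constructed inline from documentation address ranges; `build_syn`, `is_suspect_syn` and `probe_sources` are hypothetical names chosen for this example.

```python
import struct
from typing import Iterable, List, Optional

# Hypothetical detector written for this example. It assumes raw IPv4
# packets with no Ethernet/link-layer header in front of them.

TRIGGER_WINDOW = 55808   # window value reported in the GCN article
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(packet: bytes) -> Optional[dict]:
    """Return the IPv4/TCP header fields of interest, or None if not IPv4/TCP."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:                      # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4                 # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 20:     # truncated header(s)
        return None
    if packet[9] != 6:                         # protocol field: 6 == TCP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    # TCP header: sport, dport, seq, ack, dataoff/flags, window, csum, urg
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x01FF, "window": window}


def is_suspect_syn(packet: bytes) -> bool:
    """Match the article's indicator: a pure SYN (ACK clear) with window 55808.

    A 16-bit window value alone is a weak indicator, so the SYN/ACK-bit
    check is the only thing keeping ordinary traffic out of the match."""
    f = parse_ipv4_tcp(packet)
    if f is None:
        return False
    return bool((f["flags"] & TCP_SYN) and not (f["flags"] & TCP_ACK)
                and f["window"] == TRIGGER_WINDOW)


def probe_sources(packets: Iterable[bytes]) -> List[str]:
    """Distinct source addresses emitting suspect SYNs, in first-seen order."""
    seen: List[str] = []
    for pkt in packets:
        if is_suspect_syn(pkt):
            src = parse_ipv4_tcp(pkt)["src"]
            if src not in seen:
                seen.append(src)
    return seen


def build_syn(src: str, dst: str, sport: int, dport: int,
              window: int, flags: int = TCP_SYN) -> bytes:
    """Construct a minimal IPv4+TCP packet for test input (checksums left zero)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | flags, window, 0, 0)   # data offset 5 words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, src_b, dst_b)
    return ip + tcp


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_PACKETS = [
    build_syn("192.0.2.10", "198.51.100.7", 40000, 80, 55808),               # hit
    build_syn("192.0.2.11", "198.51.100.7", 40001, 443, 65535),              # normal SYN
    build_syn("192.0.2.10", "198.51.100.8", 40002, 22, 55808),               # hit, same host
    build_syn("192.0.2.12", "198.51.100.9", 40003, 25, 55808,
              flags=TCP_SYN | TCP_ACK),                                      # SYN/ACK: ignored
]

if __name__ == "__main__":
    print(probe_sources(SAMPLE_PACKETS))
```

The same match expressed in the tools the thread mentions: as Snort rule options it is `flags:S; window:55808;` on a `tcp any any -> any any` header, and as a tcpdump/BPF filter it is `'tcp[13] & 0x12 = 0x02 and tcp[14:2] = 55808'` (flags byte at TCP offset 13, window at offset 14). Craig's caveat above still applies: this catches only the one fixed field the article reports, and a host whose stack legitimately advertises a 55808-byte window will match too, so treat a hit as a lead to confirm on the sending machine rather than as proof of infection.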