[Snort-sigs] New rule: SCAN 55808 Trojan scan

m.stiefenhofer at ...1632...
Wed Jun 25 04:16:12 EDT 2003

# Note: the two rules were line-wrapped by the mailer and lacked the closing ")";
# they are shown here unwrapped and closed. The sid values are placeholders from
# the local rule range (1000000+) and must be replaced before deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN 55808 Trojan scan"; flags:S; window:55808; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp any any -> !$HOME_NET any (msg:"SCAN outgoing 55808 Trojan scan"; flags:S; window:55808; classtype:attempted-recon; sid:1000002; rev:1;)

This Trojan can be described as a distributed portscanner.

At the moment it is only known for collecting data about open ports. There 
is no other malicious behavior known.

Detailed Information:

[Excerpt from http://www.intrusec.com/55808.html]
This trojan aims to be a distributed port scanner whose presence is very 
difficult to detect. It port scans random addresses across the IP address 
space, with a random source address also spoofed. By spoofing the source 
address, the trojan is able to avoid easy detection, but it also means it 
can not receive the results of the TCP SYN that is sent. However, since 
the trojan also sniffs the network it is on in promiscuous mode, it is 
likely, over time, to pick up scans from other installations of trojans 
that randomly selected a source address that happened to be on its subnet. 
As the number of trojans installed across the Internet grows, more spoofed 
packets will be sent out by each trojan, and more of the spoofed source 
addresses will be captured by other trojans. 
Each time a reply to a trojan is seen, indicating an open port has been 
found, it is written to a file and saved. Daily, the trojan will then 
deliver the list of open ports it recorded while sniffing to a file and 
deliver that file to a predefined IP address.
In addition, a specially crafted packet can be sent to the subnet the 
trojan is listening on which contains in its sequence number the IP 
address the trojan should deliver the open port list to daily.  However, 
in the current incarnations of this trojan this functionality appears to 
be disabled.
Finally, the trojan contains a feature whereby if it fails to connect to 
the IP address it is supposed to deliver its open ports list to, it will 
automatically attempt to remove itself from the system.

Affected Systems:
The trojan was only observed on Linux systems to date.

Attack Scenarios:

The trojan is in a file named 'a' that resides in /tmp/.../a on the 
filesystem. Its packet collection activity monitors for any packet with a 
window size of 55808 and records all packets matching that window size. 
The packet capture is written to its current directory (/tmp/.../ 
typically) in a file named 'r'. 

Ease of Attack:

The trojan appears to be installed on a system either manually, or through 
an external exploit that is unrelated to the trojan itself. There is no 
exploit code or means to install itself on a host built-in to the trojan 
itself. It is easy to identify that a system on your network has been 
infected with this or a related trojan due to the extremely noisy network 
activity it generates with TCP packets with a window size of 55808. 

False Positives:

Other legitimate services may intentionally or incidentally also send 
packets with this same window size, so do not solely rely upon the 
presence of such a packet as guaranteeing the existence of such a trojan. 
As the source address is spoofed, finding the infected machine in your 
network is rather difficult.

False Negatives:

Corrective Action:

Marek Stiefenhofer, ECOFIS GmbH <security at ...1632...>

Additional References:

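As an added illustration (not part of the original post or of Snort itself), the following Python code re-implements the matching logic of the two rules above over raw IPv4/TCP packets: SYN as the only flag set, TCP window exactly 55808, and direction judged against $HOME_NET. It assumes $EXTERNAL_NET is !$HOME_NET and uses a constructed example network and constructed packets.

```python
import ipaddress
import struct

# Assumption: $HOME_NET is this example network and $EXTERNAL_NET is its complement.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
TROJAN_WINDOW = 55808   # window size the rules key on
TH_SYN = 0x02           # Snort "flags:S" == SYN set and no other flag bit set


def build_ipv4_tcp(src, dst, sport, dport, flags, window):
    """Construct a minimal IPv4+TCP packet (no options, no payload,
    checksums left zero) for offline testing of the matcher."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4,
                      flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + tcp


def classify(packet):
    """Return the msg of the rule that would fire for this packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None                      # not TCP, or truncated TCP header
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    tcp = packet[ihl:ihl + 20]
    flags = tcp[13]
    (window,) = struct.unpack("!H", tcp[14:16])
    # Both rules require exactly SYN and window 55808.
    if flags != TH_SYN or window != TROJAN_WINDOW:
        return None
    # Rule 1: $EXTERNAL_NET -> $HOME_NET
    if src not in HOME_NET and dst in HOME_NET:
        return "SCAN 55808 Trojan scan"
    # Rule 2: any -> !$HOME_NET
    if dst not in HOME_NET:
        return "SCAN outgoing 55808 Trojan scan"
    return None


def scan_capture(packets):
    """Apply the matcher to a list of raw packets; return (index, msg) hits."""
    return [(i, m) for i, p in enumerate(packets) if (m := classify(p))]
```

Because the trojan spoofs the source address, a hit from rule 2 only tells you the SYN left your network, not which host emitted it; correlating on the sending MAC address or switch port is what locates the infected machine.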