New Trojan

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

New Trojan

Post by Red Squirrel »

http://www.eweek.com/article2/0,3959,1130754,00.asp

A new Trojan that has been making its way around the Internet in recent weeks continues to baffle security experts, who have been unable to get a good handle on its behavior.

The Trojan apparently made its first appearance around May 16 and began randomly scanning Internet-connected machines. The scanning was slow at first but has begun to pick up speed in recent days as more machines have become infected. Researchers at Internet Security Systems Inc. in Atlanta have been seeing nearly 3,000 scans an hour on Tuesday across the entire address space that the company monitors.

The Trojan scans random ports on random machines, each time sending an initial SYN packet. One of the few identifiable characteristics of the program is a window size of 55808 on each of the packets it transmits. It also spoofs the originating IP address on all of the packets, making them look as if they're coming from machines in unallocated name space.

ISS has been tracking the Trojan for about a month and has yet to find a copy of its code or successfully trace it back to an infected machine. Other security vendors and officials at the Department of Homeland Security are also tracking the Trojan, all without any luck so far.

"We still don't have a good idea where it's going or if it's communicating with anyone," said Pete Allor, manager of X-Force Threat Intelligence Services at ISS. "I don't want to say I'm close, but I'm closer than I was yesterday."

Researchers have been frustrated by the Trojan's random behavior, which has helped it elude capture. One of the few nuggets of information that experts have at this point is that a portion of the hex code in the packets the Trojan sends contains the term "day 0." In security circles, the phrase "zero day" is often used to describe attacks on vulnerabilities that have just been discovered.

Despite the problems tracking the Trojan so far, Allor believes it's only a matter of time before someone gets a handle on it. When he does find it, Allor is eager to peek into the Trojan's code and see what makes it tick.

"This is a new one. It piqued our curiosity really quick," he said.

Archived topic from Iceteks, old topic ID:934, old post ID:8115
Honk if you love Jesus, text if you want to meet Him!
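The article quoted in the post above names two packet-level traits: an initial SYN and a TCP window size of 55808. As an added example (not code from the article, ISS, or this thread), here is a passive check for those traits in raw IPv4/TCP packets; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

SUSPECT_WINDOW = 55808  # window size the article reports on each packet
SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt):
    """Return (src, dst, dport, flags, window), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IP header length; options may be present
    if ihl < 20 or len(pkt) < ihl + 20:
        return None  # truncated or malformed header
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags = pkt[ihl + 13]
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    return src, dst, dport, flags, window

def is_suspect(pkt):
    """True for an initial SYN (ACK clear) carrying the reported window size."""
    f = parse_ipv4_tcp(pkt)
    return f is not None and (f[3] & (SYN | ACK)) == SYN and f[4] == SUSPECT_WINDOW

def summarize(packets):
    """Count matching probes per (dst, dport). Sources are not used as keys
    because the article says they are spoofed."""
    hits = Counter()
    for p in packets:
        if is_suspect(p):
            _, dst, dport, _, _ = parse_ipv4_tcp(p)
            hits[(dst, dport)] += 1
    return hits

def build(src, dst, dport, flags, window):
    """Construct a minimal IPv4+TCP packet for sample data (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, window, 0, 0)

# Constructed sample traffic (documentation address ranges, made-up ports)
SAMPLE = [
    build("198.51.100.7", "192.0.2.10", 4431, SYN, 55808),      # matches
    build("203.0.113.9", "192.0.2.10", 80, SYN, 65535),         # ordinary SYN
    build("198.51.100.8", "192.0.2.11", 22, SYN | ACK, 55808),  # reply, not a probe
    build("198.51.100.9", "192.0.2.12", 31337, SYN, 55808),     # matches
]

if __name__ == "__main__":
    for (dst, dport), n in summarize(SAMPLE).items():
        print(f"{dst}:{dport} probes={n}")
```

A single window value is a weak indicator on its own, so treat matches as leads to correlate with scan volume rather than as confirmation.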
Chris Vogel
Posts: 5140
Joined: Fri Jan 10, 2003 1:14 am

New Trojan

Post by Chris Vogel »

HA HA HA HA! You said trojan........ :roflmao2: :roflmao2:

Anyway, this is interesting. :unsure:
ISS has been tracking the Trojan for about a month and has yet to find a copy of its code or successfully trace it back to an infected machine. Other security vendors and officials at the Department of Homeland Security are also tracking the Trojan, all without any luck so far.
:bsod: :bsod: :bsod: :bsod: :bsod:

Archived topic from Iceteks, old topic ID:934, old post ID:8118
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

New Trojan

Post by Red Squirrel »

Yep, quite scary!

Gee, trojans.

big ones, small ones, flavored ones, glow in the dark ones.... I mean, TCP ones, UDP ones... :roflmao2:

Archived topic from Iceteks, old topic ID:934, old post ID:8120
Honk if you love Jesus, text if you want to meet Him!
jryan
Posts: 395
Joined: Wed Dec 18, 2002 1:19 am

New Trojan

Post by jryan »

I really wish they'd give the viruses, especially the Trojan Horse viruses, names when they first come out. It's almost as if it's a dirty word, always "The Trojan" never "Your Trojan"... :roflmao2:

Archived topic from Iceteks, old topic ID:934, old post ID:8128
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario

New Trojan

Post by Red Squirrel »

Yeah, it's funny. Both types of trojans can do damage, so it's hard to tell which one they are talking about when any tragedy is mentioned. :lol:

Archived topic from Iceteks, old topic ID:934, old post ID:8133
Honk if you love Jesus, text if you want to meet Him!
wldkos
Posts: 830
Joined: Mon Feb 24, 2003 12:19 pm

New Trojan

Post by wldkos »

seems like someone is a good programmer

Archived topic from Iceteks, old topic ID:934, old post ID:8415