
June 27, 2003

Alert! Stumbler attack gains momentum

Strange IP code packets may reveal new virus

Over the past few days, Internet monitors have detected some very strange IP traffic with really large (558 kB) packet sizes. It was initially thought that these packets were being generated by a Trojan or virus that had infected a group of computers and was attempting to "phone home." New findings indicate that these rogue packets are generated by a distributed stealth scanner code-named Stumbler. And this isn't even the original program, but a copycat!

The Stumbler Trojan seems to target, and work with, Linux systems, but it's likely that the original program was Windows-based and could be a third-generation Trojan "proof of concept." It port scans random addresses across the entire IP address space. In a twist, it uses random, spoofed source addresses to ensure the scanner remains invisible. The downside of this extra-stealth approach is that the scanner can't receive the results of the TCP SYNs it sent! However, because the Trojan sniffs the network it's currently based on in promiscuous mode, it will over time be able to detect scans from other, similar Trojans that randomly select source addresses on its subnet. As the Trojans increase, so will the number of spoofed packets and source addresses.

Stumbler indicates a methodical mind at work. Each reply indicating an open port is saved to a file. The app forwards this open-port listing to a predefined IP address (12.108.65.76 on port 22), but only after it has been running undetected for 24 hours or more. The Trojan also transmits a special packet to the subnet being scanned containing the sequence number of the delivery address. The Trojan appears to be located in the ../tmp/a sub-folder, and saved packet captures are written to ../tmp/r. If Stumbler fails to connect to the delivery IP address, it deletes itself and all traces from the scanned subnet.

Quite diabolical, but this feature appears to have been disabled. Intentionally, perhaps, to avoid detection? If you are able to configure your Web server, I recommend implementing this TRONS rule to detect outbound connections from infected hosts:
alert tcp any any -> 12.108.65.76/32 22 (msg:"Stumbler Trojan";)
You can read more about Stumbler; including updated information here.
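The rule above only fires on the report-back connection to the delivery address. As an added example that is not part of the original post, the Python script below shows how a defender can apply the same two signals from the post to flow records offline: it flags any TCP flow to 12.108.65.76 port 22 (the address and port stated above), and it flags sources that send bare SYNs to many distinct destinations, which is what the scanner's SYN sweep looks like from a sensor on the local subnet. The flow-log format, the sample records, the host addresses and the scan threshold are all constructed for this example; only the delivery IP and port come from the post. Because Stumbler spoofs its source address, a scan hit names the address on the wire, not necessarily the infected host, so treat it as a lead to the subnet rather than a verdict on one machine.

```python
"""Offline detection of Stumbler-style activity in flow records.

Added example, not code from the original post. Assumes a constructed,
whitespace-separated flow-log format (one record per line):

    <epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <tcp_flags>

where <tcp_flags> is the usual letter form (S = SYN, SA = SYN/ACK, PA = PSH/ACK).
"""
from collections import defaultdict

# Delivery address and port named in the post.
DELIVERY_IP = "12.108.65.76"
DELIVERY_PORT = 22

# Number of distinct destinations hit with bare SYNs before a source is
# reported as scanning. Chosen for this example; tune it for your network.
SCAN_THRESHOLD = 20


def build_sample_log():
    """Construct a small flow log: one benign web client, one scanner,
    and one host reporting its open-port list to the delivery address.
    All addresses except the delivery IP are made up for this example."""
    lines = []
    # Benign: 10.0.0.5 completes five connections to a single web server.
    for i in range(5):
        lines.append(f"1056672000 10.0.0.5 {40000 + i} 203.0.113.10 80 tcp S")
        lines.append(f"1056672001 203.0.113.10 80 10.0.0.5 {40000 + i} tcp SA")
    # Scanner: 10.0.0.9 sends bare SYNs to 25 distinct addresses; no replies
    # are recorded, which matches a spoofed-source SYN sweep.
    for i in range(25):
        lines.append(f"10566721{i:02d} 10.0.0.9 {50000 + i} 198.51.100.{i + 1} 22 tcp S")
    # Report-back: an established session carrying data to the delivery address.
    lines.append(f"1056758400 10.0.0.9 51234 {DELIVERY_IP} {DELIVERY_PORT} tcp PA")
    return "\n".join(lines)


def parse_flow(line):
    """Parse one flow record into a dict; raises ValueError on a malformed line."""
    ts, src, sport, dst, dport, proto, flags = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(), "flags": flags}


def parse_log(text):
    """Parse every non-empty line of a flow log."""
    return [parse_flow(l) for l in text.splitlines() if l.strip()]


def delivery_connections(flows):
    """Flows matching the post's rule: tcp any any -> 12.108.65.76/32 22."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dst"] == DELIVERY_IP
            and f["dport"] == DELIVERY_PORT]


def syn_scanners(flows, threshold=SCAN_THRESHOLD):
    """Map source -> distinct-destination count for sources whose bare SYNs
    (flags exactly 'S') reached at least `threshold` distinct destinations.
    The source field may be spoofed, so a hit locates the sending subnet,
    not necessarily the infected host."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def analyze(text):
    """Run both checks over a flow log and return the findings."""
    flows = parse_log(text)
    return {
        "delivery": [(f["src"], f["sport"]) for f in delivery_connections(flows)],
        "scanners": syn_scanners(flows),
    }


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for src, sport in report["delivery"]:
        print(f"report-back to {DELIVERY_IP}:{DELIVERY_PORT} from {src}:{sport}")
    for src, count in report["scanners"].items():
        print(f"possible SYN sweep from {src}: {count} distinct destinations")
```

Run against a real export, replace build_sample_log() with the contents of your flow or firewall log in the same column order, and lower or raise SCAN_THRESHOLD to fit how many distinct hosts a normal client on your network touches in the window you are examining.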