20-06-2003, 19:55 #1
Intrusec Alert: 55808 Trojan Analysis
Latest Update: 6/19/03 11:13PM EDT
- Corrected analysis regarding use of sequence numbers to change IP address.
- Added reference to alternate name "Stumbler" given to trojan by Internet Security Systems subsequent to the release of Intrusec´s analysis.
Intrusec has completed an initial analysis of a trojan that appears to be one of several that is responsible for generating substantial scanning traffic across the Internet with a TCP window size of 55808. The trojan we have isolated appears to match many of the characteristics that others in the security community have reported for this trojan. However, we do not believe that the specific trojan we have identified is the sole source of the traffic generated, and do not know that it is a primary source.
The information we´ve been able to gather leads us to believe that the trojan we have captured is not the original source of the 55808 traffic that has been seen, but is rather a "copycat", created to mimic the behavior of another trojan or worm. The behavior of this copycat appears to be based on press releases, news articles, and mailing lists that described its hypothetical behavior and known output. Nonetheless, this copycat trojan appears to be actively deployed on systems across the Internet and is something security professionals should be aware of.
Details contained in this analysis will be updated, and linked to linked to numerous analyses that will be done by other security researchers, as they become available. Please visit and link to http://www.intrusec.com/55808.html to receive the latest information available regarding this trojan. There is apt to be great discussion about the nature of this "trojan" and whether in fact it is accurately characterized as a trojan, backdoor, zombie, or worm. While the specific binaries we have captured are probably described as a trojan or zombie, there is no assurance that other variants of this trojan may not be far more malicious in nature and contain worm or backdoor functionality. We are referring to the trojan we have captured, and the presumed other existing trojans generating similar traffic as "55808 Trojans," and the specific binary we have analyzed as "55808 Trojan - Variant A." All discussion in our analysis section refers specifically to the ´A´ variant we have captured. Internet Security Systems subsequent to the release of this alert dubbed this "Stumbler", and refers to this same trojan by that name.
This trojan aims to be a distributed port scanner whose presence is very difficult to detect. It port scans random addresses across the IP address space, with a random source address also spoofed. By spoofing the source address, the trojan is able to avoid easy detection, but it also means it can not receive the results of the TCP SYN that is sent. However, since the trojan also sniffs the network it is on in promiscuous mode, it is likely, over time, to pick up scans from other installations of trojans that randomly selected a source address that happened to be on its subnet. As the number of trojans installed across the Internet grows, more spoofed packets will be sent out by each trojan, and more of the spoofed source addresses will be captured by other trojans.
Each time a reply to a trojan is seen, indicating an open port has been found, it is written to a file and saved. Daily, the trojan will then deliver the list of open ports it recorded while sniffing to a file and deliver that file to a predefined IP address.
In addition, a specially crafted packet can be sent to the subnet the trojan is listening on which contains in its sequence number the IP address the trojan should deliver the open port list to daily. However, in the current incarnations of this trojan this functionality appears to be disabled.
Finally, the trojan contains a feature whereby if it fails to connect to the IP address it is supposed to deliver its open ports list to, it will automatically attempt to remove itself from the system.
The trojan we have identified has been a file named ´a´ that resides in /tmp/.../a on the filesystem. Its packet collection activity monitors for any packet with a window size of 55808 and records all packets matching that window size. The packet capture is written to its current directory (/tmp/.../ typically) in a file named ´r´.
There is a default IP address of 18.104.22.168 that the trojan attempts to make a standard connection (not spoofed) to on TCP port 22 and deliver the packet capture after it has been running for 24 hours, however this appears to have been randomly selected as it is not an active system on the Internet, and it is potentially dynamically modifiable by a packet that can be sent to the trojan.
The trojan appears to contain some functionality to change the IP address it delivers its packet captures to, but this functionality is not operational in the trojan we have obtained. It appears the stubbed out code, if activated, would function as follows: If a packet is captured that contains a window size of 55808 and a TCP option window scale of 2, the trojan modifies the IP address packet captures are delivered to based on the sequence number of that packet.
While a novel concept, this trojan seems largely to have been written as a proof of concept relative to the ideas Lancope described as a ´3rd generation trojan.´ Other than generating large amounts of network traffic, it contains no self-replicating or malicious behavior, and a few high-speed port scans from compromised host would be a far more effective and efficient means to map open ports on the Internet than this type of trojan.
We have only observed the trojan on Linux systems to date. However, the program itself is quite portable to other unix variants, so it is possible if not likely that it may also exist on other unix distributions. It is also possible that the ´original´ trojan is Windows-based.
The trojan appears to be installed on a system either manually, or through an external exploit that is unrelated to the trojan itself. There is no exploit code or means to install itself on a host built-in to the trojan itself. It is easy to identify that a system on your network has been infected with this or a related trojan due to its extremely noisy network activity it generates with TCP packets with a window size of 55808. However, other legitimate services may intentionally or incidentally also send packets with this same window size, so do not solely rely upon the presence of such a packet as guaranteeing the existence of such a trojan.
Security vendors who claim that identifying massive quantities of port scanning originating from their network as a unique feature of their software should be taken with a grain of salt. It is more difficult to identify the specific system on your network that has been infected with this trojan due to its spoofing activities other than for its daily non-spoofed connection to remote port 22. Tools that can assist you in locating the actual physical source of these spoofed packets (through looking at MAC addresses and ARPs) may be quite useful. There is apt to be a great deal of discussion in the general techniques that can be used to locate it, a good starting resource for this is "Tracking Down the Phantom Host" by John Payton available at http://www.securityfocus.com/infocus/1705.
For Exposé Users:
Users of Exposé that take advantage of its SSH authenticated differential signatures can detect new default installations of this trojan on their systems by creating a custom SSH differential signature that looks for the appearance of a /tmp/.../ directory on systems being monitored. See the Exposé help for more information on using SSH authentication.
From the main user interface, select ´Configure App Layer Differentials´ from the Tools menu, click ´Add´ under the checks box, and then enter a new check with the following settings:
Name: 55808 Trojan
Type: SSH, Simple
Challenge Text: echo check;ls /tmp/.../
Port Range: 22
If that file appears on the filesystem of any of the hosts being monitored by Exposé and SSH authentication configured, an alert will be created. Note this is only useful for default installations of the trojan.
The best way to prevent intrusions is to find and eliminate vulnerabilities before they can be exploited. Intrusec has been built on the belief that continuous network change detection is a core technology that will assist administrators in managing the security of their networks and should be a part of any comprehensive security framework. Utilizing Intrusec´s product, along with those from other commercial and free sources, can assist in limiting the breadth and time your network may be exposed to the type of vulnerabilities being exploited to install malicious software such as the 55808 Trojan.
Intrusec, Inc. was founded in January 2002 to build a new kind of security software that provides continuous detection of changes occurring on a network. Intrusec´s first product, Exposé, brings this technology vision to fruition. Using Intrusec´s unique Differential Detection Technology, Exposé can detect changes on a network at all of the IP, application, and web services layers of today´s modern networks and works with existing vulnerability assessment products to help administrators identify specific vulnerabilities. Exposé is currently in beta testing and is available for download now.
This document is not to be edited or altered in any way without the express written consent of Intrusec, Inc.. You may provide links to this document from your web site, and you may make copies of this document in accordance with the fair use doctrine of the U.S. copyright laws.
Use of this information constitutes acceptance for use in an as is condition. There are no warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user´s risk. In no event shall Intrusec be held liable for any damages arising in connection with the use of this information.