Sunday, June 22, 2003

Odd traffic?

Concerning the unnamed trojan that's causing an increase in traffic on the Internet:

Various providers have seen a marked increase in the "noise" content of traffic through their outer routers. All of it is high-port to high-port, usually greater than port 10000 on both ends. When I first read an article about it, a week ago, I thought it was just marketing fluff. Now, after seeing it discussed on various security mailing lists and a number of articles having been written about it, I decided to do a bit of research.

Here's what's known about it so far:

  • It was first noticed on or around 16 May.
  • It sends out SYN packets with a total size of 55808. Note that this has nothing to do with the actual packet size, though, which usually amounts to something much less.
  • The source addresses are spoofed.
  • It has been said the packets contain the phrase "day 0", which alludes to possibly being a "zero day" exploit. Others have said that this is "total bull."
  • No one has been able to prove that this is a worm, a trojan, a control signal for some other binary, etc.
  • It's not a SYN flood. That would require the target to be the same. These appear to be random and generating an excessive amount of traffic.
  • Some of the traffic may be from copycat malware (see source #3 below).


If it is a worm, it has the possibility of being nasty. Given that it is spoofing source addresses, it's designed not to care if the packets return. However, it sniffs for the ACK packets generated by return traffic from targets "scanned" by other infected systems. I'm making the "nasty" comment in that this worm had to have had an initial critical mass before it was able to generate this noticeable level of traffic. Either this is a second stage infection or someone compromised a LOT of systems to get this infection off of the ground.

Alternately, this may be a proof-of-concept distributed network scanner. While being mostly innocuous at this point, it foretells of some dark times for information security types.

Recommended precautions:

  • Ensure your firewalls are configured properly. They should only pass that which you explicitly allow. This will prevent any high-port to high-port traffic from passing through your firewalls.
  • Ensure ingress/egress filtering is properly configured on your premise routers. This will block traffic with spoofed source addresses.


  • If anyone is able to set up a packet capture for this traffic, please forward it to me (Hint: tcpdump 'tcp[14:2] = 55808') (credit to Mark Swaar) (add the appropriate switches to save the entire packets)
    Update: no longer needed. The filter does work. The packets are empty SYN packets with large windows.
  • If anyone is able to capture the offending binary, please forward it to me.
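
The tcpdump hint above compares the two bytes at offset 14 of the TCP header, which is the TCP window field. The Python below is an added example, not part of the original post: it applies the same test to raw IPv4 packets and then checks the other traits listed above (SYN only, both ports above 10000, no payload). The function names and the sample packets are constructed for illustration.

```python
import struct

WINDOW = 55808  # value matched by the post's filter tcp[14:2]=55808

def build_packet(src, dst, sport, dport, flags, window, payload=b""):
    """Constructed sample: minimal IPv4 + TCP packet (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      window, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return ip + tcp

def classify(packet):
    """Return the traits of a window-55808 TCP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                            # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4               # IP options shift the TCP header
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0 or len(packet) < ihl + 20:
        return None                            # later fragment or truncated header
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes
    window = struct.unpack("!H", tcp[14:16])[0]  # same bytes as tcp[14:2]
    if window != WINDOW:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {
        "syn_only": tcp[13] & 0x3F == 0x02,    # SYN set, no other flag
        "high_ports": sport > 10000 and dport > 10000,
        "empty": total_len - ihl - data_off == 0,
    }

def matches_description(packet):
    """True only when every trait from the post's list is present."""
    hit = classify(packet)
    return hit is not None and all(hit.values())

SAMPLES = [  # constructed packets using documentation address ranges
    build_packet((192, 0, 2, 10), (198, 51, 100, 7), 31337, 40123, 0x02, 55808),
    build_packet((192, 0, 2, 11), (198, 51, 100, 8), 51000, 80, 0x02, 55808),
    build_packet((192, 0, 2, 12), (198, 51, 100, 9), 45000, 45001, 0x10, 55808, b"x"),
    build_packet((192, 0, 2, 13), (198, 51, 100, 9), 45000, 45001, 0x02, 65535),
]
```

Only the first sample matches every trait; the second and third share the window value but fail the port and flag/payload checks, which is the kind of ordinary traffic a window-only filter would also catch.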


1) Title: Trojan Picks Up Steam, Baffles Experts

2) Title: New Breed of Trojan

3) Title: Intrusec Alert: 55808 Trojan Analysis

4) Title: Meet Stumbler: Next Gen port scanning malware

5) Title: Mysterious Net traffic spurs code hunt
