http://www.sarc.com/avcenter/venc/data/trojan.linux.typot.html
http://www.internetweek.com/story/showArticle.jhtml?articleID=10700746
http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645
Dan Ingevaldson, team leader for Internet Security Systems' X-Force R&D unit, says researchers are studying the Trojan--currently dubbed 55808 for its window size--which has been causing confusion for about a month in security circles.
One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.
"For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.
The mysterious trojan horse that's been making security experts scratch their heads now has a name as more details of the oddball malware were made available.
As reported earlier, Stumbler embeds itself in Unix systems and seems to be part of a concerted effort to map Internet-connected networks using port scanning techniques. A copy of the trojan was finally captured Wednesday, and investigation of its code began Thursday.
Unsure as of yet how to describe Stumbler -- trojan, backdoor, zombie, or worm -- Intrasec called for additional analysis, and warned that although this variation is benign, modified versions could, in fact, prove malicious.
Symantec has officially named the trojan: Trojan.Linux.Typot
Trojan.Linux.Typot is a trojan horse affecting Linux systems. It generates TCP packets with a window size of 55808.
Every second, Trojan.Linux.Typot sends a spoofed TCP packet on the network. The source and destination IP addresses of the packet are picked randomly. The packet has some fixed characteristics, including the TCP window size, which is set to 55808.
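An added detection sketch, not part of the original post or the quoted articles: it parses raw Ethernet/IPv4/TCP frames and flags a sender whose packets carry the fixed window size 55808 under several different source IPs. Grouping by source MAC is an assumption that only holds when capturing on the infected host's own segment (past a router the MAC is the router's); the function names, the threshold and the sample frames are constructed for illustration.

```python
import struct

TYPOT_WINDOW = 55808  # fixed TCP window size described in the write-up above

def parse(frame: bytes):
    """Return (src_mac, src_ip, dst_ip, window) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None                                   # too short or not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                          # IP header length in bytes
    frag = struct.unpack("!H", ip[6:8])[0] & 0x1FFF   # non-zero: no TCP header here
    if ihl < 20 or ip[9] != 6 or frag or len(ip) < ihl + 20:
        return None
    window = struct.unpack("!H", ip[ihl + 14:ihl + 16])[0]
    dotted = lambda b: ".".join(map(str, b))
    return frame[6:12].hex(":"), dotted(ip[12:16]), dotted(ip[16:20]), window

def suspects(frames, min_sources=3):
    """Map source MAC -> number of distinct source IPs seen with window 55808.
    One such packet can be legitimate; many source IPs behind one MAC is not."""
    seen = {}
    for f in frames:
        rec = parse(f)
        if rec and rec[3] == TYPOT_WINDOW:
            seen.setdefault(rec[0], set()).add(rec[1])
    return {mac: len(ips) for mac, ips in seen.items() if len(ips) >= min_sources}

def make_frame(mac, src, dst, window):
    """Build a constructed test frame (checksums left zero; parse() ignores them)."""
    eth = bytes(6) + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00"
    addr = lambda s: bytes(map(int, s.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    tcp = struct.pack("!HHIIBBHHH", 1024, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return eth + ip + tcp

# Constructed sample: host A emits window-55808 packets under four source IPs,
# host B sends ordinary traffic plus one packet that happens to use 55808.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [
    make_frame(A, "192.0.2.10", "198.51.100.7", 55808),
    make_frame(A, "203.0.113.5", "192.0.2.99", 55808),
    make_frame(A, "198.51.100.44", "203.0.113.8", 55808),
    make_frame(A, "192.0.2.201", "198.51.100.1", 55808),
    make_frame(B, "192.0.2.20", "198.51.100.7", 65535),
    make_frame(B, "192.0.2.20", "198.51.100.7", 55808),
]
```
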