By Dennis Fisher
June 13, 2003

Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack.

However, experts have been unable to pin down many of the details of the program's behavior and are unsure how many machines might be compromised by the Trojan. The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size. Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on.

The Trojan is also capable of spoofing the source IP addresses for the packets it sends, making it much more difficult for researchers to track infected hosts. The program appears to scan IP addresses at a rate that enables it to scan about 90 percent of the IP addresses on the Internet in 24 hours, according to officials at Lancope Inc., an Atlanta-based security vendor. The company has seen the new Trojan on its own honeynet and has also observed it on the network at a university.

The company said it was alerted to the existence of the Trojan by an employee at a defense contractor and later notified both the FBI and the CERT Coordination Center. A spokesman for the FBI confirmed that the bureau was aware of the issue, but said there was little it could do unless there's an incident.

"Until something happens, the FBI is on the sidelines on this one," said Bill Murray, spokesman for the FBI in Washington. "There's not really anything to investigate."

Unlike typical Trojans, the new program does not have a controller e-mail address written into the source code.

Source: eWeek