The Lookout: New Breed of Trojan

July 30, 2003
By: Dennis Fisher

Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack. Experts have been unable to pin down many of the details of the program's behavior, however, and they are unsure how many machines might be compromised.

The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55,808 bytes. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size. Experts believe that other fields within the packet's header probably give the infected host information about the IP address and contact port of the controlling host.

The Trojan is also capable of spoofing the source IP addresses for the packets it sends, making the process of tracking infected hosts much more difficult for researchers. The program can apparently scan about 90 percent of the IP addresses on the Internet in 24 hours, according to officials at Lancope, an Atlanta-based security vendor. Lancope notified both the FBI and the CERT Coordination Center.

Unlike typical Trojans, the new program does not have a controller e-mail address written into the source code.

http://security.ziffdavis.com/print_article/0,4281,a=45556,00.asp