Security Incidents mailing list archives
Re: sdbot variant and port 55808 activity
From: "Michael H. Warfield" <mhw () wittsend com>
Date: Wed, 18 Jun 2003 11:51:30 -0400
On Wed, Jun 18, 2003 at 10:45:08AM -0400, Joe Stewart wrote:
> While researching an IRC zombie infection for a third party, I came across a variant of sdbot which is hard-coded to send TCP packets with a window size of 55808 in its spoofed-synflooding function. Could this be the "next-gen" trojan that Lancope found? If so, it redefines the term next-gen, because sdbot is pretty much old-school.
>
> The particular variant I found is _not_ the well known "sdbot SYN edition" by Tesla. The packet construction subroutine is entirely different. Based on what I have seen here and in the firewall logs from as far back as January, I feel that there is a snippet of C being re-used in the underground and it uses a default window size of 55808. I've seen it used in broadscanning, and now as a synflooder.
>
> Here is an example command used in the IRC control channel to start a synflood with this version of sdbot. 192.168.1.21 is the address to be spoofed while attacking 192.168.1.1:
>
> $syn 192.168.1.1 6000 20 192.168.1.21 6666
>
> Here is a capture of some of the resulting packets:
>
> 07:26:51.048897 192.168.1.21.6666 > 192.168.1.1.6000: S 693933104:693933104(0) win 55808
> 0x0000 4500 0028 0a34 0000 8006 ad35 c0a8 0115 E..(.4.....5....
> 0x0010 c0a8 0101 1a0a 1770 295c 9430 0000 0000 .......p)\.0....
> 0x0020 5002 da00 6374 0000 0000 0000 0000 P...ct........
This doesn't quite match what I've been seeing...
Here's one of mine:
07:10:20.832981 144.254.30.156.49400 > 130.205.229.41.36591: S 3516334854:3516334854(0) win 55808 <mss 1460,nop,wscale 2,nop,nop,sackOK>
0x0000 4500 0034 d38a 0000 6f06 60a8 90fe 1e9c E..4....o.`.....
0x0010 82cd e529 c0f8 8eef d197 0306 0000 0000 ...)............
0x0020 8002 da00 58fe 0000 0204 05b4 0103 0302 ....X...........
0x0030 0101 0402 ....
Note the additional TCP options, "wscale 2" and "sackOK". They
seem to be characteristic of this critter. Most of the time, I see
the mss 1460 option but I've seen that vary from time to time.
> 07:26:51.049000 192.168.1.21.6666 > 192.168.1.1.6000: S 3950185482:3950185482(0) win 55808
> 0x0000 4500 0028 0a35 0000 8006 ad34 c0a8 0115 E..(.5.....4....
> 0x0010 c0a8 0101 1a0a 1770 eb73 0c0a 0000 0000 .......p.s......
> 0x0020 5002 da00 2983 0000 0000 0000 0000 P...).........
>
> 07:26:51.049096 192.168.1.21.6666 > 192.168.1.1.6000: S 2692113931:2692113931(0) win 55808
> 0x0000 4500 0028 0a36 0000 8006 ad33 c0a8 0115 E..(.6.....3....
> 0x0010 c0a8 0101 1a0a 1770 a076 660b 0000 0000 .......p.vf.....
> 0x0020 5002 da00 1a7f 0000 0000 0000 0000 P.............
Yours are consistent with each other and mine (thousands per
hour at this time) are consistent with each other. But they're not consistent
between the two sets.
> I have passed the binaries I have found along to the AV community, so anti-virus signatures at least for the variants I have found should be forthcoming.
I'd like to get a copy of that binary as well.
> Of course, this still doesn't explain the weird source and destination IP addresses and ports we are seeing since last month, but based on this I seriously doubt it is a covert channel. Maybe someone is just testing a new implementation of the synscanning code in a distributed manner, and has some bugs to work out.
>
> -Joe
>
> --
> Joe Stewart, GCIH
> Senior Intrusion Analyst
> LURHQ Corporation
> http://www.lurhq.com/
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw () WittsEnd com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Attachment: _bin
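As an added example (not code from either post in this thread): a small Python parser that rebuilds the packets from the tcpdump -x hex columns quoted above, decodes the IPv4/TCP headers and option list, and fingerprints each SYN by flags, window size and option layout. That is enough to separate the two packet families compared above (bare SYN, win 55808, no options versus SYN, win 55808, mss/nop/wscale 2/nop/nop/sackOK). The two sample dumps are copied from the messages; the field names, the `fingerprint` string format and the `is_suspect` rule are this example's own choices, not anything from sdbot or the thread.

```python
"""Decode tcpdump -x dumps of IPv4/TCP packets and fingerprint 55808-window SYNs.

Added example for this thread, not code from the original posts.  The sample
dumps below are copied from the messages; everything else is this example's own.
"""
import ipaddress
import re
import struct

SUSPECT_WINDOW = 55808  # window size hard-coded in the sdbot variant discussed above

# tcpdump -x line: "0x0010 c0a8 0101 ..." followed by an optional ASCII gutter.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+\s+((?:[0-9a-f]{2,4}(?=\s|$)\s*){1,8})", re.I)

TCP_FLAG_CHARS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
                  (0x10, "."), (0x20, "U"), (0x40, "E"), (0x80, "W")]

# Joe's spoofed SYN (copied from the thread; frame padded to 46 bytes, IP length is 40).
JOE_SYN = r"""
0x0000 4500 0028 0a34 0000 8006 ad35 c0a8 0115 E..(.4.....5....
0x0010 c0a8 0101 1a0a 1770 295c 9430 0000 0000 .......p)\.0....
0x0020 5002 da00 6374 0000 0000 0000 0000 P...ct........
"""

# Michael's SYN with options (copied from the thread).
MHW_SYN = r"""
0x0000 4500 0034 d38a 0000 6f06 60a8 90fe 1e9c E..4....o.`.....
0x0010 82cd e529 c0f8 8eef d197 0306 0000 0000 ...)............
0x0020 8002 da00 58fe 0000 0204 05b4 0103 0302 ....X...........
0x0030 0101 0402 ....
"""


def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from the hex columns, ignoring the ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def ip_checksum_ok(header):
    """Ones'-complement sum over the header (checksum field included) is 0xffff when valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_tcp_options(raw):
    """Decode the option block in wire order, naming the kinds seen in the thread."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # nop
            opts.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            opts.append("malformed")   # bad length: stop rather than read past the block
            break
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            opts.append("mss %d" % struct.unpack("!H", data)[0])
        elif kind == 3 and len(data) == 1:
            opts.append("wscale %d" % data[0])
        elif kind == 4:
            opts.append("sackOK")
        else:
            opts.append("opt%d" % kind)
        i += length
    return opts


def analyze(dump):
    """Return the header fields an analyst compares when grouping SYN-flood sources."""
    pkt = hexdump_to_bytes(dump)
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]          # slicing by IP length drops Ethernet padding
    sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    flags = "".join(c for bit, c in TCP_FLAG_CHARS if off_flags & bit)
    return {
        "src": "%s:%d" % (ipaddress.IPv4Address(pkt[12:16]), sport),
        "dst": "%s:%d" % (ipaddress.IPv4Address(pkt[16:20]), dport),
        "ttl": pkt[8],
        "ip_checksum_ok": ip_checksum_ok(pkt[:ihl]),
        "seq": seq,
        "flags": flags,
        "window": win,
        "options": parse_tcp_options(tcp[20:doff]),
    }


def fingerprint(dump):
    """Group packets by generator: flags, window and option layout (TTL varies per path)."""
    p = analyze(dump)
    return "%s/win%d/%s" % (p["flags"], p["window"], ",".join(p["options"]) or "noopts")


def is_suspect(dump):
    """True for a bare SYN (no ACK) carrying the window size discussed in the thread."""
    p = analyze(dump)
    return p["flags"] == "S" and p["window"] == SUSPECT_WINDOW


if __name__ == "__main__":
    for name, dump in (("joe", JOE_SYN), ("mhw", MHW_SYN)):
        print(name, is_suspect(dump), fingerprint(dump), analyze(dump))
```

Run over a larger capture, the fingerprint string is what you would count per source: the thread's point is that both families share win 55808, so the window alone is too coarse a signature and the option layout (and, for a single source, TTL) is what tells them apart.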