Security Researchers Uncover Mystery Malware

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,1132253,00.asp

By Dennis Fisher
June 19, 2003 

Security experts finally have a handle on mystery malware that was
generating loads of suspicious IP traffic over the last few weeks.

Researchers at Internet Security Systems Inc. say the culprit, which
was first thought to be a new breed of Trojan, is actually a
distributed network mapping tool that also acts as a listening agent.  
Dubbed Stumbler, the agent is not considered malicious right now
because it contains no payload, but it has the potential to generate
enough IP traffic to hamper network performance.

What has experts most concerned is the ease with which Stumber could
be reprogrammed to make it more damaging.

"We're really more interested in the next version because it could
easily become a worm," said Dan Ingevaldson, team lead on ISS' X-Force
research and development team in Atlanta, which tracked down the
Stumbler agent. "You should defnitely remove it if you find it. And
you should be concerned about how it got there because someone had to
put it there intentionally.

"It's not very advanced," Ingevaldson added. "The complexity and the
elegance of the network is what makes it good."

ISS officials said it's impossible to say how many machines have been
infected with Stumbler, though the amount of traffic being generated
by the agent, which scans random IP address and looks for other
versions itself, indicates at least several hundred infections.

The agent captured by ISS is in Linux binary, but researchers say it
could easily be ported to other platforms and likely will be.

News of the code capture comes as a relief to investigators from
several agencies, including the FBI and the Department of Homeland
Security, which were also tracking the rogue IP activity.

Stumbler first appeared around May 16 and began randomly scanning
Internet-connected machines. The scanning was slow at first but began
to pick up speed in recent days as more machines have become infected.  
ISS researchers were seeing nearly 3,000 scans an hour earlier this
week across the entire address space that the company monitors.

Stumbler scans random ports on random machines, each time sending an
initial SYN packet. One of the few identifiable characteristics of the
program is a window size of 55808 on each of the packets it transmits.  
It also spoofs the originating IP address on all of the packets,
making them look as if they're coming from machines in unallocated
name space. The window size led some to speculate that the malware was
related to the Randex IRC bot, but experts now say the TCP window size
is coincidental.

ISS said it was alerted to the existence of the mystery agent by an
employee at a defense contractor and later notified both the FBI and
the CERT Coordination Center.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.