Posted on 06/20/2003 11:28:19 PM PDT by FairOpinion
The mysterious trojan horse that's been making security experts scratch their heads now has a name as more details of the oddball malware were made available.
The trojan horse that has been causing confusion and concern among security researchers for over a month now has been dubbed 'Stumbler' by experts at Internet Security Systems (ISS).
As reported earlier, Stumbler embeds itself in Unix systems and seems to be part of a concerted effort to map Internet-connected networks using port scanning techniques. A copy of the trojan was finally captured Wednesday, and investigation of its code began Thursday.
After additional analysis, researchers at the security firm Intrasec tentatively concluded late Thursday that the captured sample is a copycat of the real trojan, created to mimic the behavior of another trojan or worm. In fact, said Intrasec, Stumbler seems to be based on a variety of media reports that have described the malware's hypothetical behavior and output.
Unsure as of yet how to describe Stumbler -- trojan, backdoor, zombie, or worm -- Intrasec called for additional analysis, and warned that although this variation is benign, modified versions could, in fact, prove malicious.
http://www.informationweek.com/story/showArticle.jhtml?articleID=10700645
Security Researchers Feverishly Track New Trojan June 19, 2003
The threat throws off lots of noise and seems to be mapping the Internet. By George V. Hulme
There's a new security threat out on the Internet, but it's not clear how much of a threat it really is. Security researchers at Internet Security Systems say they've captured the code for a sneaky new Trojan application that has installed itself on an unknown number of Internet-connected servers and is attempting to scan and map networks connected to the Internet and send that information back to its controller. Dan Ingevaldson, team leader for Internet Security Systems' X-Force R&D unit, says researchers are studying the Trojan--currently dubbed 55808 for its Windows size--which has been causing confusion for about a month in security circles. Security experts managed to capture their first copy of the Trojan on Wednesday, and they're still working to determine exactly what the Trojan is trying to accomplish.
One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.
"For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.
Furthermore, the Trojan is part of a distributed network that security researchers have yet to completely understand. "All of these Trojan agents, or zombies, are working together," Ingevaldson says, "though there isn't a direct communication channel. Someone is trying to map Internet-connected networks."
The Trojan currently attacks Linux-based systems, Ingevaldson says, but it could easily be ported to other operating-system platforms. Many businesses use Linux as the operating system for their Web servers.
So far, it hasn't been possible to determine the number of infected systems, says Ingevaldson, who adds that the Trojan could be an experiment. Says Ingevaldson, "It seems to be a platform to technically see if this widespread network mapping can be done."
And a couple of other earlier threads & articles at FR:
http://www.freerepublic.com/focus/f-news/932918/posts
http://www.freerepublic.com/focus/f-news/930838/posts
Fact is, with MS Windows and other MS Operating Systems comprising 85%* of the market, naturally, 85% of the virus proggies are going to be aimed at that system.
Other OS's, get their "fair share" of virus according to their use within the PC /Server community.
* 85% is just a guess, not an accurate one, probably. ;o)
I dunno about that. aftr, is your unix system networked with the widows system that's on the internet or sharing an internet connection with it?
If so, than I would say that it is possible.
No, the two operating systems are just being transmitted through the same CAT5 cable and are viewed on the same monitors. They operate independently. IOW, I cannot send emails from the Unix program to be viewed on the Windows OS and vice versa. Windows connections to the Internet (and Intranet) cannot be accessed throught the Unix program.
No Nick, Bush2K and I don't work together (LMAO), and I'm certainly no Junior Munchkin (LMAOx2).
It is a shame that lawyers have to get involved, a damn shame. But that's what happens when somebody steals something worth billions of dollars. And that IS what we're talking about. And hard as it is for some of you to see, this whole case, AND my my personal opinion on it, have nothing to do with M$.
It's an important case for our country, as these foreign programmers that have already duped IBM will continue to pilage our IP and turn our engineering accomplishments into their public property.
The very day M$ is accused of such is the very day I will hammer them just as hard.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.