Weird web data foxes experts
Dave,
If what mct suggests is true, this suggests more focused attacks, in which, instead of randomly scanning the entire IP address space, co-ordinated deployments focus on cross-scanning/spoofing specified sub-sets of the IP address space could be quite effective.
I could even imagine a mechanism wherein each system actually aggregates results from multiple scans, and then sends them along… and in which systems can actually update each other and distribute larger datasets by passing along the results of scans received from other systems, etc.
In fact, there is no end to the possibilities enabled by this type of “hiding in the open” technique… if you assume, from the very beginning, that source and destination addresses are completely random (or random within specific sub-sets of the IP address range), then these trojans could do anything a normal IP session would do - it is just like spam, who cares if only 1 out of 1,000,000 messages sent actually results in a connection… as long as enough of them do, it doesn’t matter. You could do distributed software updates, you could actually have infected systems create self-propagating databases (suitably encrypted and authenticated) of which systems are infected, and actually initiate non-random connections among all the noise (it would be very hard to identify them), etc. all completely uncontrolled (directly) from any central source.
I actually suggested this as a possibility, using Usenet as the distribution vehicle for information, five or six years ago in an exchange with Bruce Sterling.
Regards,
Thomas Leavitt
From: Dave Farber
Subject: more on Weird web data foxes experts
Date: Wed, 25 Jun 2003 15:18:06 -0400
—— Forwarded Message
From: M Taylor
Date: Wed, 25 Jun 2003 20:13:00 +0100
To: Dave Farber
Subject: Re: [IP] Weird web data foxes experts
> From: Bob
>
> Security experts are keeping an eye on strange packets of data that could
> herald new hack attacks.
…
This trojan aims to be a distributed port scanner whose presence is very
difficult to detect. It port scans random addresses across the IP
address space, with a random source address also spoofed. By spoofing
the source address, the trojan is able to avoid easy detection, but it
also means it can not receive the results of the TCP SYN that is sent.
However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet. As the number of trojans installed across
the Internet grows, more spoofed packets will be sent out by each
trojan, and more of the spoofed source addresses will be captured by
other trojans.
…
ISS’s X-Force — “Stumbler” Distributed Stealth Scanning Network
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441
what I can make of it is that is appears to be based on concepts
discussed but not previously seen implemented, and it appears that
this may be a prototype release for a more effective and possibly
more malicious worm/trojan. I am not clear if this is self-propagating
or not, so I don’t know what exactly to call it. A lot of intrusion
analysts and firewall admins are seeing traffic from these scans. It
is also not clear now well it is working. I suspect that given past
track records of how long it has taken to clean up systems from
high impact attacks versus “low-impact” i.e. does not prevent day-to-
day business functions, it might be tolerated enough to gather
a large enough database from its scanning. -mct
—— End of Forwarded Message
