A new Trojan horse lurks at the gates
IT security professionals have found traces of a stealthy new Trojan horse that as yet has no name.
A security analyst for a Defense Department contractor detected it last month, said Chris Hovis, director of product marketing for Lancope Inc. of Atlanta. Lancope last week confirmed the behavior of suspicious TCP SYN packets on its own so-called honeynet and on a large university network.
The packets have a window size of 55808 in the header. The Trojan horse apparently listens for packets with this value, which Hovis said might contain encrypted instructions for communicating.
'Based on the activity we have seen, which looks like probes from zombie hosts, there are likely infected machines that are looking for that identifier,' Hovis said.
Signature-based antivirus software cannot detect the third-generation Trojan horse. Hovis said the FBI and the CERT Coordination Center at Carnegie Mellon University had been notified of it.
'There is nothing there that hasn't been seen before,' said Mary Lindner, CERT team leader for incident handling. 'Every one of these is an event, but the barometer is not rising.'
Hovis said no one yet knows how and how widely the Trojan horse is distributed or what its purpose is. At the current level of activity, he said, the suspicious packets could probe all IP addresses on the Internet every 27 hours.
Administrators can use tools such as TCPdump, which monitors and filters TCP activity, to learn whether their networks are sources of the telltale probing. They can also monitor for aberrant behavior, such as unusual traffic volumes or new ports and services being opened.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.