A new Trojan horse lurks at the gates

IT security professionals have found traces of a stealthy new Trojan horse that as yet has no name.

A security analyst for a Defense Department contractor detected it last month, said Chris Hovis, director of product marketing for Lancope Inc. of Atlanta. Lancope last week confirmed the behavior of suspicious TCP SYN packets on its own so-called honeynet and on a large university network.

The packets have a window size of 55808 in the header. The Trojan horse apparently listens for packets with this value, which Hovis said might contain encrypted instructions for communicating.

'Based on the activity we have seen, which looks like probes from zombie hosts, there are likely infected machines that are looking for that identifier,' Hovis said.

Signature-based antivirus software cannot detect the third-generation Trojan horse. Hovis said the FBI and the CERT Coordination Center at Carnegie Mellon University had been notified of it.

'There is nothing there that hasn't been seen before,' said Mary Lindner, CERT team leader for incident handling. 'Every one of these is an event, but the barometer is not rising.'

Hovis said no one yet knows how and how widely the Trojan horse is distributed or what its purpose is. At the current level of activity, he said, the suspicious packets could probe all IP addresses on the Internet every 27 hours.

Administrators can use tools such as TCPdump, which monitors and filters TCP activity, to learn whether their networks are sources of the telltale probing. They can also monitor for aberrant behavior, such as unusual traffic volumes or new ports and services being opened.

About the Author

William Jackson is a Maryland-based freelance writer.


  • automated processes (Nikolay Klimenko/Shutterstock.com)

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected