File: 2182.txt

snort 2.3.3-11
Rule:

--
Sid:
2182

--
Summary:
This event is generated when network activity from the Linux Trojan Typot is detected.

--
Impact:
Increased network traffic leading to bandwidth consumption.

--
Detailed Information:
Current information based on binary analysis of the Typot Trojan shows that network traffic is generated with a TCP window size of 55808 bytes. Whilst this Trojan does not appear to contain any malicious payload, it will generate spurious network scanning activity. The source IP address for the scanning activity is spoofed.

When a host becomes infected a file named "r" is created in the same directory the binary was executed from. The Trojan then begins generating network traffic as described above. An infected victim host may have a file named "a" in the /tmp directory. After an unspecified time period the Trojan itself may attempt to connect to an external IP address using Secure Shell (ssh) for communication. If this communication is successful, the "a" file may be deleted.

The Trojan may also use the libpcap and libnet libraries to generate network traffic.

--
Affected Systems:
Linux

--
Attack Scenarios:
An attacker may have installed the Trojan after a previous system compromise.

--
Ease of Attack:
Simple.

--
False Positives:
Any application that generates a TCP SYN packet with a window size of 55808 bytes will generate this event. Currently it is not known which, if any, commonly deployed applications generate these specific packets.

It is also possible to recreate this particular traffic using network packet generating tools such as hping.
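The detection described under Detailed Information and False Positives amounts to a single header test: a TCP SYN whose advertised window is exactly 55808. The following added example (not part of the rule documentation or the Snort source) implements that test over constructed raw IPv4/TCP frames, including a SYN/ACK that happens to advertise 55808, to show why only bare SYNs count; treating the two ECN bits as ignorable in the "SYN only" test is an assumption of this example.

```python
import struct

TYPOT_WINDOW = 55808   # TCP window size reported for Typot traffic (from the rule doc)
TCP_SYN, TCP_ACK = 0x02, 0x10
FLAG_MASK = 0x3F       # ignore the two ECN bits when testing "SYN only" (assumption)

def build_ipv4_tcp(src, dst, sport, dport, window, flags=TCP_SYN):
    """Constructed sample frame: minimal IPv4 + 20-byte TCP header, no payload,
    checksums left at zero. Not real captured traffic."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0,
                          5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr

def parse_tcp(pkt):
    """Return (flags, window) from a raw IPv4/TCP frame, or None if it is not TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    fields = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return fields[5], fields[6]          # flags byte, window

def matches_sid_2182(pkt):
    """Detection logic described by this rule doc: a bare TCP SYN whose
    advertised window is exactly 55808 bytes. True means 'would alert'."""
    parsed = parse_tcp(pkt)
    if parsed is None:
        return False
    flags, window = parsed
    return (flags & FLAG_MASK) == TCP_SYN and window == TYPOT_WINDOW

# Constructed samples: a Typot-like probe, a normal SYN, and a SYN/ACK that
# happens to advertise 55808 (should not match: the doc talks about SYN packets).
SAMPLES = {
    "typot_like":   build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40000, 80, TYPOT_WINDOW),
    "normal_syn":   build_ipv4_tcp("10.0.0.5", "192.0.2.10", 40001, 80, 5840),
    "synack_55808": build_ipv4_tcp("192.0.2.10", "10.0.0.5", 80, 40000, TYPOT_WINDOW,
                                   TCP_SYN | TCP_ACK),
}

def triage(samples=SAMPLES):
    """Apply the check to every sample; the hits are what an analyst would
    follow up on the host (see Corrective Action)."""
    return {name: matches_sid_2182(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:14s} {'ALERT sid:2182' if hit else 'no match'}")
```

Because the check is purely on the window value, any SYN that advertises 55808 (including one crafted with a packet generator) triggers it, which is exactly the false-positive condition the section above describes.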

--
False Negatives:
None Known.

--
Corrective Action:
Investigate the affected host for signs of system compromise.

Delete the files "r" and "a" if found.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Matt Watchinski <mwatchinski@sourcefire.com>

--
Additional References:

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/trojan.linux.typot.html

e-week
http://www.eweek.com/article2/0,3959,1130759,00.asp

Intrusec
http://www.intrusec.com/55808.html

--