Repost of query about 55808 trojan

From: Golden Faron P Contr HQ SSG/SWSN <Faron.Golden(at)Gunter.AF.mil>
Date: Fri Jul 11 2003 - 09:51:23 EDT

Original post request:

        Sent: Wednesday, July 09, 2003 3:39 PM
To: incidents@securityfocus.com
Subject: Code for 55808 Trojan

Anyone have an actual copy of the "55808 trojan"?

The reasons I ask are : From what I read at LURHQ and Intrusec as well as information from Lancope, there may have been (were?) at least two different pieces of code associated with the 55808 Odd Syn Packets. These packets are continuing and we have observed a slight, irregular increase in volume (about a month ago we were seeing 500-600 packets in a 10 minute period, three weeks ago 800-900 packets in a ten minute window, and currently 1000-1100 packets in a ten minute window). We are also now observing an increasing number of RST packets directed at our network space which shows that some of our network space is now being spoofed in packets directed at worldwide targets/victims. This data seems to suggest that the activity is not going away but is increasing and persistent.

I am not asking to receive the code as I really do not have time to dedicate to analysis and that has obviously already been done by competent parties. What I am asking is if anyone has captured some source for one or both of these critters and are we developing any effective countermeasures?

Thanks in advance,
Faron

---

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

---

Received on Fri Jul 11 14:52:23 2003