Scan of the Month #21 - June 2002
Analysis by Nikolay Sturm
------------------------------------

Hi!

1) What is the attacker attempting to achieve?

The attacker tries to activate a backdoor installed by the Remote Shell Trojan RST.b.

2) How does UDP work to achieve this purpose?

The trojan listens in promiscuous mode for UDP packets containing the ASCII string DOM, so a UDP packet to any port and any IP will activate the backdoor.

3) Why is the attacker using random src and dst UDP ports and random IP addresses?

He uses random IP addresses to hide himself; one can only guess the network he is in (213.68.213/24). He uses random src UDP ports because this is the normal way to send packets. He uses random dst UDP ports because it doesn't matter to the trojan (see 2) and it obscures the meaning of the packets.

4) Are all the packets originating from the same machine or different ones?

As the packets are all sent in less than 0.1 seconds, it is most probable that all packets are sent from one machine.

5) How can the attacker view the responses to his probes?

- sniff the 213.68.213/24 network in promiscuous mode
  + using a special sniffer to circumvent switches
  + he sits in one ethernet segment with those hosts whose IPs he uses as src IPs
- sit on a host that sees all traffic from the dst hosts to the src hosts and sniff the traffic

6) Can the attacker fingerprint the OS of the victim systems?

Depends on the firewall. :-) At least the attacker knows this is a Linux system, and with the ability to start any shell command he can surely identify the system by issuing "uname -a" as a command to the trojan.

bye,
Nikolay
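The detection side of questions 2 to 4 above, as an added example that is not part of the original analysis: it parses raw IPv4/UDP datagrams, flags any whose payload carries the ASCII trigger DOM regardless of port or destination, applies the "burst within 0.1 seconds" heuristic for a single sender, and collapses the spoofed source addresses to their common /24. The packets, addresses and timestamps are constructed for the example; the header layouts are standard IPv4 and UDP.

```python
"""Detect RST.b-style UDP activation packets (added example, not from the write-up).

Builds a few IPv4/UDP datagrams in memory and flags those whose payload contains
the ASCII trigger "DOM", which the analysis says the trojan listens for on any
port and any IP. All packets, addresses and timestamps are constructed here.
"""
import struct
import ipaddress
from collections import namedtuple

TRIGGER = b"DOM"  # activation string named in the analysis

Packet = namedtuple("Packet", "ts src dst sport dport payload")


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+UDP datagram (checksums zeroed; enough for parsing)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + udp


def parse_ipv4_udp(ts, raw):
    """Parse an IPv4 datagram; return a Packet for UDP, None for anything else."""
    if len(raw) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or len(raw) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen]  # ulen counts the 8-byte UDP header
    return Packet(ts, str(ipaddress.IPv4Address(src)),
                  str(ipaddress.IPv4Address(dst)), sport, dport, payload)


def find_trigger_packets(frames):
    """frames: iterable of (timestamp, raw_ipv4_bytes). Returns UDP packets carrying TRIGGER.
    Port and destination are deliberately ignored, matching how the trojan listens."""
    hits = []
    for ts, raw in frames:
        pkt = parse_ipv4_udp(ts, raw)
        if pkt is not None and TRIGGER in pkt.payload:
            hits.append(pkt)
    return hits


def probably_single_sender(hits, window=0.1):
    """Heuristic from the analysis: triggers clustered within `window` seconds
    suggest one sending host despite the random source addresses."""
    if len(hits) < 2:
        return True
    ts = [h.ts for h in hits]
    return (max(ts) - min(ts)) < window


def source_network(hits, prefix=24):
    """Collapse the (spoofed) source addresses to a common /prefix, or None if they differ."""
    nets = {ipaddress.ip_network(f"{h.src}/{prefix}", strict=False) for h in hits}
    return str(nets.pop()) if len(nets) == 1 else None


# Constructed sample traffic: three spoofed triggers plus one unrelated DNS-looking reply.
SAMPLE_FRAMES = [
    (1000.000, build_ipv4_udp("213.68.213.17", "10.0.0.5", 40123, 1027, b"DOM")),
    (1000.031, build_ipv4_udp("213.68.213.92", "10.0.0.6", 53210, 27015, b"DOM")),
    (1000.074, build_ipv4_udp("213.68.213.201", "10.0.0.7", 61000, 4444, b"DOM")),
    (1001.500, build_ipv4_udp("192.0.2.10", "10.0.0.5", 53, 33333, b"\x12\x34\x81\x80")),
]

if __name__ == "__main__":
    hits = find_trigger_packets(SAMPLE_FRAMES)
    for h in hits:
        print(f"{h.ts:.3f} {h.src}:{h.sport} -> {h.dst}:{h.dport} trigger")
    print("single sender likely:", probably_single_sender(hits))
    print("source network:", source_network(hits))
```

Run it directly to see the three flagged packets; on a real capture, feed (timestamp, IPv4 bytes) pairs from a pcap reader into find_trigger_packets. The port-agnostic match is the point: a rule keyed on a specific port would miss every one of these packets.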