Published: 2003-06-23

Additional notes on Stumbler.

this is an addition to yesterdays diary:


To detect these packets with Snort, Brian Coyle has provided a Snort rule:

alert tcp any any -> any any (msg:"WATCHLIST - 20030613-window size 0xDA00";

flags: S; window: 55808; classtype:bad-unknown; sid:9999999; rev:2;



To capture the packets, tcpdump can be used:

tcpdump -i eth0 -np -s 1500 -w /root/tcp-5508 'tcp[14:2] = 55808'

Adjust "eth0" to be your primary network device.

Here are some additional links to Stumbler articles and pages:











Published: 2003-06-22

Window Size 55808 packets

For a month now, systems world wide are detecting an increase of packets
which have the TCP option "Window Size" set to 55808 bytes. The source IP
appears to be spoofed on all packets.

As part of a TCP connection, the receiver can advertise a "window size". The
sender will not wait for an 'ACK' until the window size is reached. As a
result, larger chunks of data can be transfered faster.

The larger the available bandwidth, or the larger the latency, the larger the
window size one should chose. The largest possible window size is 65535 bytes.
A window size as large as 58808 bytes is only useful on a very high bandwidth,
or a high latency connection [1].

So far, it is not clear what purpose these packets have. A tool was found which
appears to send packets with a window size of 58808 bytes[2] . Its intent
appears to be distributed scanning. The idea is to send packets with random
source IPs to random hosts. The replies (if any) would be detected by another
host infected with identical malware. The detector would identify the packet
by its odd window size.

However, if this is the intent of the code, it is not performing this function
very well. We found that a particular target is only hit at a given single port.
The distribution of target ports does not show a bias to frequently used ports.

The data available to the Internet Storm Center does usually not include TCP
options. However, some submitters sent more details. About 3% of the data
submitted with with window size information had a window size of 58808 bytes.

The number of packets increases exponentially, indicating some kind of
propagation mechanism.

Graph #1: Number of packets intercepted each day


The TTL distribution implies an initial TTL of 128, which is typical for
Windows systems. The code analyzed by Intrusec was captured on a Linux system.
But default TTLs are easily adjusted and the analysis points out that the code
could be ported to Windows.

Graph #2: TTL distribution


Graph #3: Number of target IPs and presumable spoofed source IPs per day


[1] W. Richard Stevens, TCP/IP Illustrated, pages 282ff

[2] http://www.intrusec.com/55808.html
[3] http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22441


Published: 2003-06-04

port 901 surge


Our incident handler team observed an increase in localized scans for port 901 over the last few days ( http://isc.sans.org/port_details.html?port=901&;;tarax=1 ).
Port 901 is commonly used by 'swat', a tool to administer SAMBA. However,
we found that these scans can be attributed to a new 'remote administration'
package called 'Net Devil'.

'Net Devil' is listening on port 901, and upon connection it is sending the
prompt: 'passed' . Another version was found to use 'passwd pleaz' as a prompt.
While port 901 is used for authentication, port 903 is used after the connection
is established to send commands.

A version of the tool was captured using THP (Tiny Honeypot). It was uploaded using the filename 'xstyles.exe'. The file itself is packed using ASPack. Kaspersky Antivirus labels the payload as TrojanDropper.Win32.Small.aj .
So far, the program does not appear to be fully functional and is not running on our test systems. However, a new version of NetDevil may be imminent.

NetDevil is discussed in some bulletin boards, and it is not clear who is
currently developing the code.

George Bakos, ISTS Dartmouth Univ. contributed to this report.