June 13, 2003 
New Breed of Trojan Raises Security Concerns
By Dennis Fisher

Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack. 

However, experts have been unable to pin down many of the details of the program's behavior and are unsure how many machines might be compromised by the Trojan. 

The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size. Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on. 

The Trojan is also capable of spoofing the source IP addresses for the packets it sends, making it much more difficult for researchers to track infected hosts. The program appears to scan IP addresses at a rate that enables it to scan about 90 percent of the IP addresses on the Internet in 24 hours, according to officials at Lancope Inc., an Atlanta-based security vendor. The company has seen the new Trojan on its own honeynet and has also observed it on the network at a university. 

The company said it was alerted to the existence of the Trojan by an employee at a defense contractor and later notified both the FBI and the CERT Coordination Center. A spokesman for the FBI confirmed that the bureau was aware of the issue, but said there was little it could do unless there's an incident. 

"Until something happens, the FBI is on the sidelines on this one," said Bill Murray, spokesman for the FBI in Washington. "There's not really anything to investigate." 

Unlike typical Trojans, the new program does not have a controller e-mail address written into the source code. 

June 16, 2003 
Researcher Leaks CERT Bulletin
By Dennis Fisher

An anonymous member of a security mailing list on Friday posted an advisory that was taken from the CERT Coordination Center. The advisory, which concerns a flaw in some Adobe PDF file readers, is in the format of a submission from a researcher to CERT, not that of a bulletin from CERT to the general public. 

This researcher, who goes by the handle Hack4life, on several previous occasions has posted CERT bulletins before the center was ready to release them. In each case, including Friday's posting, the bulletins have appeared on the Full Disclosure mailing list. 

Officials at CERT, based at Carnegie Mellon University in Pittsburgh, said the information in Hack4life's posting came from a communication that the center sent to the vendors, who get early notice of new vulnerabilities.

This was also the case with the earlier postings Hack4life made. 

"We still at this point don't know which vendor it is [who's leaking the information]," said Jeffrey Carpenter, manager of CERT. 

In the most recent posting, Hack4life includes a few clues about his identity, although it's impossible to tell whether they're real, Carpenter said. 

"OK, so I've been a bit quiet recently, what with college and exams. But the semester's nearly over now so I'll have plenty of time to keep you all up to date with what those fools at CERT are up to once college is finished," he writes in the posting. 

CERT had plans to release its advisory on the PDF reader issue June 23, according to Hack4life's posting, but Carpenter said no decision has been made on a release date. "We're getting back in contact  with the vendors, as we would with any vulnerability that was leaked to the public," he said. 

The vulnerability appears in Adobe Systems Inc.'s Acrobat Reader and a handful of other similar programs and enables a local user to gain root privileges. The flaw allows attackers to execute shell commands on vulnerable machines by embedding them in PDF documents. The vulnerability affects readers on most Unix-based operating systems, according to the submission to CERT.