Media Contacts:

Jody Ma
Lancope
Phone: (770) 225-6513
email: jma@lancope.com

VIRUS ALERT: Lancope Confirms Discovery of Third-Generation Internet Trojan Horse

New Threat Poses Unlimited Risks and Renders Traditional Detection Means Ineffective

ATLANTA, Ga., June 9, 2003 - Lancope, Inc., the leading provider of Advanced Threat Protection solutions, today confirmed a new type of network attack, a third-generation Trojan horse that is infecting networks across the globe. Characterized by a TCP SYN probe with a window size of 55808, the latest Trojan horse bypasses traditional detection methods and can potentially launch a coordinated Distributed Denial of Service (DDoS) of crippling magnitude or transmit confidential information to an unauthorized recipient.

Based on evidence collected by Faron Golden, a senior security analyst with a defense contractor, Lancope confirmed the behavior of malicious probe packets on its own large honeynet and on the network of a large university. Currently, these probes are being seen at a rate that would lead to 63% of the IP addresses on the Internet being probed every 17 hours.

More evasive than its predecessors, the third-generation Trojan horse listens promiscuously for packets with specific identifying characteristics, in this case a TCP window size of 55808, embedded in the packet header. Other fields within the header, such as sequence number and port number, likely convey encrypted information about the destination (controller) IP and port to be used by the infected host for subsequent communication.
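The one observable the release gives is a TCP SYN whose window-size field is exactly 55808. The following is an added example (not part of the press release and not Lancope's code) of a small packet parser that decodes the fixed 20-byte TCP header and flags SYN-only segments with that window size, reporting the source/destination ports and sequence number so an analyst can look at the fields the release says may carry encoded controller information. The sample segments are constructed inline with the standard `struct` module; the helper names (`parse_tcp_header`, `is_55808_probe`, `scan_segments`) are this example's own. A window-size match by itself is a weak indicator, which is the point the release makes about signature-based detection, so this is a triage filter, not a verdict.

```python
import struct

# Window size the press release identifies as the probe's marker.
PROBE_WINDOW = 55808
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10

# Fixed TCP header (RFC 793): src port, dst port, seq, ack,
# data-offset/flags, window, checksum, urgent pointer = 20 bytes.
_TCP_FMT = "!HHIIHHHH"


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header into a dict of fields."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        _TCP_FMT, segment[:20]
    )
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x1FF,            # low 9 bits hold the flags
        "window": window,
    }


def is_55808_probe(hdr: dict) -> bool:
    """True for a SYN (not SYN/ACK) whose window field equals 55808."""
    flags = hdr["flags"]
    syn_only = bool(flags & TCP_FLAG_SYN) and not (flags & TCP_FLAG_ACK)
    return syn_only and hdr["window"] == PROBE_WINDOW


def build_tcp_header(sport, dport, seq, ack, flags, window) -> bytes:
    """Construct a minimal TCP header (no options, zero checksum) for test data."""
    off_flags = (5 << 12) | flags  # 5 x 32-bit words = 20-byte header
    return struct.pack(_TCP_FMT, sport, dport, seq, ack, off_flags, window, 0, 0)


def scan_segments(segments):
    """Return (index, sport, dport, seq) for every segment matching the probe.

    Truncated segments are skipped rather than raising, since a capture
    feed commonly contains short or damaged frames.
    """
    hits = []
    for i, seg in enumerate(segments):
        try:
            hdr = parse_tcp_header(seg)
        except ValueError:
            continue
        if is_55808_probe(hdr):
            hits.append((i, hdr["sport"], hdr["dport"], hdr["seq"]))
    return hits


# Constructed sample traffic: one probe-like SYN, one ordinary SYN,
# one SYN/ACK that happens to carry window 55808, and one truncated frame.
SAMPLE_SEGMENTS = [
    build_tcp_header(40213, 80, 0x1A2B3C4D, 0, TCP_FLAG_SYN, PROBE_WINDOW),
    build_tcp_header(40214, 443, 0x00000001, 0, TCP_FLAG_SYN, 65535),
    build_tcp_header(80, 40213, 0x0BADF00D, 0x1A2B3C4E,
                     TCP_FLAG_SYN | TCP_FLAG_ACK, PROBE_WINDOW),
    b"\x00\x50\x9d\x15",
]

if __name__ == "__main__":
    for idx, sport, dport, seq in scan_segments(SAMPLE_SEGMENTS):
        print(f"segment {idx}: SYN {sport}->{dport} window=55808 seq=0x{seq:08x}")
```

Run over a real capture, the same filter would be applied to the TCP payload of each IPv4 frame after stripping the link and IP headers; matches are worth correlating with the subsequent outbound behaviour of the receiving host rather than treated as conclusive on their own.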

The third-generation Trojan horse eliminates the weaknesses of the prior two generations. The first generation of network Trojans had hard-coded contact email/IP addresses within them. However, virus scanners easily uncovered the code and contact addresses, allowing the infected hosts to be cleaned and the contacted hosts to be shut down. The second generation of Trojan horses would listen on specific TCP or UDP ports for packets whose return addresses would be used to contact Controllers, often other compromised hosts. Signature-based Intrusion Detection Systems (IDSs) quickly detected Controllers scanning for these ports, while security scanners detected hosts listening on those ports.

"This new generation of Trojan horses makes it far more difficult to detect either the Controller IP address or the Trojan-infected hosts. In these cases where the Controller-Trojan connection cannot be detected, a behavior-based intrusion detection solution such as StealthWatch™ is critical," said Dr. John Copeland, founder, chairman and chief scientist with Lancope.

By detecting deviations from the typical server and client port usage of all local hosts, from traffic limits, and from expected internal/external Zone connections, StealthWatch offers the ability to detect the abnormal behaviors that occur after hosts are compromised and are being controlled for whatever purpose, including by third-generation Trojans.

"Signature-based IDSs and conventional attack detection methods are not capable of detecting third-generation Trojan horses. The ability to identify hosts that have been compromised by any technique demonstrates the value of StealthWatch's behavior-based approach to monitoring network activity," added Dr. Copeland. "StealthWatch's flow-based architecture continues to provide customers with the ability to detect unknown, mutated and encrypted attacks."

Upon confirming the new attack method, Lancope immediately notified both CERT and the FBI.

Lancope's award-winning Advanced Threat Protection solutions ensure business continuity and protect digital assets by providing comprehensive security and network intelligence, detecting zero-day attacks and enforcing security policies across the network and its devices. The Lancope product line includes the StealthWatch appliance for behavior-based intrusion detection and the StealthWatch Management Console™ for centralized, graphical web-based management of multiple StealthWatch appliances.

About Lancope and StealthWatch™

Founded in 2000, Lancope is the leading provider of next-generation network integrity solutions that deliver behavior-based threat defense, policy enforcement and insightful network intelligence. With integrated visibility across network security, traffic characteristics and host-level activity, Lancope's StealthWatch solutions provide unparalleled network protection and optimization. Both OPSEC and Common Criteria certified, StealthWatch has received numerous accolades. Most recently StealthWatch received a 5-star rating for technology excellence from CRN Magazine. In addition, StealthWatch has received the Innovation In Infrastructure Award from eWeek and PC Magazine and was honored "Most Impressive" by eWeek. Defending the networks of Global 2000 organizations, academic institutions and government entities, Lancope protects the critical assets of today's sophisticated enterprises. For more information, visit www.lancope.com.