Security Researchers Feverishly Track New Trojan

Dan Ingevaldson, team leader for Internet Security Systems' X-Force R&D unit, says researchers are studying the Trojan--currently dubbed 55808 for its Windows size--which has been causing confusion for about a month in security circles. Security experts managed to capture their first copy of the Trojan on Wednesday, and they're still working to determine exactly what the Trojan is trying to accomplish.

One thing is clear: Trojan 55808 is sneakier than previous Trojan horses. It doesn't self-propagate, like a virus or a worm, and requires the attacker to plant it on systems. But it does transmit a lot of network noise designed to throw off cybersleuths attempting to find the IP addresses of infected systems, as well as the address of the Trojan's writer or controller.

"For each machine that is infected, it will throw off 1,000 fake or spoofed IP addresses," Ingevaldson says.

Furthermore, the Trojan is part of a distributed network that security researchers have yet to completely understand. "All of these Trojan agents, or zombies, are working together," Ingevaldson says, "though there isn't a direct communication channel. Someone is trying to map Internet-connected networks."

The Trojan currently attacks Linux-based systems, Ingevaldson says, but it could easily be ported to other operating-system platforms. Many businesses use Linux as the operating system for their Web servers.

So far, it hasn't been possible to determine the number of infected systems, says Ingevaldson, who adds that the Trojan could be an experiment. Says Ingevaldson, "It seems to be a platform to technically see if this widespread network mapping can be done."

This story courtesy of InformationWeek./i>