
Stumbler mapping networks for future attacks

By Edward Hurley, SearchSecurity.com News Writer
25 Jun 2003 | SearchSecurity.com


The recently discovered Stumbler network-mapping tool represents a variety of malware that leaves enterprises with little in the way of defense, other than to lock down networks and employ intrusion detection, experts said.

At first, some researchers considered Stumbler a Trojan horse program, but Neel Mehta, a research engineer with Atlanta-based Internet Security Systems Inc.'s X-Force research team, isn't so sure. "It's hard to characterize," he said, noting that Stumbler doesn't enable unauthorized access like a Trojan does.

Stumbler doesn't fit cleanly into a line of the malware family tree. It can be best described as a distributed network-mapping program, Mehta said. It uses a TCP SYN probe with a window size of 55808 to explore networks. Stumbler spoofs its source IP address to cloak where the probe originated.

Stumbler's job is to probe networks for open ports on hosts and firewalls. This information can then be used by the author to attack vulnerable systems. Its reconnaissance scanning is done randomly; it's not targeted at specific companies or sectors, Mehta said.

Over the last week or so, Stumbler has been probing networks looking for open ports on firewalls and hosts. That information is then sent to a now-defunct IP address. The program contains several programming errors, which limit its effectiveness. On top of that, Stumbler cannot spread itself. Someone needs to consciously install it on a system.

Clearly, the version of Stumbler that exists in the wild is not that dangerous. "It isn't very serious, but the next generation of it may be much more serious," Mehta said. For example, Stumbler is fairly light on bandwidth. Another version could consume far more of it to perpetrate a denial-of-service attack.

There are no specific things companies can do to protect against Stumbler. "The only way is network security best practices, such as making sure firewall rules are in place so internal networks aren't mapped," Mehta said.

Admittedly, there are times when systems have to be reachable by the outside world. By nature, Web and e-mail servers have to be outward facing. It may not be possible to protect such systems from being mapped, but having an intrusion-detection system in place would detect attacks resulting from the mapped data, Mehta said.
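As an added illustration (not part of the original article and not ISS code), the sketch below shows the kind of check an intrusion-detection sensor could apply to the probe described above: a TCP SYN with a window size of 55808. Because the source address is spoofed, it tallies hits by destination instead; the function names and sample packets are constructed for the example, and a matching window size alone is a heuristic, not proof of Stumbler.

```python
import socket
import struct
from collections import Counter

STUMBLER_WINDOW = 55808  # TCP window size the article reports for Stumbler's SYN probes
SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(packet):
    """Return (src, dst, dport, flags, window), or None if not an unfragmented IPv4/TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    return src, dst, dport, off_flags & 0x3F, window

def is_stumbler_like(packet):
    """True for a SYN (ACK clear) segment that advertises the 55808 window."""
    fields = parse_ipv4_tcp(packet)
    return bool(fields) and (fields[3] & (SYN | ACK)) == SYN and fields[4] == STUMBLER_WINDOW

def probed_targets(packets):
    """Count matching probes per (destination, port); the source is spoofed, so it is ignored."""
    hits = Counter()
    for pkt in packets:
        if is_stumbler_like(pkt):
            _src, dst, dport, _flags, _window = parse_ipv4_tcp(pkt)
            hits[(dst, dport)] += 1
    return hits

def build_packet(src, dst, dport, flags, window):
    """Constructed test input: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp

# Constructed sample traffic using documentation address ranges, not captured data.
SAMPLE = [
    build_packet("198.51.100.7", "192.0.2.10", 22, SYN, 55808),
    build_packet("203.0.113.99", "192.0.2.10", 22, SYN, 55808),
    build_packet("198.51.100.8", "192.0.2.11", 80, SYN, 65535),           # ordinary SYN
    build_packet("192.0.2.10", "198.51.100.7", 40000, SYN | ACK, 55808),  # reply, not a probe
]
```

Calling `probed_targets(SAMPLE)` reports which internal hosts and ports were probed, which is the information a defender needs to review firewall rules for those systems.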
