Security Researchers Uncover Mystery Malware | eWeek

Security Researchers Uncover Mystery Malware

Écrit par
Dennis Fisher
Dennis Fisher
Jun 19, 2003
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Security experts finally have a handle on mystery malware that was generating loads of suspicious IP traffic over the last few weeks.

Researchers at Internet Security Systems Inc. say the culprit, which was first thought to be a new breed of Trojan, is actually a distributed network mapping tool that also acts as a listening agent. Dubbed Stumbler, the agent is not considered malicious right now because it contains no payload, but it has the potential to generate enough IP traffic to hamper network performance.

What has experts most concerned is the ease with which Stumber could be reprogrammed to make it more damaging.

“Were really more interested in the next version because it could easily become a worm,” said Dan Ingevaldson, team lead on ISS X-Force research and development team in Atlanta, which tracked down the Stumbler agent. “You should defnitely remove it if you find it. And you should be concerned about how it got there because someone had to put it there intentionally.

“Its not very advanced,” Ingevaldson added. “The complexity and the elegance of the network is what makes it good.”

ISS officials said its impossible to say how many machines have been infected with Stumbler, though the amount of traffic being generated by the agent, which scans random IP address and looks for other versions itself, indicates at least several hundred infections.

The agent captured by ISS is in Linux binary, but researchers say it could easily be ported to other platforms and likely will be.

News of the code capture comes as a relief to investigators from several agencies, including the FBI and the Department of Homeland Security, which were also tracking the rogue IP activity.

Stumbler first appeared around May 16 and began randomly scanning Internet-connected machines. The scanning was slow at first but began to pick up speed in recent days as more machines have become infected. ISS researchers were seeing nearly 3,000 scans an hour earlier this week across the entire address space that the company monitors.

Stumbler scans random ports on random machines, each time sending an initial SYN packet. One of the few identifiable characteristics of the program is a window size of 55808 on each of the packets it transmits. It also spoofs the originating IP address on all of the packets, making them look as if theyre coming from machines in unallocated name space. The window size led some to speculate that the malware was related to the Randex IRC bot, but experts now say the TCP window size is coincidental.

ISS said it was alerted to the existence of the mystery agent by an employee at a defense contractor and later notified both the FBI and the CERT Coordination Center.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.