Researchers "Stumble" Onto Mystery Trojan

Around the middle of May 2003, security researchers and administrators noticed an increase in port scans. The scanning was slow at first, but in recent weeks has rapidly picked up steam. Nobody could pinpoint where the activity was coming from. The single identifiable trait seemed to be that all of the TCP packets have a window size of 55808.

As the scanning activity increased, it gained more attention from the security industry, the FBI and the Department of Homeland Security.

Everyone wanted to know what this scanning activity was about and where it was coming from.

The Trojan proved quite elusive though. Its source IP address and MAC address were both spoofed, so there was no way to trace it back to its origination point by capturing any of the packets. Without being able to trace the packets back to their source, researchers were left guessing at what the programming behind this Trojan was designed to do.

So there are thousands of TCP packets bouncing around with a window size of 55808 targeting random ports on random IP addresses. The SYN packet being transmitted from the source could not receive a reply because the source information in the packet was spoofed, so the reply wouldn't know how to get back to the originating machine.

Researchers theorized that, while the reply packets could not get to their true source, the Trojan agent was most likely designed to listen for network traffic with the specific window size of 55808. By doing so it could capture the replies from other scans and collect the information regarding which ports and IP addresses were open.
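The only stable signature the article gives is the TCP window field, so a defender's first move is to look for it in captured traffic. The following detector is an added example, not code from the article or from any of the researchers it quotes: it parses raw IPv4/TCP packets (no Ethernet header is assumed), reads the 16-bit window field at offset 14 of the TCP header, and flags SYN-only probes whose window equals 55808. The sample packets are constructed inline so the script runs offline; the addresses and ports in them are made up and carry no meaning.

```python
"""Flag TCP SYN probes carrying the window size reported for the Stumbler scanner.

Added example: the 55808 value comes from the article; everything else
(packet layout helpers, sample addresses and ports) is constructed here.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

STUMBLER_WINDOW = 55808   # window size reported in the article
TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSummary]:
    """Decode an IPv4 packet carrying TCP; return None for anything else."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[9] != 6 or len(frame) < ihl + 20:   # protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    # TCP header: sport, dport, seq, ack, data-offset/flags, window, csum, urg
    sport, dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", frame[ihl:ihl + 20])
    return TcpSummary(src, dst, sport, dport, off_flags & 0x01FF, window)


def is_stumbler_probe(pkt: TcpSummary) -> bool:
    """A scan probe is a bare SYN (no ACK) whose window is the 55808 marker."""
    syn_only = (pkt.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return syn_only and pkt.window == STUMBLER_WINDOW


def find_stumbler_probes(frames: List[bytes]) -> List[TcpSummary]:
    """Return the summaries of every frame that matches the probe signature."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is not None and is_stumbler_probe(pkt):
            hits.append(pkt)
    return hits


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, window: int) -> bytes:
    """Construct a minimal IPv4+TCP packet (checksums left zero; test data only)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags,
                      window, 0, 0)
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def sample_frames() -> List[bytes]:
    """Constructed capture: one marker SYN, one ordinary SYN, one SYN/ACK reply."""
    return [
        build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 445, TCP_SYN, 55808),
        build_ipv4_tcp("198.51.100.8", "192.0.2.10", 40001, 80, TCP_SYN, 65535),
        build_ipv4_tcp("192.0.2.10", "198.51.100.7", 445, 40000,
                       TCP_SYN | TCP_ACK, 55808),
    ]


if __name__ == "__main__":
    for hit in find_stumbler_probes(sample_frames()):
        print(f"marker SYN {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport} "
              f"window={hit.window}")
```

The SYN/ACK in the sample deliberately carries the same window value and is not flagged: the signature the article describes is on the outgoing probes, and a reply from a target reflects the target's own window. Because the source addresses are spoofed, the `src` field of a hit says nothing about the real sender; it is useful only for seeing which of your own hosts are being enumerated.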

Chris Hovis of Lancope, Inc., an Atlanta-based security firm, stated that at the rate the scanning was occurring all IP addresses on the Internet could be scanned every 27 hours.

Earlier this week, researchers were finally able to find an infected machine to analyze the source code and determine what makes this thing tick. ISS (Internet Security Systems) determined that the Trojan was a distributed network mapping system and dubbed it Stumbler.

Stumbler is not currently considered malicious code because it does not contain any payload or destructive capability. The code that was analyzed did not contain any ability to infect other systems or propagate itself in any way.

It did contain a single hard-coded IP address to which the harvested scanning information was sent. Stumbler would also check for connectivity to this external IP address; if it could not reach it, Stumbler was set to shut itself down and attempt to delete itself from the system.
