FW: Linux security virus

Here's more information about the virus I posted about this morning:

> New Linux Backdoor Virus Gains Smarts
> SOURCE: Newsbytes 
> DATE: Monday, January 7, 2002 
> Newsbytes via NewsEdge Corporation : Brian McWilliams, Newsbytes. 01/05/2002 
> A new and more dangerous version of a remote-control virus that targets
> computers running the Linux operating system may be in the wild, but security
> experts do not expect the malicious code to spread widely. 
> According to preliminary analyses, the virus appears to be a "smarter" variant
> of the Remote Shell Trojan (RST), discovered last September, that infects
> programs written for Linux, an alternative to Microsoft's Windows. 
> Managed security provider Qualys obtained a copy of one new variant last month
> from an "outside source," according to Gerhard Eschelbeck, vice president of
> engineering. Qualys will release a detailed advisory, along with detection and
> cleaning tools next week for the new virus, which it has labeled RST.b. 
> Like the initial RST, the new variant identified by Qualys is designed to
> infect binary files in the Linux Executable and Linking Format (ELF) and
> create a "back door" on an infected system that gives a remote attacker full
> control. 
> But Eschelbeck said RST.b is more dangerous than its predecessor because it
> contains a payload that turns the infected machine into a network "sniffer"
> that enables the virus to identify and use any open port for communication. 
> "The sniffer function allows the backdoor process to listen for any types of
> packets coming from any type of UDP port. This is an interesting but dangerous
> methodology we have not seen before," he said. 
> Qualys' findings differ somewhat from a separate analysis of a new RST variant
> identified last month by an independent security researcher who uses the
> nickname Lockdown. 
> According to Lockdown's analysis, the virus relies on the less common exterior
> gateway protocol (EGP) instead of the user datagram protocol (UDP). Lockdown
> said he discovered the virus on a "wargame box," a system used for hacking
> experiments. 
> Ryan Russell, incident handler for SecurityFocus, confirmed Lockdown's
> analysis in a posting last week to Focus-Virus, an e-mail list operated by the
> security consulting and information firm. 
> The differences between the samples obtained by Qualys and Lockdown raise the
> possibility that "we may be dealing with two different new variants of RST,"
> said Russell. 
> Qualys and SecurityFocus are attempting to reconcile the different conclusions
> about the virus samples, and will share the code with anti-virus vendors,
> Eschelbeck said. 
> According to Lockdown, the new RST attempts to connect to port 80 on a server
> operated by iGlobalSales.Com of Seattle, Wa., apparently in an effort to
> upload the Internet address of the infected system. The server was still
> responding this afternoon. 
> Representatives of the Internet service provider were not immediately
> available for comment. 
> To date there have been "limited" reports of the new RST variant in the wild,
> according to Eschelbeck. To replicate, the virus requires users to run an
> infected program from an account with "root" permissions. Upon execution, the
> infected program will attempt to spread the virus to all ELF files on the
> local system, he said. 
> Unlike some Windows-based viruses that travel like wildfire using
> vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is
> unlikely to spread widely, according to Russell. 
> Although many Linux users do not run anti-virus software, they are generally
> more sophisticated about security threats and are unlikely to click on
> executable e-mail attachments, he said. 
> However, Russell said it would be "dead simple" to attach the virus to a
> useful program, such as a tool that exploits a security hole, and beguile some
> users into running it. What's more, a malicious user could upload the virus to
> a Linux download library. 
> "What happens if this thing finds its way onto a popular download site of some
> sort? SourceForge would be a particularly bad one. Most people will only
> download source code, but there are lots of binary files available too," he
> said. 
> Uriah Welcome, an administrator for the popular SourceForge repository of open
> source programs for Linux, said the unit of VA Software Corporation does not
> scan files uploaded to the site for viruses. 
> "It is the duty of the project maintainer to make sure that their files are
> free of virii ... it would be trivial for us to add something like this, (but)
> it's just not something anyone has ever asked for," he said. 

To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
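The article describes a file infector that, when run as root, rewrites every ELF binary it can reach. The standard way to notice that kind of infection is an integrity baseline: hash the ELF files on a known-clean system, then re-scan and diff. The script below is an added example written for this page, not code from the list post, from Qualys or from any of the people quoted; it uses only the Python standard library, identifies ELF files by their magic number, and runs its demonstration against a constructed temporary directory (the file names `bin/ls` and `bin/cat` and their contents are stand-ins, not real binaries).

```python
"""ELF integrity baseline: record hashes of ELF files, then detect changes.

Added example, not part of the original post or the forwarded article.
"""
import hashlib
import json
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def is_elf(path):
    """Return True if the file begins with the ELF magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not load fully."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each ELF file under root (relative path) to its size and hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not is_elf(full):
                continue  # symlinks and non-ELF files are not hosts
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full),
                             "sha256": sha256_file(full)}
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON (store it off-host or read-only)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report ELF files whose size or hash changed, plus added/removed ones."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a clean tree, then alter one binary."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        # Constructed stand-ins: ELF magic plus filler bytes, not real programs.
        for name in ("ls", "cat"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
        with open(os.path.join(bindir, "README"), "wb") as f:
            f.write(b"not a binary\n")  # ignored: no ELF magic

        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulate an in-place modification of one host binary.
        with open(os.path.join(bindir, "cat"), "ab") as f:
            f.write(b"\x90" * 32)

        baseline = load_baseline(baseline_path)
        return baseline, compare(baseline, build_baseline(root))


if __name__ == "__main__":
    _baseline, report = demo()
    print(json.dumps(report, indent=1))
```

In practice the baseline is taken right after installation and kept somewhere the running system cannot rewrite, since an infector with root can alter a baseline file as easily as the binaries it describes; package-manager verification (`rpm -V`, `debsums`) serves the same purpose where it is available.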