Re: FW: Linux security virus
The sky is falling, The sky is falling!
Just kidding, but I'm not going to take this too seriously. Which website
did this come from? I think it's a lot about nothing.
Brune, Charlie wrote:
>Here's more information about the virus I posted about this morning:
>
>>New Linux Backdoor Virus Gains Smarts
>>SOURCE: Newsbytes
>>DATE: Monday, January 7, 2002
>>
>>Newsbytes via NewsEdge Corporation : Brian McWilliams, Newsbytes. 01/05/2002
>>A new and more dangerous version of a remote-control virus that targets
>>computers running the Linux operating system may be in the wild, but security
>>experts do not expect the malicious code to spread widely.
>>According to preliminary analyses, the virus appears to be a "smarter" variant
>>of the Remote Shell Trojan (RST), discovered last September, that infects
>>programs written for Linux, an alternative to Microsoft's Windows.
>>Managed security provider Qualys obtained a copy of one new variant last month
>>from an "outside source," according to Gerhard Eschelbeck, vice president of
>>engineering. Qualys will release a detailed advisory, along with detection and
>>cleaning tools next week for the new virus, which it has labeled RST.b.
>>Like the initial RST, the new variant identified by Qualys is designed to
>>infect binary files in the Linux Executable and Linking Format (ELF) and
>>create a "back door" on an infected system that gives a remote attacker full
>>control.
>>But Eschelbeck said RST.b is more dangerous than its predecessor because it
>>contains a payload that turns the infected machine into a network "sniffer"
>>that enables the virus to identify and use any open port for communication.
>>"The sniffer function allows the backdoor process to listen for any types of
>>packets coming from any type of UDP port. This is an interesting but dangerous
>>methodology we have not seen before," he said.
>>Qualys' findings differ somewhat from a separate analysis of a new RST variant
>>identified last month by an independent security researcher who uses the
>>nickname Lockdown.
>>According to Lockdown's analysis, the virus relies on the less common exterior
>>gateway protocol (EGP) instead of the user datagram protocol (UDP). Lockdown
>>said he discovered the virus on a "wargame box," a system used for hacking
>>experiments.
>>Ryan Russell, incident handler for SecurityFocus, confirmed Lockdown's
>>analysis in a posting last week to Focus-Virus, an e-mail list operated by the
>>security consulting and information firm.
>>The differences between the samples obtained by Qualys and Lockdown raise the
>>possibility that "we may be dealing with two different new variants of RST,"
>>said Russell.
>>Qualys and SecurityFocus are attempting to reconcile the different conclusions
>>about the virus samples, and will share the code with anti-virus vendors,
>>Eschelbeck said.
>>According to Lockdown, the new RST attempts to connect to port 80 on a server
>>operated by iGlobalSales.Com of Seattle, Wa., apparently in an effort to
>>upload the Internet address of the infected system. The server was still
>>responding this afternoon.
>>Representatives of the Internet service provider were not immediately
>>available for comment.
>>To date there have been "limited" reports of the new RST variant in the wild,
>>according to Eschelbeck. To replicate, the virus requires users to run an
>>infected program from an account with "root" permissions. Upon execution, the
>>infected program will attempt to spread the virus to all ELF files on the
>>local system, he said.
>>Unlike some Windows-based viruses that travel like wildfire using
>>vulnerabilities in Microsoft's Outlook e-mail program, the new RST variant is
>>unlikely to spread widely, according to Russell.
>>Although many Linux users do not run anti-virus software, they are generally
>>more sophisticated about security threats and are unlikely to click on
>>executable e-mail attachments, he said.
>>However, Russell said it would be "dead simple" to attach the virus to a
>>useful program, such as a tool that exploits a security hole, and beguile some
>>users into running it. What's more, a malicious user could upload the virus to
>>a Linux download library.
>>"What happens if this thing finds its way onto a popular download site of some
>>sort? SourceForge would be a particularly bad one. Most people will only
>>download source code, but there are lots of binary files available too," he
>>said.
>>Uriah Welcome, an administrator for the popular SourceForge repository of open
>>source programs for Linux, said the unit of VA Software Corporation does not
>>scan files uploaded to the site for viruses.
>>"It is the duty of the project maintainer to make sure that their files are
>>free of virii ... it would be trivial for us to add something like this, (but)
>>it's just not something anyone has ever asked for," he said.
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
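The forwarded article describes RST.b as a file infector that, once run as root, rewrites every ELF binary it can reach on the local system. The usual defensive counter to that class of threat is an integrity baseline of the system's ELF files checked from a trusted copy. The script below is an added example (not from the article, Qualys or SecurityFocus): it recognises ELF files by their header, records a hash and size for each, and reports binaries that changed, appeared or vanished. The function names are this example's own, and demo() builds its scenario from constructed fake-ELF bytes in a temporary directory.

```python
import hashlib
import os
import struct
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

def elf_type(path):
    """Return e_type (2=EXEC, 3=DYN) if path starts with an ELF header, else None."""
    with open(path, "rb") as f:
        hdr = f.read(18)
    if len(hdr) < 18 or hdr[:4] != ELF_MAGIC:
        return None
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA selects the header's byte order
    return struct.unpack_from(endian + "H", hdr, 16)[0]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    """Map each ELF file under root (relative path) to (sha256, size); symlinks skipped."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p) and elf_type(p) is not None:
                baseline[os.path.relpath(p, root)] = (sha256_of(p), os.path.getsize(p))
    return baseline

def verify(root, baseline):
    """Re-scan root and report ELF files that changed, appeared or vanished."""
    cur = build_baseline(root)
    return {"changed": sorted(k for k in baseline if k in cur and cur[k] != baseline[k]),
            "new": sorted(set(cur) - set(baseline)),
            "missing": sorted(set(baseline) - set(cur))}

def demo():
    """Constructed scenario: baseline a fake ELF64 executable, then simulate an
    infector appending a payload to it and dropping a second ELF beside it."""
    root = Path(tempfile.mkdtemp())
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + struct.pack("<H", 2) + b"\x00" * 32
    (root / "ls").write_bytes(fake_elf)
    (root / "README").write_bytes(b"plain text, ignored by the scan\n")
    base = build_baseline(root)
    (root / "ls").write_bytes(fake_elf + b"\x90" * 64)  # constructed stand-in for appended code
    (root / "dropped").write_bytes(fake_elf)
    return sorted(base), verify(root, base)
```

Keep the baseline off the host or on read-only media: the article notes the infector needs root, and root can rewrite a locally stored baseline as easily as the binaries themselves.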