[Full-Disclosure] raq 550 compromised

From: Feher Tamas (etomcat_at_freemail.hu)
Date: 10/07/03

  • Next message: 3APA3A: "[Full-Disclosure] Sambar issues"
    To: full-disclosure@lists.netsys.com
    Date: Tue, 7 Oct 2003 10:55:54 +0200 (CEST)
    
    

    >>www.ps-lov.us/pizda.tgz
    >>unknown binaries (yet?) named "mumu"
    >
    >compiled ptrace/kmod exploit (strings mumu).

    "Linux.OSF.8759" according to Kaspersky AVP antivirus

    http://www.avp.ch/avpve/newexe/unix/osf8759.stm

    This is a virus which combines file infection with enhanced backdoor
    capabilities, replicating on Linux systems and affecting ELF executables.
    The files infected by the virus have their file size increased by 8759
    bytes; of them, 3979 belong to the actual virus code while 4662 belong
    to the code of a backdoor, which the virus attaches to the end of
    infected files.

    Although the backdoor code is copied along with the virus, it seems it
    was designed in such way that it can be easily replaced with updated
    versions - the backdoor is not linked into the ELF structure, but is
    instead 'loaded' and executed by the virus itself. Therefore, 'improved'
    versions of this virus, especially of the backdoor code can be expected
    in the future.

    The virus infects all the files in the current directory, but avoids infecting
    files with names ending in 'ps', e.g. 'steps', or even the popular Unix
    utility tool 'ps'. The virus will also avoid infecting any files at all if the
    current directory is "/dev" or "/proc". To improve its chances to spread
    around, if run from a root account, the virus will also attempt to infect
    the executables from the "/bin" directory. In all cases, no more than
    201 files are infected in one run.

    The backdoor found in this version of the virus is listening on the UDP
    port 3049, or if the respective port is not available, it will try to increase
    the port number until one which can be used is found. The first time the
    virus is run, it will pass the control to the backdoor, and the backdoor
    will fork an execution thread so it can stay 'resident'. If at a later time
    the virus is run again, but from a root account, the backdoor will take
    care to replace itself with a new copy, running under the root
    context.

    Various internal commands are available within the backdoor to directly
    execute files on the target system or to launch a sniffer and forward
    the traffic to another machine. One of the commands attempts to edit
    the firewall rules list and wipe the first entry from there; besides that,
    there are also checks to find and remove any firewall entries which
    might prevent it from communicating on the hooked port, or, on the
    port used to communicate with the remote machine in the case of the
    sniffer.

    As a precaution, the virus also attempts to prevent tracing with various
    debugging utilities by spawning a copy of itself and then trying to
    debug itself from the spawned copy. If any debugger is already
    running, these steps will fail, and the virus will immediately terminate
    execution.

    Another detail is if the system uptime is 5 minutes or less, the virus will
    also terminate execution, probably in order to prevent simple inspection
    on 'test' machines.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
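The description above gives two concrete host indicators: infected ELF files grow by exactly 8759 bytes of code attached past the end of the file, and the backdoor binds UDP 3049 or the next free port above it. The following triage script is an added example written for this page; it is not code from the original post, from the list, or from Kaspersky. It walks the ELF program and section header tables to compute where the file's structure ends, reports any trailing overlay and whether its size is 8759, and parses `/proc/net/udp` for sockets bound in a window above 3049. The helper names, the search window of 16 ports, and the sample `/proc/net/udp` lines and minimal ELF image are constructed assumptions for illustration.

```python
"""Triage helpers for the two host indicators in the Linux.OSF.8759 write-up:
an ELF file with 8759 bytes appended past its structural end, and a process
bound to UDP 3049 or a nearby port.  Added example; names, window size and
sample inputs are constructed, not taken from the original post."""
import struct
import sys
from typing import List, Optional, Tuple

APPENDED_SIZE = 8759          # size increase quoted in the description
BACKDOOR_PORT = 3049          # UDP port quoted in the description
PORT_SEARCH_WINDOW = 16       # assumption: how far above 3049 to look
SHT_NOBITS = 8                # .bss-style sections occupy no file bytes


def elf_structural_end(data: bytes) -> Optional[int]:
    """Highest file offset covered by the ELF header, the header tables, the
    segments and the non-NOBITS sections; None if not a parseable ELF image.
    Anything in the file beyond this offset is an overlay."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if len(data) < (64 if is64 else 52):
        return None
    if is64:   # e_phoff starts at offset 32 in an ELF64 header
        hdr = struct.unpack_from(end + "QQIHHHHHH", data, 32)
        word, p_off, p_sz, s_off, s_sz = "Q", 8, 32, 24, 32
    else:      # e_phoff starts at offset 28 in an ELF32 header
        hdr = struct.unpack_from(end + "IIIHHHHHH", data, 28)
        word, p_off, p_sz, s_off, s_sz = "I", 4, 16, 16, 20
    phoff, shoff, _flags, ehsize, phentsize, phnum, shentsize, shnum, _ = hdr
    wfmt = end + word
    high = max(ehsize, phoff + phnum * phentsize, shoff + shnum * shentsize)
    for i in range(phnum):                      # segments: p_offset + p_filesz
        base = phoff + i * phentsize
        if base + phentsize > len(data):
            return None                         # truncated table: malformed
        off, = struct.unpack_from(wfmt, data, base + p_off)
        size, = struct.unpack_from(wfmt, data, base + p_sz)
        high = max(high, off + size)
    for i in range(shnum):                      # sections: sh_offset + sh_size
        base = shoff + i * shentsize
        if base + shentsize > len(data):
            return None
        stype, = struct.unpack_from(end + "I", data, base + 4)
        if stype == SHT_NOBITS:                 # no file bytes behind it
            continue
        off, = struct.unpack_from(wfmt, data, base + s_off)
        size, = struct.unpack_from(wfmt, data, base + s_sz)
        high = max(high, off + size)
    return high


def overlay_size(data: bytes) -> Optional[int]:
    """Bytes appended after the ELF structure, or None if not ELF."""
    end = elf_structural_end(data)
    return None if end is None else max(0, len(data) - end)


def matches_osf_size(data: bytes) -> bool:
    """True when the trailing overlay is exactly the 8759 bytes described."""
    return overlay_size(data) == APPENDED_SIZE


def udp_listeners(proc_net_udp: str, lo: int = BACKDOOR_PORT,
                  hi: int = BACKDOOR_PORT + PORT_SEARCH_WINDOW
                  ) -> List[Tuple[int, int, int]]:
    """Parse /proc/net/udp text; return (port, uid, inode) for every socket
    whose local port (hex field after the colon) lies in [lo, hi]."""
    hits = []
    for line in proc_net_udp.splitlines()[1:]:      # skip the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        port = int(parts[1].rsplit(":", 1)[1], 16)
        if lo <= port <= hi:
            hits.append((port, int(parts[7]), int(parts[9])))
    return hits


# Constructed sample: DNS on 53, plus bindings on 3049 and 3051 (0x0BE9, 0x0BEB).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 18934 2 0000000000000000 0
   1: 00000000:0BE9 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 24117 2 0000000000000000 0
   2: 00000000:0BEB 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24130 2 0000000000000000 0
"""


def build_sample_elf64(overlay: bytes = b"") -> bytes:
    """Constructed minimal little-endian ELF64: header, one PT_LOAD segment
    covering the first 0x80 bytes, no section table, then `overlay`."""
    body_end = 0x80
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                        64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000,
                       body_end, body_end, 0x1000)
    image = ehdr + phdr
    return image + b"\x00" * (body_end - len(image)) + overlay


if __name__ == "__main__":
    for path in sys.argv[1:]:                   # e.g. /bin/* on a suspect host
        with open(path, "rb") as fh:
            extra = overlay_size(fh.read())
        if extra:
            print(f"{path}: {extra} bytes past ELF end"
                  f"{' (matches 8759)' if extra == APPENDED_SIZE else ''}")
    try:
        with open("/proc/net/udp") as fh:
            for port, uid, inode in udp_listeners(fh.read()):
                print(f"UDP {port} bound by uid {uid}, socket inode {inode}")
    except OSError:
        pass                                    # not on Linux, or /proc hidden
```

Two caveats. A trailing overlay is only the indicator the description states; an infector that instead extends the last PT_LOAD segment's `p_filesz` keeps its code inside the structure, so a size-only check must be backed by package-manager verification (`rpm -V`, `debsums`) or known-good hashes. And the port scan works on inode numbers: map a hit back to a process with `ls -l /proc/*/fd | grep socket:\[24117\]`, and read `/proc/<pid>/exe` and `/proc/<pid>/cmdline` before trusting the name, since the backdoor re-executes itself as root once the virus runs again under that account.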

