[Full-Disclosure] Possible First Crypto Virus Definitely Discovered!
From: Billy B. Bilano (mr.bill.bilano_at_email.server.unix.bill.bilano.biz)
To: <firstname.lastname@example.org> Date: Tue, 8 Jun 2004 10:53:29 -0500
Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!
I was sitting at my desk doing more research on the OPENBSD virus I
discovered last week. I was watching ethereal and monitoring the traffic
coming in and out of the facility and I saw a ton of traffic coming straight
for our web servers! The routers, firewalls, and intrusion detraction
systems were not sounding the red alarms like they should have been (we'll
get to THAT one later).
There appears to be a new virus in town and it's affecting Windows and UNIX
web servers! I have not identified a pattern of infection yet but the virus
is clearly advancing but it only affects web servers!
The virus works on port 443. It seems to accept inbound connections on that
port as well and, presumably, awaits for commands from some series of
servers elsewhere. Perhaps taking orders? I also captured some of the
traffic and attempted to analyze it up but it looks like -- you heard it
here first, folks -- the payload is encrypted! Is this the first of a coming
storm of crypto viruses we've all been eagerly fearing? (I have already sent
a copy of the payload to the distributed.net people so they can try to use
some of those wasting cycles to decipher it like they did the last one!)
I have taken the liberty of naming the virus already. I looked in
etc/services and saw that this port is for and it is something called "ssl"
so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
I called in our webmaster and showed him the data. He is either too stupid
to know what's going on or he takes me for a fool. I got him in the
conference room and showed him the print outs. He tried to convince me it
was not a virus and just normal web traffic but web traffic is on port 80!
No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
his marching orders. I have no time for this kind of bull, what with the
OPENBSD virus last week (still picking up the pieces there). He must have
known I was on to him because he was just laughing on his way out the front
door. He may have even been involved with the infection! Good riddance,
At any rate, this is your heads up, folks! You heard it here first! Be on
the lookout for this first, very nasty CRYPTO VIRUS!
P.S. I wonder if this virus was from a spam-gang?!
P.P.S. Check out my bloglog in my sig!
Mr. Billy B. Bilano, MSCE, CCNA
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
Full-Disclosure - We believe in it.