Re: Systems compromised with ShellBOT perl script - part 2

From: Kirby Angell (kangell_at_alertra.com)
Date: 09/09/04

  • Next message: Andrew Smith: "Re: Odd mail traffic" 
    Date: Thu, 09 Sep 2004 12:19:02 -0500
To: Incidents List <incidents@securityfocus.com>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Sure enough, I ran it as root in my VMWare install and it infected a
    bunch of files in /bin.

    For some reason, tcpdump isn't catching any of the traffic it generates
    though. I've tried it on the host against the vmnet8 interface and from
    within the VM (after chmod'ing /dev/vmnet). I'm going to try it again
    with a clean VM install.

    Shashank Rai wrote:
    | Hi Kirby,
    |
    | great work!! is it possible to get the gzipped files? BTW as for doze4
    | ... a scan with f-prot (linux cmd line edition) identifies it as
    | "Infection: Unix/RST.B". An online scan on
    | http://www.kaspersky.com/remoteviruschk.html also identifies doze4 as
    | Linux.RST.b
    | Here is Spohos description of RST.B (from
    | http://www.sophos.com/virusinfo/analyses/linuxrstb.html):
    | ------
    | Linux/Rst-B will attempt to infect all ELF executables in the current
    | working directory and the directory /bin
    |
    | If Linux/Rst-B is executed by a privileged user then it may attempt to
    | create a backdoor on the system. This is achieved by opening a socket
    | and listening for a particular packet containing details about the
    | origin of the attacker and the command the attacker would like to
    | execute on the system.
    | -----------

    - --
    Thank you,

    Kirby Angell
    Get notified anytime your website goes down!
    http://www.alertra.com
    key: 9004F4C0
    fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFBQJCG21unUZAE9MARAjS4AJsGTKXE6NzWIB/LEhCzOcf6FT+lqgCfVR7I
    VasdVjiLdYO8SA4aXhVDZnQ=
    =rzVd
    -----END PGP SIGNATURE-----

  • Next message: Andrew Smith: "Re: Odd mail traffic"

    Relevant Pages

    • Re: Systems compromised with ShellBOT perl script - part 2
      ... BTW as for doze4 ... | "Infection: Unix/RST.B". ... | Linux/Rst-B will attempt to infect all ELF executables in the current ... Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org ...
      (Incidents)
    • Re: Best Practice in tackling a suspected virus/worm infection? (ms)
      ... the virus instance and left the legitimate ones alone. ... by the hacker after initial infection. ... >executables - do they get infected? ...
      (microsoft.public.security.virus)
    • Re: New Linux Trojan
      ... Subject: New Linux Trojan ... You guys are forgetting the other problem, Buffer Overflows, in SUID executables could in theory ... cause this to be a source of infection as well, ... > This list is provided by the SecurityFocus ARIS analyzer service. ...
      (Incidents)
    • Re: Re:Virus
      ... You could pick a restore point which was already infected, ... files associated with the trojan won't be, nor would executables disguised ... no system restore would not be a ... > infection, then you may have to do a reformat of your hard ...
      (microsoft.public.security.virus)
    • Re: weird symptom - possible infection
      ... if you suspect an infection try looking at the output ... Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
      (Debian-User)