Re: virus/worm hacker attack

From: Richard Steven Hack (richardhack@SPAMHELLNOznet.com)
Date: 09/16/02


From: Richard Steven Hack <richardhack@SPAMHELLNOznet.com>
Date: Sun, 15 Sep 2002 17:18:07 -0700

On Sun, 15 Sep 2002 18:56:26 GMT, "N. O. Spam" <nospam@NOSPAM.com>
wrote:

>A root kit goes beyond virus. You did not fix the hole, you only closed
>1 door. While the hole was open, the cracker added new holes. It isn't
>quite a virus, because you can email a virus or sneak it in...the root
>kit required finding another hole first to gain root privileges, and
>only then could it be added. If it had emailed to you and had itself
>bypassed security, you could call it a virus.

Well, no, that is a worm. A virus merely has to infect an executable
to be a virus. What we have here is what they are calling a "blended
attack" - an attack that combines the capabilities of a worm, a virus,
and perhaps a trojan (this situation was supposed to allow remote DOS
capability for the cracker, I think.)

See my response elsewhere - I was reading about rst.b just recently
with regard to the argument going on in alt.os.linux.mandrake about
viruses. This virus is indeed a blended attack that uses a root
exploit to deliver itself like a worm, then infects other files on the
system like a virus, and then opens channels to other systems as a
trojan.

Here is the article from vnunet.com:
====================================================
Rare Linux virus on the loose
By James Middleton [03-01-2002]
 
'RST.b' similar to Remote Shell Trojan found in October
It has emerged in the last week that another of those rare Linux
viruses may be on the loose. And this one has strong similarities to
October's Remote Shell Trojan (RST) that was largely dismissed by the
Linux community. In a posting to a security mailing list at the end of
December, SecurityFocus brought 'RST.b' to the internet community's
attention.

The researchers warned that the culprit carrying the virus is likely
to be "some exploit being passed around, possibly a Secure Shell one".
Linux users are advised not to run exploits from unknown sources.

Once it has gained a foothold into the system, it installs a back door
and attempts to escalate its permissions to root privileges.

The basic differences to the October version are that the new virus
tries to communicate with a machine on a different IP address to the
original RST, and the backdoor operates on the Exterior Gateway
Protocol instead of the User Datagram Protocol.

Like the original RST, the virus infects binary files in the Linux
Executable and Linking Format (ELF).

RST.b infects the start address in ELF headers with an address that
points to its own code. So when an infected program is run, a parent
string forks off to run the original code so as to avoid suspicion,
while a child string "takes care of the evil stuff", according to
researchers at Lockeddown.net.

"Not only do we have a virus spreading, but it is opening up the
infected boxes to attackers," they added.

A SecurityFocus researcher who attempted to contact the host of the
web server that had infected the machines said: "The response I got
indicated that 'his account was terminated a few weeks ago'. I
received no response to a later request for clarification."
=======================================================

-- 
The Master

"Whatever does not kill me makes me stronger" - and YOU have not killed me!

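The quoted article describes the RST.b infection mechanism: the entry address in the ELF header is overwritten so it points at the virus's own code, which then forks and hands the original program to the parent. A simple defensive check follows from that description: a legitimate entry point should lie inside an executable section of the binary (normally `.text`), so an `e_entry` that points outside every executable section is worth flagging. The code below is an added example written for this page, not code from the post or from any of the researchers it quotes. It builds a minimal, constructed ELF64 image inline (no real binary is needed), parses the ELF and section headers with the standard `struct` module, and reports whether the entry point falls inside an executable section; the "infected" sample simply has its entry redirected to bytes appended after the section headers, which is the shape of redirection the article describes.

```python
"""Heuristic ELF entry-point check (added example; constructed sample data).

A prepending/appending infector of the RST family rewrites e_entry so the
first code to run is its own. Here we parse the ELF64 header and section
table and ask: does e_entry land inside a section flagged SHF_EXECINSTR?
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
SHF_EXECINSTR = 0x4          # section contains machine code
SHT_PROGBITS, SHT_STRTAB = 1, 3


def parse_elf64(data: bytes) -> dict:
    """Return the entry address and a list of section descriptors."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    # Ehdr layout: e_entry @24, e_phoff @32, e_shoff @40 (all 8 bytes),
    # e_shentsize @58, e_shnum @60, e_shstrndx @62 (all 2 bytes).
    e_entry, _e_phoff, e_shoff = struct.unpack_from("<QQQ", data, 24)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 58)

    raw = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        # Shdr: sh_name, sh_type (4 bytes each), then sh_flags, sh_addr,
        # sh_offset, sh_size (8 bytes each); the rest is not needed here.
        name_idx, sh_type, flags, addr, sh_off, size = struct.unpack_from(
            "<IIQQQQ", data, off)
        raw.append((name_idx, sh_type, flags, addr, sh_off, size))

    # Resolve section names through the section-name string table.
    strtab = b""
    if e_shnum and e_shstrndx < e_shnum:
        _, _, _, _, so, ss = raw[e_shstrndx]
        strtab = data[so:so + ss]
    sections = []
    for name_idx, sh_type, flags, addr, sh_off, size in raw:
        name = strtab[name_idx:].split(b"\x00", 1)[0].decode("ascii", "replace")
        sections.append({"name": name, "type": sh_type, "flags": flags,
                         "addr": addr, "offset": sh_off, "size": size})
    return {"entry": e_entry, "sections": sections}


def check_entry_point(data: bytes) -> dict:
    """Flag an entry point that lies outside every executable section."""
    elf = parse_elf64(data)
    entry = elf["entry"]
    execs = [s for s in elf["sections"]
             if s["flags"] & SHF_EXECINSTR and s["size"]]
    if not execs:
        # Stripped section tables are common; a fuller scanner would fall
        # back to PT_LOAD segments with PF_X here.
        return {"suspicious": None, "entry": entry, "section": None,
                "reason": "no executable sections to compare against"}
    hit = next((s for s in execs
                if s["addr"] <= entry < s["addr"] + s["size"]), None)
    if hit is None:
        return {"suspicious": True, "entry": entry, "section": None,
                "reason": "e_entry is outside every executable section"}
    return {"suspicious": False, "entry": entry, "section": hit["name"],
            "reason": "e_entry is inside " + hit["name"]}


def build_sample_elf(entry: int, extra: bytes = b"") -> bytes:
    """Construct a tiny ELF64 image: header, .text, .shstrtab, section table.

    This is hand-built sample data for the example, not a real program.
    `extra` is appended after the section table to stand in for injected code.
    """
    text = b"\x90" * 15 + b"\xc3"                # placeholder x86-64 bytes
    text_off = 64                                # right after the Ehdr
    text_vaddr = 0x400000 + text_off
    shstrtab = b"\x00.text\x00.shstrtab\x00"     # name offsets: 1 and 7
    shstr_off = text_off + len(text)
    shoff = shstr_off + len(shstrtab)
    pad = (-shoff) % 8                           # 8-byte align the table
    shoff += pad

    def shdr(name, typ, flags, addr, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size,
                           0, 0, 1, 0)

    table = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, SHF_EXECINSTR | 0x2, text_vaddr,
                    text_off, len(text))
             + shdr(7, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab)))
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, entry, 0, shoff,
                               0, 64, 56, 0, 64, 3, 2)
    return ehdr + text + shstrtab + bytes(pad) + table + extra


if __name__ == "__main__":
    clean = build_sample_elf(0x400040)
    tampered = build_sample_elf(0x401000, extra=b"\xcc" * 32)
    for label, img in (("clean", clean), ("tampered", tampered)):
        print(label, check_entry_point(img))
```

On a real system you would read each binary from disk and feed it to `check_entry_point`; a `suspicious: True` result on a file the package manager installed is a reason to compare it against the package's recorded checksum. The check is a heuristic, not proof: section headers can be stripped or forged, and a more careful scanner compares the entry point against the executable `PT_LOAD` segment in the program header table as well, since the loader uses segments rather than sections.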