[iwar] [fc:New.Linux.Backdoor.Virus.Gains.Smarts]

From: Fred Cohen (fc@all.net)
Date: 2002-01-07 17:17:45


To: iwar@onelist.com (Information Warfare Mailing List)

New Linux Backdoor Virus Gains Smarts
By Brian McWilliams, Newsbytes, 1/7/2002
http://www.newsbytes.com/news/02/173408.html

A new and more dangerous version of a remote-control virus that targets
computers running the Linux operating system may be in the wild, but
security experts do not expect the malicious code to spread widely. 
According to preliminary analyses, the virus appears to be a "smarter"
variant of the Remote Shell Trojan (RST), discovered last September,
that infects programs written for Linux, an alternative to Microsoft's
Windows. 
Managed security provider Qualys obtained a copy of one new variant last
month from an "outside source," according to Gerhard Eschelbeck, vice
president of engineering. Qualys will release a detailed advisory, along
with detection and cleaning tools next week for the new virus, which it
has labeled RST.b. 
Like the initial RST, the new variant identified by Qualys is designed
to infect binary files in the Linux Executable and Linking Format (ELF)
and create a "back door" on an infected system that gives a remote
attacker full control. 
But Eschelbeck said RST.b is more dangerous than its predecessor because
it contains a payload that turns the infected machine into a network
"sniffer" that enables the virus to identify and use any open port for
communication. 
"The sniffer function allows the backdoor process to listen for any
types of packets coming from any type of UDP port. This is an
interesting but dangerous methodology we have not seen before," he said. 
Qualys' findings differ somewhat from a separate analysis of a new RST
variant identified last month by an independent security researcher who
uses the nickname Lockdown. 
According to Lockdown's analysis, the virus relies on the less common
exterior gateway protocol (EGP) instead of the user datagram protocol
(UDP). Lockdown said he discovered the virus on a "wargame box," a
system used for hacking experiments. 
Ryan Russell, incident handler for SecurityFocus, confirmed Lockdown's
analysis in a posting last week to Focus-Virus, an e-mail list operated
by the security consulting and information firm. 
The differences between the samples obtained by Qualys and Lockdown
raise the possibility that "we may be dealing with two different new
variants of RST," said Russell. 
Qualys and SecurityFocus are attempting to reconcile the different
conclusions about the virus samples, and will share the code with
anti-virus vendors, Eschelbeck said. 
According to Lockdown, the new RST attempts to connect to port 80 on a
server operated by iGlobalSales.Com of Seattle, Wa., apparently in an
effort to upload the Internet address of the infected system. The server
was still responding this afternoon. 
Representatives of the Internet service provider were not immediately
available for comment. 
To date there have been "limited" reports of the new RST variant in the
wild, according to Eschelbeck. To replicate, the virus requires users to
run an infected program from an account with "root" permissions. Upon
execution, the infected program will attempt to spread the virus to all
ELF files on the local system, he said. 
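The replication described above rewrites existing ELF binaries, so a hash baseline of ELF files taken while the system is known-good exposes such changes on a later scan, even without a signature for the particular variant. The following Python script is an added example, not code from the article or from Qualys' advisory tools; the scan root, the sample "tool" binary and the appended bytes are constructed for the demo.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"  # the first four bytes of every ELF file

def is_elf(data: bytes) -> bool:
    """True if the bytes begin with the ELF magic number."""
    return data[:4] == ELF_MAGIC

def scan_elf_tree(root: str) -> dict:
    """Map relative path -> SHA-256 for every regular ELF file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # skip symlinks so a target is not hashed twice
            with open(path, "rb") as f:
                data = f.read()
            if is_elf(data):
                hashes[os.path.relpath(path, root)] = hashlib.sha256(data).hexdigest()
    return hashes

def compare_baseline(baseline: dict, current: dict) -> dict:
    """Report ELF files whose hash changed, that appeared, or that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then alter one ELF file."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        # constructed sample: a 64-byte ELF header with no code, not a real program
        with open(os.path.join(bin_dir, "tool"), "wb") as f:
            f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
        with open(os.path.join(bin_dir, "README"), "wb") as f:
            f.write(b"not an ELF file\n")  # non-ELF files are ignored by the scan
        baseline = scan_elf_tree(root)
        # stands in for an infector rewriting the binary: any change alters the hash
        with open(os.path.join(bin_dir, "tool"), "ab") as f:
            f.write(b"<constructed appended bytes>")
        return compare_baseline(baseline, scan_elf_tree(root))
```

In practice the baseline would be written to read-only or off-host storage and re-scanned on a schedule, since an infector running as root can also overwrite a baseline kept on the same system.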
Unlike some Windows-based viruses that travel like wildfire using
vulnerabilities in Microsoft's Outlook e-mail program, the new RST
variant is unlikely to spread widely, according to Russell. 
Although many Linux users do not run anti-virus software, they are
generally more sophisticated about security threats and are unlikely to
click on executable e-mail attachments, he said. 
However, Russell said it would be "dead simple" to attach the virus to a
useful program, such as a tool that exploits a security hole, and
beguile some users into running it. What's more, a malicious user could
upload the virus to a Linux download library. 
"What happens if this thing finds its way onto a popular download site
of some sort? SourceForge would be a particularly bad one. Most people
will only download source code, but there are lots of binary files
available too," he said. 
Uriah Welcome, an administrator for the popular SourceForge repository
of open source programs for Linux, said the unit of VA Software
Corporation does not scan files uploaded to the site for viruses. 
"It is the duty of the project maintainer to make sure that their files
are free of virii ... it would be trivial for us to add something like
this, (but) it's just not something anyone has ever asked for," he said. 
Qualys is on the Web at http://www.qualys.com 


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2002-12-31 02:15:02 PST