lists.openwall.net | Open Source and information security mailing list archives
From: etomcat at freemail.hu (Feher Tamas)
Subject: raq 550 compromised

>>www.ps-lov.us/pizda.tgz
>>unknown binaries (yet?) named "mumu"
>
>compiled ptrace/kmod exploit (strings mumu).

"Linux.OSF.8759" according to Kaspersky AVP antivirus:
http://www.avp.ch/avpve/newexe/unix/osf8759.stm

This is a virus which combines file infection with enhanced backdoor capabilities, replicating on Linux systems and affecting ELF executables.

The files infected by the virus have their file size increased by 8759 bytes; of them, 3979 belong to the actual virus code while 4662 belong to the code of a backdoor, which the virus attaches to the end of infected files. Although the backdoor code is copied along with the virus, it seems it was designed in such a way that it can be easily replaced with updated versions - the backdoor is not linked into the ELF structure, but is instead 'loaded' and executed by the virus itself. Therefore, 'improved' versions of this virus, especially of the backdoor code, can be expected in the future.

The virus infects all the files in the current directory, but avoids infecting files with names ending in 'ps', e.g. 'steps', or even the popular Unix utility tool 'ps'. The virus will also avoid infecting any files at all if the current directory is "/dev" or "/proc". To improve its chances to spread around, if run from a root account, the virus will also attempt to infect the executables from the "/bin" directory. In all cases, no more than 201 files are infected in one run.

The backdoor found in this version of the virus is listening on UDP port 3049, or if the respective port is not available, it will try to increase the port number until one which can be used is found. The first time the virus is run, it will pass control to the backdoor, and the backdoor will fork an execution thread so it can stay 'resident'. If at a later time the virus is run again, but from a root account, the backdoor will take care to replace itself with a new copy, running under the root context.

Various internal commands are available within the backdoor to directly execute files on the target system or to launch a sniffer and forward the traffic to another machine. One of the commands attempts to edit the firewall rules list and wipe the first entry from there; besides that, there are also checks to find and remove any firewall entries which might prevent it from communicating on the hooked port, or on the port used to communicate with the remote machine in the case of the sniffer.

As a precaution, the virus also attempts to prevent tracing with various debugging utilities by spawning a copy of itself and then trying to debug itself from the spawned copy. If any debugger is already running, these steps will fail, and the virus will immediately terminate execution. Another detail is that if the system uptime is 5 minutes or less, the virus will also terminate execution, probably in order to prevent simple inspection on 'test' machines.
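Two triage checks that follow from the description above, written as an added example for this archive page (not code from the original post, from Kaspersky, or from the virus itself). The first parses /proc/net/udp text for sockets bound at or above the backdoor's starting port, since the description says it begins at UDP 3049 and walks upward when that port is busy. The second models the infection scope (names ending in "ps" skipped, nothing touched from /dev or /proc, at most 201 files per run, /bin added when run as root) so that an integrity check of a compromised host can be scoped. Assumptions not stated on the page and marked as such in the code: the "ps" suffix rule is applied to /bin as well as the current directory, and the 201 cap applies to the combined list. The /proc/net/udp sample is constructed.

```python
"""Triage helpers for the Linux.OSF.8759 description (added example).

Nothing here reproduces the virus; the functions are pure and read no
files unless scan_live() is called explicitly.
"""
import os

BACKDOOR_BASE_PORT = 3049     # starting UDP port per the description
MAX_FILES_PER_RUN = 201       # per-run infection cap per the description
SKIPPED_DIRS = ("/dev", "/proc")

# Constructed sample in /proc/net/udp layout: a DNS socket on 127.0.0.1:53,
# something on 0.0.0.0:3050 (0x0BEA, one above the base port) and DHCP 0.0.0.0:68.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11111 2 0000000000000000 0
   1: 00000000:0BEA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22222 2 0000000000000000 0
   2: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 33333 2 0000000000000000 0
"""


def udp_sockets_at_or_above(proc_net_udp: str, min_port: int = BACKDOOR_BASE_PORT):
    """Return (local_ip, local_port, inode) for every UDP socket whose local
    port is >= min_port. Input is the text of /proc/net/udp, whose
    local_address column is little-endian hex IPv4 followed by hex port."""
    found = []
    for line in proc_net_udp.splitlines()[1:]:      # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        port = int(port_hex, 16)
        if port < min_port:
            continue
        ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])  # undo little-endian
        found.append((ip, port, int(fields[9])))    # fields[9] is the socket inode
    return found


def scan_live(min_port: int = BACKDOOR_BASE_PORT):
    """Read the real /proc/net/udp; raises OSError where it does not exist."""
    with open("/proc/net/udp") as f:
        return udp_sockets_at_or_above(f.read(), min_port)


def files_the_virus_would_touch(cwd: str, entries, is_root: bool, bin_entries=()):
    """Model the infection scope from the description.

    cwd: directory the infected binary was run from; entries: file names in it;
    bin_entries: names in /bin, considered only when is_root.
    Assumptions (not in the description): the "ps" suffix rule also applies
    to /bin, and the 201 cap is applied to the combined list.
    """
    if os.path.normpath(cwd) in SKIPPED_DIRS:
        return []                                    # "avoid infecting any files at all"
    candidates = [os.path.join(cwd, n) for n in entries if not n.endswith("ps")]
    if is_root:
        candidates += [os.path.join("/bin", n) for n in bin_entries if not n.endswith("ps")]
    return candidates[:MAX_FILES_PER_RUN]


if __name__ == "__main__":
    for ip, port, inode in udp_sockets_at_or_above(SAMPLE_PROC_NET_UDP):
        print(f"suspicious UDP listener {ip}:{port} (inode {inode}), check with: ls -l /proc/*/fd | grep {inode}")
    print(files_the_virus_would_touch("/home/user", ["a.out", "steps", "ps"], True, ["ls", "ps"]))
```

A hit from the first check only says a socket sits at or above 3049; legitimate services bind there too, so follow the inode into /proc/*/fd to find the owning process before drawing conclusions. The second function is a scoping aid: verify the listed paths against package checksums (for example rpm -V on a RaQ) rather than trusting file sizes, since the description itself notes the backdoor payload is meant to be swapped for newer versions.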