lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Possible First Crypto Virus Definitely Discovered!

Bill,

>From your post, you don't seem to have a great deal of
detailed information to share about this issue...
 
> The virus works on port 443. 

Wouldn't it then be, by definition, a worm?

> It seems to accept inbound connections on that
> port as well and, presumably, awaits for commands
> from some series of
> servers elsewhere. Perhaps taking orders? 

What information do you have to support this
assumption?

> I also captured some of the
> traffic and attempted to analyze it up but it looks
> like -- you heard it
> here first, folks -- the payload is encrypted!

If this worm runs over SSL, as you say, then wouldn't
you expect it to be encrypted?  

> Is this the first of a coming
> storm of crypto viruses we've all been eagerly
> fearing? 

Is it?
http://www.us-cert.gov/current/current_activity.html#pct

http://www.cert.org/advisories/CA-2002-27.html

To be totally honest, Bill, I don't see a great deal
of information in your post that supports any of your
assertions/assumptions.  If this thing is spreading
the way you say it is, then it's a worm.  

Regardless, there isn't any information in your post
that clearly shows that this worm infects both Windows
and Unix hosts.  In fact, one thing that does seem
clear in your post is that you haven't collected any
information from the "infected" hosts, but rather all
you've got so far is network traffic via
Ethereal...and to be honest, any worm running over SSL
is going to be encrypted...
 
> At any rate, this is your heads up, folks! You heard
> it here first! Be on
> the lookout for this first, very nasty CRYPTO VIRUS!

Thanks.  Noted.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ