Message-ID: <200406081710.i58HAYv09475@netsys.com>
From: dila at myrealbox.com (dila)
Subject: Possible First Crypto Virus Definitely Discovered!
j00 d0nt f00l u5
"Billy B. Bilano" <mr.bill.bilano@...il.server.unix.bill.bilano.biz> wrote:
>
>Salutations, amigos!
>
>Bill Bilano here, reporting in from the front-lines! I've got some
>disturbing news that I've got to get some answers about while I share. I
>think we're about to come under full hacker attack at any second! And to
>those people that said us folks talking about crypto viruses were being
>chicken littles... let me tell you, the sky just fell! And it is HEAVY!
>
>I was sitting at my desk doing more research on the OPENBSD virus I
>discovered last week. I was watching ethereal and monitoring the traffic
>coming in and out of the facility and I saw a ton of traffic coming straight
>for our web servers! The routers, firewalls, and intrusion detraction
>systems were not sounding the red alarms like they should have been (we'll
>get to THAT one later).
>
>There appears to be a new virus in town and it's affecting Windows and UNIX
>web servers! I have not identified a pattern of infection yet but the virus
>is clearly advancing but it only affects web servers!
>
>The virus works on port 443. It seems to accept inbound connections on that
>port as well and, presumably, awaits commands from some series of
>servers elsewhere. Perhaps taking orders? I also captured some of the
>traffic and attempted to analyze it up but it looks like -- you heard it
>here first, folks -- the payload is encrypted! Is this the first of a coming
>storm of crypto viruses we've all been eagerly fearing? (I have already sent
>a copy of the payload to the distributed.net people so they can try to use
>some of those wasting cycles to decipher it like they did the last one!)
>
>I have taken the liberty of naming the virus already. I looked in
>etc/services and saw that this port is for something called "ssl"
>so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
>thing!)
>
>I called in our webmaster and showed him the data. He is either too stupid
>to know what's going on or he takes me for a fool. I got him in the
>conference room and showed him the printouts. He tried to convince me it
>was not a virus and just normal web traffic but web traffic is on port 80!
>No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
>his marching orders. I have no time for this kind of bull, what with the
>OPENBSD virus last week (still picking up the pieces there). He must have
>known I was on to him because he was just laughing on his way out the front
>door. He may have even been involved with the infection! Good riddance,
>chump!
>
>At any rate, this is your heads up, folks! You heard it here first! Be on
>the lookout for this first, very nasty CRYPTO VIRUS!
>
>P.S. I wonder if this virus was from a spam-gang?!
>
>P.P.S. Check out my bloglog in my sig!
>
>--------
>Mr. Billy B. Bilano, MSCE, CCNA
><http://www.bilano.biz/>
>Expert Sysadmin Since 2003!
>'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
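The check the quoted capture analysis never performed, as an added example that is not from this thread or from any real capture: the first bytes of a TCP payload on port 443 are a TLS handshake record with a plaintext header, and a ClientHello even carries the server name in the clear, so "encrypted payload on 443" identifies itself as ordinary HTTPS. The sample ClientHello is constructed inline (assumed TLS 1.0-1.2 record layout, hypothetical host name).

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed sample (not a real capture): a minimal TLS 1.2 ClientHello with SNI."""
    name = host.encode("ascii")
    name_list = struct.pack("!BH", 0, len(name)) + name          # name_type host_name(0)
    sni_body = struct.pack("!H", len(name_list)) + name_list
    exts = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)               # client_version, random
            + b"\x00"                             # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00"                         # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def classify_payload(data: bytes) -> dict:
    """Identify a TLS handshake record and pull the plaintext SNI out of a ClientHello."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return {"protocol": "unknown"}            # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return {"protocol": "tls", "message": "not ClientHello"}
    version = hs[4:6].hex()                       # e.g. "0303" = TLS 1.2
    pos = 6 + 32                                  # skip client_version and random
    pos += 1 + hs[pos]                            # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                            # compression_methods
    sni = None
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                        # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                sni = hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    return {"protocol": "tls", "message": "ClientHello", "version": version, "sni": sni}

if __name__ == "__main__":
    print(classify_payload(build_client_hello("www.example.com")))
    print(classify_payload(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
```

Run against the first segment of a suspicious flow from a capture; a result of "tls" with a recognisable SNI is the webmaster's "normal web traffic", while "unknown" is what actually warrants a closer look.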