| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dila at myrealbox.com (dila) Subject: Possible First Crypto Virus Definitely Discovered! j00 d0nt f00l u5 "Billy B. Bilano" <mr.bill.bilano@...il.server.unix.bill.bilano.biz> wrote: > >Salutations, amigos! > >Bill Bilano here, reporting in from the front-lines! I've got some >disturbing news that I've got to get some answers about while I share. I >think we're about to come under full hacker attack at any second! And to >those people that said us folks talking about crypto viruses were being >chicken littles... let me tell you, the sky just fell! And it is HEAVY! > >I was sitting at my desk doing more research on the OPENBSD virus I >discovered last week. I was watching ethereal and monitoring the traffic >coming in and out of the facility and I saw a ton of traffic coming straight >for our web servers! The routers, firewalls, and intrusion detraction >systems were not sounding the red alarms like they should have been (we'll >get to THAT one later). > >There appears to be a new virus in town and it's affecting Windows and UNIX >web servers! I have not identified a pattern of infection yet but the virus >is clearly advancing but it only affects web servers! > >The virus works on port 443. It seems to accept inbound connections on that >port as well and, presumably, awaits for commands from some series of >servers elsewhere. Perhaps taking orders? I also captured some of the >traffic and attempted to analyze it up but it looks like -- you heard it >here first, folks -- the payload is encrypted! Is this the first of a coming >storm of crypto viruses we've all been eagerly fearing? (I have already sent >a copy of the payload to the distributed.net people so they can try to use >some of those wasting cycles to decipher it like they did the last one!) > >I have taken the liberty of naming the virus already. I looked in >etc/services and saw that this port is for and it is something called "ssl" >so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched >thing!) > >I called in our webmaster and showed him the data. He is either too stupid >to know what's going on or he takes me for a fool. I got him in the >conference room and showed him the print outs. He tried to convince me it >was not a virus and just normal web traffic but web traffic is on port 80! >No fooling old Bill! LOL! So I told him to gather his stuff up and gave him >his marching orders. I have no time for this kind of bull, what with the >OPENBSD virus last week (still picking up the pieces there). He must have >known I was on to him because he was just laughing on his way out the front >door. He may have even been involved with the infection! Good riddance, >chump! > >At any rate, this is your heads up, folks! You heard it here first! Be on >the lookout for this first, very nasty CRYPTO VIRUS! > >P.S. I wonder if this virus was from a spam-gang?! > >P.P.S. Check out my bloglog in my sig! > >-------- >Mr. Billy B. Bilano, MSCE, CCNA ><http://www.bilano.biz/> >Expert Sysadmin Since 2003! >'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS > > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists