Message-ID: <4BCFEFE94E59DB4D83215DA00C3C61E76158EF@frodo.pyron.com>
From: sboone at pyrontechnologies.com (Steve Boone)
Subject: Possible First Crypto Virus Definitely Discovered!

How about renaming it to w32@....id10.t?  More fitting methinks.  :-)

-----Original Message-----
From: Billy B. Bilano [mailto:mr.bill.bilano@...il.server.unix.bill.bilano.biz]
Sent: Tuesday, June 08, 2004 9:53 AM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!


Salutations, amigos!

Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!

I was sitting at my desk doing more research on the OPENBSD virus I
discovered last week. I was watching ethereal and monitoring the traffic
coming in and out of the facility and I saw a ton of traffic coming
straight for our web servers! The routers, firewalls, and intrusion
detraction systems were not sounding the red alarms like they should
have been (we'll get to THAT one later).

There appears to be a new virus in town and it's affecting Windows and
UNIX web servers! I have not identified a pattern of infection yet but
the virus is clearly advancing but it only affects web servers!

The virus works on port 443. It seems to accept inbound connections on
that port as well and, presumably, awaits for commands from some series
of servers elsewhere. Perhaps taking orders? I also captured some of the
traffic and attempted to analyze it up but it looks like -- you heard it
here first, folks -- the payload is encrypted! Is this the first of a
coming storm of crypto viruses we've all been eagerly fearing? (I have
already sent a copy of the payload to the distributed.net people so they
can try to use some of those wasting cycles to decipher it like they did
the last one!)

I have taken the liberty of naming the virus already. I looked in
etc/services and saw that this port is for and it is something called
"ssl" so I am calling it w32.ssl.b (b for bilano, since I discovered this
wretched thing!)

I called in our webmaster and showed him the data. He is either too
stupid to know what's going on or he takes me for a fool. I got him in
the conference room and showed him the printouts. He tried to convince
me it was not a virus and just normal web traffic but web traffic is on
port 80! No fooling old Bill! LOL! So I told him to gather his stuff up
and gave him his marching orders. I have no time for this kind of bull,
what with the OPENBSD virus last week (still picking up the pieces
there). He must have known I was on to him because he was just laughing
on his way out the front door. He may have even been involved with the
infection! Good riddance, chump!

At any rate, this is your heads-up, folks! You heard it here first! Be
on the lookout for this first, very nasty CRYPTO VIRUS!

P.S. I wonder if this virus was from a spam-gang?!

P.P.S. Check out my bloglog in my sig!

--------
Mr. Billy B. Bilano, MSCE, CCNA
<http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

