Message-ID: <0cd101c6350f$28f14580$0100a8c0@nuclearwinter>
Date: Sun Feb 19 04:43:35 2006
From: fd at g-0.org (GroundZero Security)
Subject: new linux malware

oh my god this is a stone old DoS irc bot.
you can find the source on packetstorm :P
it's by no means "new", maybe it has been modified
by some kid that changed the printf()'s, but this is
no news at all.

-sk

http://www.groundzero-security.com
----- Original Message ----- 
From: "Gadi Evron" <ge@...uxbox.org>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Saturday, February 18, 2006 11:40 PM
Subject: [Full-disclosure] new linux malware


> Today, we received a notification about a new Linux malware ItW (In the 
> Wild).
> 
> Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver 
> (http://www.shadowserver.org/) and Nicholas Alright who notified the 
> relevant operational communities, with the information on the binaries. 
> He captured them with sguil (http://sguil.sourceforge.net/).
> 
> Chas is working with Shadowserver to identify better ways to 
> trackdown/takedown botnets.
> 
> *The credit should go to him and Shadowserver*.
> 
> Shadowserver has been a responsible and essential part of recent 
> Internet security activities.
> 
> As anti-virus vendors have been notified and will soon do a write-up on it,
> I see no reason not to publicize it here.
> 
> MD5:
> c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
> e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session
> 
> We are not quite sure as of yet exactly what this does, it can be a 
> Linux virus, a Linux Trojan horse, a Linux worm... we are not even sure 
> if the checksums above are useful at all. We hope to know more soon and 
> we will update as we do.
> 
> There are some interesting strings to be noted:
> 
> NOTICE %s :TSUNAMI <target> <secs>        = Special packeter that wont be blocked by most firewalls
> NOTICE %s :PAN <target> <port> <secs>     = An advanced syn flooder that will kill most network drivers
> NOTICE %s :UDP <target> <port> <secs>     = A udp flooder
> NOTICE %s :UNKNOWN <target> <secs>        = Another non-spoof udp flooder
> NOTICE %s :NICK <nick>                    = Changes the nick of the client
> NOTICE %s :SERVER <server>                = Changes servers
> NOTICE %s :GETSPOOFS                      = Gets the current spoofing
> NOTICE %s :SPOOFS <subnet>                = Changes spoofing to a subnet
> NOTICE %s :DISABLE                        = Disables all packeting from this client
> NOTICE %s :ENABLE                         = Enables all packeting from this client
> NOTICE %s :KILL                           = Kills the client
> NOTICE %s :GET <http address> <save as>   = Downloads a file off the web and saves it onto the hd
> NOTICE %s :VERSION                        = Requests version of client
> NOTICE %s :KILLALL                        = Kills all current packeting
> NOTICE %s :HELP                           = Displays this
> NOTICE %s :IRC <command>                  = Sends this command to the server
> NOTICE %s :SH <command>                   = Executes a command
> 
> 'session', current detection:
> AntiVir 6.33.1.50/20060218 found [BDS/Katien.R]
> Avast 4.6.695.0/20060216 found nothing
> AVG 718/20060217 found nothing
> Avira 6.33.1.50/20060218 found [BDS/Katien.R]
> BitDefender 7.2/20060218 found nothing
> CAT-QuickHeal 8.00/20060216 found nothing
> ClamAV devel-20060126/20060217 found nothing
> DrWeb 4.33/20060218 found nothing
> eTrust-InoculateIT 23.71.80/20060218 found nothing
> eTrust-Vet 12.4.2086/20060217 found nothing
> Ewido 3.5/20060218 found nothing
> Fortinet 2.69.0.0/20060218 found nothing
> F-Prot 3.16c/20060217 found nothing
> Ikarus 0.2.59.0/20060217 found [Backdoor.Linux.Keitan.C]
> Kaspersky 4.0.2.24/20060218 found [Backdoor.Linux.Keitan.c]
> McAfee 4700/20060217 found [Linux/DDoS-Kaiten]
> NOD32v2 1.1413/20060217 found nothing
> Norman 5.70.10/20060217 found nothing
> Panda 9.0.0.4/20060218 found nothing
> Sophos 4.02.0/20060218 found nothing
> Symantec 8.0/20060218 found [Backdoor.Kaitex]
> TheHacker 5.9.4.098/20060218 found nothing
> UNA 1.83/20060216 found nothing
> VBA32 3.10.5/20060217 found nothing
> 
> 'derfiq' current detection:
> AntiVir 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
> Avast 4.6.695.0/20060216 found nothing
> AVG 718/20060217 found nothing
> Avira 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
> BitDefender 7.2/20060218 found nothing
> CAT-QuickHeal 8.00/20060216 found nothing
> ClamAV devel-20060126/20060217 found nothing
> DrWeb 4.33/20060218 found nothing
> eTrust-InoculateIT 23.71.80/20060218 found nothing
> eTrust-Vet 12.4.2086/20060217 found nothing
> Ewido 3.5/20060218 found nothing
> Fortinet 2.69.0.0/20060218 found nothing
> F-Prot 3.16c/20060217 found nothing
> Ikarus 0.2.59.0/20060217 found [Net-Worm.Linux.Lupper.B]
> Kaspersky 4.0.2.24/20060218 found nothing
> McAfee 4700/20060217 found nothing
> NOD32v2 1.1413/20060217 found nothing
> Norman 5.70.10/20060217 found nothing
> Panda 9.0.0.4/20060218 found nothing
> Sophos 4.02.0/20060218 found nothing
> Symantec 8.0/20060218 found [Hacktool]
> TheHacker 5.9.4.098/20060218 found nothing
> UNA 1.83/20060216 found nothing
> VBA32 3.10.5/20060217 found nothing
> 
> This write-up can be found here:
> http://blogs.securiteam.com/index.php/archives/303
> 
> We will notify as we get new updates here:
> http://blogs.securiteam.com
> 
> Gadi.
> 
> -- 
> http://blogs.securiteam.com/
> 
> "Out of the box is where I live".
> -- Cara "Starbuck" Thrace, Battlestar Galactica.
> 
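A defender-side triage check built from the indicators in the thread above, as an added example that is not part of either message: it compares a file against the two posted MD5 values and, because the reply notes the strings may have been edited and the original post doubts the checksums, also counts how many of the quoted `NOTICE %s :<CMD>` help strings are present. The `MIN_VERBS` threshold and both input blobs are assumptions constructed for illustration.

```python
import hashlib
import re

# MD5 values quoted in the post for the two captured samples.
POSTED_MD5 = {
    "c2576aeff0fd9267b6cc3a7e1089e05d": "derfiq",
    "e9a2b13fe02d013cc5e11ee586d11c38": "session",
}
# Command verbs from the "NOTICE %s :<CMD>" help strings quoted in the post.
COMMANDS = {
    b"TSUNAMI", b"PAN", b"UDP", b"UNKNOWN", b"NICK", b"SERVER", b"GETSPOOFS",
    b"SPOOFS", b"DISABLE", b"ENABLE", b"KILL", b"GET", b"VERSION", b"KILLALL",
    b"HELP", b"IRC", b"SH",
}
HELP_RE = re.compile(rb"NOTICE %s :([A-Z]+)")
MIN_VERBS = 5  # assumption: distinct verbs required before a string-based flag


def scan(data: bytes) -> dict:
    """Check one file's bytes against the posted hashes and help strings."""
    md5 = hashlib.md5(data).hexdigest()
    # Keep only verbs that appear in the posted help text; ignore other NOTICEs.
    verbs = {m.group(1) for m in HELP_RE.finditer(data)} & COMMANDS
    return {
        "md5": md5,
        "known_sample": POSTED_MD5.get(md5),  # sample name on exact-hash hit
        "verbs": sorted(v.decode() for v in verbs),
        "suspicious": md5 in POSTED_MD5 or len(verbs) >= MIN_VERBS,
    }


# Constructed inputs (not the real samples). The first imitates a rebuilt
# variant: the hash differs from the posted ones but help strings remain.
CONSTRUCTED_VARIANT = b"\x7fELF\x01\x01\x00" + b"\x00".join([
    b"NOTICE %s :TSUNAMI <target> <secs>",
    b"NOTICE %s :PAN <target> <port> <secs>",
    b"NOTICE %s :UDP <target> <port> <secs>",
    b"NOTICE %s :GETSPOOFS",
    b"NOTICE %s :KILLALL",
    b"NOTICE %s :SH <command>",
])
# The second imitates an ordinary IRC program with one overlapping string.
CONSTRUCTED_BENIGN = b"irc client\x00NOTICE %s :HELP is not available\x00"

if __name__ == "__main__":
    for name, blob in (("variant", CONSTRUCTED_VARIANT),
                       ("benign", CONSTRUCTED_BENIGN)):
        print(name, scan(blob))
```

A string-based hit only says the file carries this help text; a build with the strings rewritten or packed would pass both checks.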
