lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 06 Nov 2013 22:02:23 -0800 From: Jack Johnson <jack@...l.umbrellix.tk> To: Full-Disclosure@...ts.grok.org.uk Subject: I'm new here, and I already have something to share It is a user friendly report about a new worm/rootkit (only goes into worm mode when UUCP is active) that is able to, but has not yet, wreaked havoc on any system that it infects. This report does drop dox, since it mentions the handle of an EFNet user. However, all it is is a description of a currently-active rootkit. Xplatform.JPreskit rootkit User friendly report written by Jack Johnson 'j4jackj' on EFNet DESCRIPTION This newest infection is a rootkit spread by weak passwords and duff links. It was made by an EFNetter called JPres. He originally developed it on the BeOS but it is able to strike every operating system that has actual use in the world. THREAT LEVEL This threat is terminal, for once a computer is infected, if you isolate it, the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk on which / resides. It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL 32 and 64, and the BeOS, PowerPC and Intel. Threat activation is manually, by an unsuspecting user or by the master using a weak password via SSH and RSH. PAYLOAD DELIVERY Payload delivery once the rootkit is on the computer is by Pastebin.com. Payloads are encrypted and base64 encoded. It is unknown which encryption method from those available in a default (insert form of UNIX here) install is used. The format for payload titles is @tagYYYYMMDDSS where YYYYMMDDSS is a serial number determining the time of execution, and tag is the tag of the rooted machine. BEHAVIOUR On UNIX systems, when UUCP is enabled, this rootkit is also a worm. This rootkit/worm is able to morph by the master issuing commands to the worm. RECOMMENDED ACTION You must back up and reinstall. This rootkit may still be present after a reinstall, if you moved your files to the new installation. PREVENTION In the future, do not allow anonymous SSH into your computer, unless for things like UUCP. This will prevent future reinfection. Thank you for reading this report as a matter of urgency. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists