Date: Wed, 06 Nov 2013 22:02:23 -0800
From: Jack Johnson <jack@...l.umbrellix.tk>
To: Full-Disclosure@...ts.grok.org.uk
Subject: I'm new here, and I already have something to share

It is a user-friendly report about a new worm/rootkit (it only goes into worm mode when UUCP is active) that is able to wreak havoc on any system that it infects, but has not yet done so.

This report does drop dox, since it mentions the handle of an EFNet user. However, all it is is a description of a currently active rootkit.

Xplatform.JPreskit rootkit

User-friendly report written by Jack Johnson
'j4jackj' on EFNet

	DESCRIPTION
This newest infection is a rootkit spread by weak passwords and duff links. It was made by an EFNetter called JPres. He originally developed it on the BeOS, but it is able to strike every operating system that has actual use in the world.

	THREAT LEVEL
This threat is terminal, for once a computer is infected, if you isolate it, the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk on which / resides.

It is able to infect Windows, ia32 and amd64 architectures; Debian and RHEL, 32 and 64; and the BeOS, PowerPC and Intel.

Threat activation is manual, by an unsuspecting user or by the master using a weak password via SSH and RSH.

	PAYLOAD DELIVERY
Payload delivery, once the rootkit is on the computer, is by Pastebin.com. Payloads are encrypted and base64-encoded. It is unknown which encryption method from those available in a default (insert form of UNIX here) install is used.

The format for payload titles is @tagYYYYMMDDSS, where YYYYMMDDSS is a serial number determining the time of execution, and tag is the tag of the rooted machine.

	BEHAVIOUR
On UNIX systems, when UUCP is enabled, this rootkit is also a worm. This rootkit/worm is able to morph by the master issuing commands to the worm.

	RECOMMENDED ACTION
You must back up and reinstall. This rootkit may still be present after a reinstall if you moved your files to the new installation.

	PREVENTION
In the future, do not allow anonymous SSH into your computer, unless for things like UUCP. This will prevent future reinfection.

Thank you for reading this report as a matter of urgency.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
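The prevention advice in the post above comes down to not exposing password-guessable SSH logins. As an added example that is not part of the original post or of any tool it mentions, the POSIX shell below audits an sshd_config for the settings a weak-password SSH worm would rely on (PasswordAuthentication, PermitEmptyPasswords, PermitRootLogin). The sample config contents, file names and the helper names (sshd_directive, audit_sshd_config, write_weak_sample, write_hardened_sample) are constructed here for illustration; the only facts assumed about OpenSSH are that the first uncommented occurrence of a directive wins, that directives after a Match line are conditional, and that PasswordAuthentication defaults to yes when unset.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# password-based SSH access the report blames for infection. Sample configs,
# paths and function names are constructed here for illustration.

# Effective global value of a directive in file $1, lowercased. sshd takes the
# first uncommented occurrence, and anything after a Match line is conditional,
# so the scan stops there (Match-scoped overrides are not audited).
sshd_directive() {
    awk -v d="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(d)   { print tolower($2); exit }
    ' "$1"
}

# Print each weak setting found in config $1; return 1 if any, else 0.
audit_sshd_config() {
    cfg=$1
    weak=0
    pw=$(sshd_directive "$cfg" PasswordAuthentication)
    # OpenSSH defaults PasswordAuthentication to yes when it is not set at all.
    case "${pw:-yes}" in
        yes) echo "$cfg: PasswordAuthentication yes (set it to no and use keys)"; weak=1 ;;
    esac
    case "$(sshd_directive "$cfg" PermitEmptyPasswords)" in
        yes) echo "$cfg: PermitEmptyPasswords yes (blank passwords accepted)"; weak=1 ;;
    esac
    case "$(sshd_directive "$cfg" PermitRootLogin)" in
        yes) echo "$cfg: PermitRootLogin yes (root reachable by password)"; weak=1 ;;
    esac
    return $weak
}

# Constructed sample: the kind of config a weak-password worm needs.
write_weak_sample() {
    cat > "$1" <<'EOF'
# sshd_config (constructed weak example)
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
# PasswordAuthentication left unset, so the default (yes) applies
EOF
}

# Constructed sample: the hardened counterpart. The Match block shows how a
# single account (here a hypothetical uucp user) can keep password login
# while the global setting stays off; the audit checks only the global value.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# sshd_config (constructed hardened example)
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
Match User uucp
    PasswordAuthentication yes
EOF
}

# Demo against the constructed samples only, never against a live host.
demo() {
    d=$(mktemp -d)
    write_weak_sample "$d/weak.conf"
    write_hardened_sample "$d/hardened.conf"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        if audit_sshd_config "$f"; then echo "$f: ok"; fi
    done
    rm -rf "$d"
}
demo
```

To audit a real host, call audit_sshd_config /etc/ssh/sshd_config and treat a non-zero exit as a finding; remember that the check reads only the global section, so Match blocks and any files pulled in by Include still need a manual look.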
