Re: Possible First Crypto Virus Definitely Discovered!

["VB" <vb () bitsmart com>]

Surely this is a poor attempt at comedy.........
fyi,
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the
security of a message transmission on the Internet. SSL has recently been
succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses
a program layer located between the Internet's Hypertext Transfer Protocol
(HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part
of both the Microsoft and Netscape browsers and most Web server products.
Developed by Netscape, SSL also gained the support of Microsoft and other
Internet client/server developers as well and became the de facto standard
until evolving into Transport Layer Security. The "sockets" part of the term
refers to the sockets method of passing data back and forth between a client
and a server program in a network or between program layers in the same
computer. SSL uses the public-and-private key encryption system from RSA,
which also includes the use of a digital certificate.
TLS and SSL are an integral part of most Web browsers (clients) and Web
servers. If a Web site is on a server that supports SSL, SSL can be enabled
and specific Web pages can be identified as requiring SSL access. Any Web
server can be enabled by using Netscape's SSLRef program library which can
be downloaded for noncommercial use or licensed for commercial use.

TLS and SSL are not interoperable. However, a message sent with TLS can be
handled by a client that handles SSL but not TLS.


----- Original Message ----- 
From: "Billy B. Bilano" <mr.bill.bilano () email server unix bill bilano biz>
To: <full-disclosure () lists netsys com>
Sent: Tuesday, June 08, 2004 1:05 PM
Subject: Re: [Full-disclosure] Possible First Crypto Virus Definitely
Discovered!


> Hi Harlan! Thanks for your reply... hard to make heads or tails of what
you
> are saying though...
>
> > Wouldn't it then be, by definition, a worm?
>
> A worm or whatever you want to call it, that's cool. I just thought
"virus"
> sounds more alarming than worm! Everybody has had a worm or two, but a
virus
> is a tough cookie to crack!
>
>
> > What information do you have to support this
> > assumption?
>
> Because it is attacking our web servers and it seems to have somehow
gotten
> installed on our web servers at the same time! I don't know how it got in,
> but there is traffic going in and out of the servers on port 443 with an
> encrypted payload! I don't know what is answering on port 443 on the web
> servers, but for the life of me I can't find anything on them that looks
> like it's a virus or a worm or a troglodite or anything!
>
>
> > If this worm runs over SSL, as you say, then wouldn't
> > you expect it to be encrypted?
>
> Whatever ssl is, I don't know but it's using the so-called "ssl" port on
the
> web servers. I don't think it has anything to do with whatever ssl was
back
> in the old days of UNIX. It has a lower port number and that means it's an
> older port! Probably from the 1970s!
>
> Besides, why should I see any encrypted traffic on any port other than
SSH?
> I don't expect to see encryption on anything other than the SSH port 22
> (which is a very old port).
>
>
> > Regardless, there isn't any information in your post
> > that clearly shows that this worm infects both Windows
> > and Unix hosts.  In fact, one thing that does seem
> > clear in your post is that you haven't collected any
> > information from the "infected" hosts, but rather all
> > you've got so far is network traffic via
> > Ethereal...and to be honest, any worm running over SSL
> > is going to be encrypted...
>
> But this port 443 is not SSH! Why should it be encrypted? And what is this
> "ssl" thing? I've been in IT for many years and I am now IT Director here
at
> the bank... I would think that I would know what "ssl" would be. I don't
> think this worm has anything to do with whatever "ssl" is. Does anybody
even
> still use ssl? That's probably why the hackers chose it.
>
>
> P.S. Check out my bloglog, Harlan!
>
> --------
> Mr. Billy B. Bilano, MSCE, CCNA
> <http://www.bilano.biz/>
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html