Full Disclosure mailing list archives
Re: new linux malware
From: "GroundZero Security" <fd () g-0 org>
Date: Sun, 19 Feb 2006 05:44:21 +0100
oh my god this is a stone old DoS irc bot. you can find the source on packetstorm :P its by no means "new" maybe it has been modified by some kid that changed the printf()'s, but this is no news at all. -sk http://www.groundzero-security.com ----- Original Message ----- From: "Gadi Evron" <ge () linuxbox org> To: <bugtraq () securityfocus com> Cc: <full-disclosure () lists grok org uk> Sent: Saturday, February 18, 2006 11:40 PM Subject: [Full-disclosure] new linux malware
Today, we received a notification about a new Linux malware ItW (In the Wild). Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver (http://www.shadowserver.org/) and Nicholas Alright who notified the relevant operational communities, with the information on the binaries. He captured them with squil (http://sguil.sourceforge.net/). Chas is working with Shadowserver to identify better ways to trackdown/takedown botnets. *The credit should go to him and Shadowserver*. Shadowserver has been a responsible and essential part of recent Internet security activities. As anti virus vendors have been notified will soon do a write-up on it, I see no reason not to publicize it here. MD5: c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session We are not quite sure as of yet exactly what this does, it can be a Linux virus, a Linux Trojan horse, a Linux worm... we are not even sure if the checksums above are useful at all. We hope to know more soon and we will update as we do. There are some interesting strings to be noted: NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers NOTICE %s :UDP <target> <port> <secs> = A udp flooder NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder NOTICE %s :NICK <nick> = Changes the nick of the client NOTICE %s :SERVER <server> = Changes servers NOTICE %s :GETSPOOFS = Gets the current spoofing NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet NOTICE %s :DISABLE = Disables all packeting from this client NOTICE %s :ENABLE = Enables all packeting from this client NOTICE %s :KILL = Kills the client NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd NOTICE %s :VERSION = Requests version of client NOTICE %s :KILLALL = Kills all current packeting NOTICE %s :HELP = Displays this NOTICE %s :IRC <command> = Sends this command to the server NOTICE %s :SH <command> = Executes a command 'session', current detection: AntiVir 6.33.1.50/20060218 found [BDS/Katien.R] Avast 4.6.695.0/20060216 found nothing AVG 718/20060217 found nothing Avira 6.33.1.50/20060218 found [BDS/Katien.R] BitDefender 7.2/20060218 found nothing CAT-QuickHeal 8.00/20060216 found nothing ClamAV devel-20060126/20060217 found nothing DrWeb 4.33/20060218 found nothing eTrust-InoculateIT 23.71.80/20060218 found nothing eTrust-Vet 12.4.2086/20060217 found nothing Ewido 3.5/20060218 found nothing Fortinet 2.69.0.0/20060218 found nothing F-Prot 3.16c/20060217 found nothing Ikarus 0.2.59.0/20060217 found [Backdoor.Linux.Keitan.C] Kaspersky 4.0.2.24/20060218 found [Backdoor.Linux.Keitan.c] McAfee 4700/20060217 found [Linux/DDoS-Kaiten] NOD32v2 1.1413/20060217 found nothing Norman 5.70.10/20060217 found nothing Panda 9.0.0.4/20060218 found nothing Sophos 4.02.0/20060218 found nothing Symantec 8.0/20060218 found [Backdoor.Kaitex] TheHacker 5.9.4.098/20060218 found nothing UNA 1.83/20060216 found nothing VBA32 3.10.5/20060217 found nothing 'derfiq' current detection: AntiVir 6.33.1.50/20060218 found [Worm/Linux.Lupper.B] Avast 4.6.695.0/20060216 found nothing AVG 718/20060217 found nothing Avira 6.33.1.50/20060218 found [Worm/Linux.Lupper.B] BitDefender 7.2/20060218 found nothing CAT-QuickHeal 8.00/20060216 found nothing ClamAV devel-20060126/20060217 found nothing DrWeb 4.33/20060218 found nothing eTrust-InoculateIT 23.71.80/20060218 found nothing eTrust-Vet 12.4.2086/20060217 found nothing Ewido 3.5/20060218 found nothing Fortinet 2.69.0.0/20060218 found nothing F-Prot 3.16c/20060217 found nothing Ikarus 0.2.59.0/20060217 found [Net-Worm.Linux.Lupper.B] Kaspersky 4.0.2.24/20060218 found nothing McAfee 4700/20060217 found nothing NOD32v2 1.1413/20060217 found nothing Norman 5.70.10/20060217 found nothing Panda 9.0.0.4/20060218 found nothing Sophos 4.02.0/20060218 found nothing Symantec 8.0/20060218 found [Hacktool] TheHacker 5.9.4.098/20060218 found nothing UNA 1.83/20060216 found nothing VBA32 3.10.5/20060217 found nothing This write-up can be found here: http://blogs.securiteam.com/index.php/archives/303 We will notify as we get new updates here: http://blogs.securiteam.com Gadi. -- http://blogs.securiteam.com/ "Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- new linux malware Gadi Evron (Feb 18)
- Re: new linux malware GroundZero Security (Feb 18)
- Re: new linux malware Gadi Evron (Feb 18)
- Re: new linux malware GroundZero Security (Feb 18)
- Re: new linux malware Gadi Evron (Feb 18)
- Re: new linux malware Gadi Evron (Feb 18)
- Re: new linux malware GroundZero Security (Feb 18)
- Re: new linux malware Marco Monicelli (Feb 20)
- Re: new linux malware Gadi Evron (Feb 20)