Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

I'm new here, and I already have something to share

From: Jack Johnson <jack () mail umbrellix tk>
Date: Wed, 06 Nov 2013 22:02:23 -0800
It is a user friendly report about a new worm/rootkit (only goes into worm mode when UUCP is active) that is able to, but has not yet, wreaked havoc on any system that it infects.
This report does drop dox, since it mentions the handle of an EFNet user. However, all it is 
is a description of a currently-active rootkit.

Xplatform.JPreskit rootkit

User friendly report written by Jack Johnson
'j4jackj' on EFNet

        DESCRIPTION
This newest infection is a rootkit spread by weak passwords and duff links.
It was made by an EFNetter called JPres. He originally developed it on the BeOS but it is able to strike every operating system that has actual use in the world. 

        THREAT LEVEL
This threat is terminal, for once a computer is infected, if you isolate it,
the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk on which / 
resides.
It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL 32 and 64, 
and the BeOS, PowerPC and Intel.
Threat activation is manually, by an unsuspecting user or by the master using a weak 
password via SSH and RSH.

        PAYLOAD DELIVERY
Payload delivery once the rootkit is on the computer is by Pastebin.com.
Payloads are encrypted and base64 encoded. It is unknown which encryption method from those available in a default (insert form of UNIX here) install is used. 

The format for payload titles is @tagYYYYMMDDSS where YYYYMMDDSS is a
serial number determining the time of execution, and tag is the
tag of the rooted machine.

        BEHAVIOUR
On UNIX systems, when UUCP is enabled, this rootkit is also a worm.
This rootkit/worm is able to morph by the master issuing commands to the
worm.

        RECOMMENDED ACTION
You must back up and reinstall. This rootkit may still be present after a reinstall, 
if you moved your files to the new installation.

        PREVENTION
In the future, do not allow anonymous SSH into your computer, unless for things like UUCP. 
This will prevent future reinfection.

Thank you for reading this report as a matter of urgency.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: