Re: I'm new here, and I already have something to share

[Jack Johnson <jack () mail umbrellix tk>]

Sorry, I don't actually have a sample, I was just once infected with it.
Thank you for your concern.

Źmicier Januszkiewicz wrote:
> Hi Jack,
>
> Care to share a sample of this one?
>
> Cheers,
> Z.
>
> 2013/11/7 Jack Johnson <jack () mail umbrellix tk>:
> > It is a user friendly report about a new worm/rootkit (only goes into worm
> > mode when UUCP is active) that is able to, but has not yet, wreaked havoc on
> > any system that it infects.
> >
> > This report does drop dox, since it mentions the handle of an EFNet user.
> > However, all it is
> > is a description of a currently-active rootkit.
> >
> > Xplatform.JPreskit rootkit
> >
> > User friendly report written by Jack Johnson
> > 'j4jackj' on EFNet
> >
> >          DESCRIPTION
> > This newest infection is a rootkit spread by weak passwords and duff links.
> > It was made by an EFNetter called JPres. He originally developed it on the
> > BeOS
> > but it is able to strike every operating system that has actual use in the
> > world.
> >
> >          THREAT LEVEL
> > This threat is terminal, for once a computer is infected, if you isolate it,
> > the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk
> > on which /
> > resides.
> >
> > It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL
> > 32 and 64,
> > and the BeOS, PowerPC and Intel.
> >
> > Threat activation is manually, by an unsuspecting user or by the master
> > using a weak
> > password via SSH and RSH.
> >
> >          PAYLOAD DELIVERY
> > Payload delivery once the rootkit is on the computer is by Pastebin.com.
> > Payloads are encrypted and base64 encoded. It is unknown which encryption
> > method
> > from those available in a default (insert form of UNIX here) install is
> > used.
> >
> > The format for payload titles is @tagYYYYMMDDSS where YYYYMMDDSS is a
> > serial number determining the time of execution, and tag is the
> > tag of the rooted machine.
> >
> >          BEHAVIOUR
> > On UNIX systems, when UUCP is enabled, this rootkit is also a worm.
> > This rootkit/worm is able to morph by the master issuing commands to the
> > worm.
> >
> >          RECOMMENDED ACTION
> > You must back up and reinstall. This rootkit may still be present after a
> > reinstall,
> > if you moved your files to the new installation.
> >
> >          PREVENTION
> > In the future, do not allow anonymous SSH into your computer, unless for
> > things like UUCP.
> > This will prevent future reinfection.
> >
> > Thank you for reading this report as a matter of urgency.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/