Limpninja Trojan horse emerges

[InfoSec News <isn () c4i org>]

Forwarded from: Justin Lundy <jbl () subterrain net>

http://www.vnunet.com/News/1126812

Limpninja Trojan horse emerges
By James Middleton
11-13-2001

Security watchers are speculating that hackers familiar with the ways
of the ninja may be attempting to construct a distributed denial of
service (DDos) network on compromised Secure Shell Hosts (SSHs).

Threads on security newsgroups have suggested that hackers may be
breaking into Linux boxes running the SSH1 protocol, using a known
vulnerability in the SSH CRC32 (cyclic redundancy checksum) that was
published late last month.

Writing on the BugTraq security mailing list yesterday William
Salusky, of security firm DMZS, said: "It appears that someone may be
building up a network of [potential] DDos hosts."

He explained that he had discovered a compromised Red Hat box that was
being used as a central host for other 'zombie' machines, although it
is not yet clear how the central server communicates with the zombies.

Apparently the attacker manually installed an IRC server, which was
communicating with more than 120 other host machines.

The communication channel was called 'kujikiri', a method of esoteric
teaching used by the ninja, and the channel key was tagged
'ninehandscutting', an ancient ninjitsu hand movement.

Apparently all hosts communicating with the central server were
logging on using identification names prefixed with 'ninja'.

According to experts, the Trojan program installed in the attack does
not match any signatures identified so far and, if it is new, Salusky
has already christened it 'Limpninja'.

Also last week attackers operating from network blocks in The
Netherlands used the same exploit to break into another Red Hat box on
the University of Washington network. Once inside the server the
attackers installed Trojan horses and the machine was set up to scan
for other vulnerable hosts.

According to Dave Dittrich, of the computing and communications
department of the University, 25,386 unique hosts were scanned over a
number of days and 1,244 vulnerable hosts were identified, although
only four were thought to be compromised.

As of yet there is no evidence to tie the University hack to previous
'ninja' attacks although the incident suggests that there are still a
number of vulnerable machines out there.

A Computer Emergency Response Team warning about the SSH1
vulnerability, which allows a remote attacker to execute arbitrary
code with the privileges of the SSH daemon (typically root), can be
found here:

http://www.kb.cert.org/vuls/id/945216


-- 
"Paper money eventually returns to its intrinsic value - zero." -Voltaire       
HTTP: www.subterrain.net/~jbl/ % GPG key: www.subterrain.net/~jbl/jbl.gpg       
%% GPG key fingerprint: 7F63 6DF4 B2F8 31F7 5219 8E0B 602F C8C8 D77E FFDF



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.