[ISN] Limpninja Trojan horse emerges

From: InfoSec News (isnat_private)
Date: Wed Nov 14 2001 - 23:28:33 PST

  • Next message: InfoSec News: "[ISN] Report: Business fails on global security"

    Forwarded from: Justin Lundy <jblat_private>
    Limpninja Trojan horse emerges
    By James Middleton
    Security watchers are speculating that hackers familiar with the ways
    of the ninja may be attempting to construct a distributed denial of
    service (DDos) network on compromised Secure Shell Hosts (SSHs).
    Threads on security newsgroups have suggested that hackers may be
    breaking into Linux boxes running the SSH1 protocol, using a known
    vulnerability in the SSH CRC32 (cyclic redundancy checksum) that was
    published late last month.
    Writing on the BugTraq security mailing list yesterday William
    Salusky, of security firm DMZS, said: "It appears that someone may be
    building up a network of [potential] DDos hosts."
    He explained that he had discovered a compromised Red Hat box that was
    being used as a central host for other 'zombie' machines, although it
    is not yet clear how the central server communicates with the zombies.
    Apparently the attacker manually installed an IRC server, which was
    communicating with more than 120 other host machines.
    The communication channel was called 'kujikiri', a method of esoteric
    teaching used by the ninja, and the channel key was tagged
    'ninehandscutting', an ancient ninjitsu hand movement.
    Apparently all hosts communicating with the central server were
    logging on using identification names prefixed with 'ninja'.
    According to experts, the Trojan program installed in the attack does
    not match any signatures identified so far and, if it is new, Salusky
    has already christened it 'Limpninja'.
    Also last week attackers operating from network blocks in The
    Netherlands used the same exploit to break into another Red Hat box on
    the University of Washington network. Once inside the server the
    attackers installed Trojan horses and the machine was set up to scan
    for other vulnerable hosts.
    According to Dave Dittrich, of the computing and communications
    department of the University, 25,386 unique hosts were scanned over a
    number of days and 1,244 vulnerable hosts were identified, although
    only four were thought to be compromised.
    As of yet there is no evidence to tie the University hack to previous
    'ninja' attacks although the incident suggests that there are still a
    number of vulnerable machines out there.
    A Computer Emergency Response Team warning about the SSH1
    vulnerability, which allows a remote attacker to execute arbitrary
    code with the privileges of the SSH daemon (typically root), can be
    found here:
    "Paper money eventually returns to its intrinsic value - zero." -Voltaire       
    HTTP: www.subterrain.net/~jbl/ % GPG key: www.subterrain.net/~jbl/jbl.gpg       
    %% GPG key fingerprint: 7F63 6DF4 B2F8 31F7 5219 8E0B 602F C8C8 D77E FFDF
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Nov 15 2001 - 01:02:41 PST