http://www.newsbytes.com/news/02/173408.html

By Brian McWilliams, Newsbytes

SEATTLE, WASHINGTON, U.S.A., 05 Jan 2002, 4:17 AM CST

A new and more dangerous version of a remote-control virus that targets computers running the Linux operating system may be in the wild, but security experts do not expect the malicious code to spread widely.

According to preliminary analyses, the virus appears to be a "smarter" variant of the Remote Shell Trojan (RST), discovered last September, that infects programs written for Linux, an alternative to Microsoft's Windows.

Managed security provider Qualys obtained a copy of one new variant last month from an "outside source," according to Gerhard Eschelbeck, vice president of engineering. Qualys will release a detailed advisory, along with detection and cleaning tools, next week for the new virus, which it has labeled RST.b.

Like the initial RST, the new variant identified by Qualys is designed to infect binary files in the Linux Executable and Linking Format (ELF) and create a "back door" on an infected system that gives a remote attacker full control.

But Eschelbeck said RST.b is more dangerous than its predecessor because it contains a payload that turns the infected machine into a network "sniffer," which lets the virus receive commands on any port without having to open a listening port of its own.

"The sniffer function allows the backdoor process to listen for any types of packets coming from any type of UDP port. This is an interesting but dangerous methodology we have not seen before," he said.

Qualys' findings differ somewhat from a separate analysis of a new RST variant identified last month by an independent security researcher who uses the nickname Lockdown.

According to Lockdown's analysis, the virus relies on the less common exterior gateway protocol (EGP) instead of the user datagram protocol (UDP). Lockdown said he discovered the virus on a "wargame box," a system used for hacking experiments.

[...]
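The practical consequence of a sniffing backdoor, whichever of the two analyses above is right, is that the process never bind()s a TCP or UDP port, so "netstat -l" and port scans show nothing. What it must do is hold a raw socket: either an AF_PACKET socket (which sees every frame, including UDP to any port) or an AF_INET SOCK_RAW socket for a given IP protocol (EGP is IP protocol 8). The Linux kernel lists both kinds in /proc/net/packet and /proc/net/raw. The script below, an added example written for this page and not code from Qualys, Lockdown or Newsbytes, parses those two tables and maps each socket's inode back to the PIDs holding it via /proc/<pid>/fd. The embedded table contents are constructed samples in the real kernel format; the column positions, the protocol-name tables and the helper names are this example's own assumptions, and walking other users' file descriptors needs root.

```python
"""
Enumerate raw and packet sockets so a port-agnostic sniffing backdoor still
shows up even though it never opens a listening port.  (Added example; the
sample /proc contents below are constructed, not captured from RST.b.)
"""
import os
from dataclasses import dataclass

# Constructed sample of /proc/net/packet (AF_PACKET sockets).  "Proto" is the
# Ethernet protocol: 0003 = ETH_P_ALL (every frame), 0800 = ETH_P_IP.
SAMPLE_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8800 3      3    0003   2     1 0      0      12345
ffff8801 3      3    0800   0     0 0      1000   12346
"""

# Constructed sample of /proc/net/raw (AF_INET SOCK_RAW).  The "port" half of
# local_address holds the IP protocol number: 0001 = ICMP, 0008 = EGP.
# (IPv6 raw sockets live in /proc/net/raw6 with the same layout.)
SAMPLE_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22222 2 ffff8802 0
   1: 00000000:0008 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22223 2 ffff8803 0
"""

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 8: "EGP", 17: "UDP"}   # assumed subset
ETH_PROTO_NAMES = {0x0003: "ETH_P_ALL", 0x0800: "ETH_P_IP", 0x0806: "ETH_P_ARP"}


@dataclass
class RawSock:
    family: str   # "packet" (AF_PACKET) or "raw" (AF_INET SOCK_RAW)
    proto: int
    uid: int
    inode: int


def parse_proc_net_packet(text):
    """Parse /proc/net/packet; columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        socks.append(RawSock("packet", int(f[3], 16), int(f[7]), int(f[8])))
    return socks


def parse_proc_net_raw(text):
    """Parse /proc/net/raw; the hex after ':' in local_address is the IP protocol."""
    socks = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        proto = int(f[1].split(":")[1], 16)
        socks.append(RawSock("raw", proto, int(f[7]), int(f[9])))
    return socks


def describe(s):
    names = ETH_PROTO_NAMES if s.family == "packet" else IP_PROTO_NAMES
    return f"{s.family} socket proto={names.get(s.proto, hex(s.proto))} uid={s.uid} inode={s.inode}"


def socket_owners(inodes, proc="/proc"):
    """Map socket inodes to PIDs by reading /proc/<pid>/fd/* symlinks.
    Returns {} if /proc is unavailable; unreadable fd dirs (not root) are skipped."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {}
    if not os.path.isdir(proc):
        return owners
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target in wanted:
                owners.setdefault(wanted[target], []).append(int(pid))
    return owners


def audit(packet_text, raw_text):
    """Return (description, [pids]) for every raw/packet socket in the two tables."""
    socks = parse_proc_net_packet(packet_text) + parse_proc_net_raw(raw_text)
    owners = socket_owners([s.inode for s in socks])
    return [(describe(s), owners.get(s.inode, [])) for s in socks]


if __name__ == "__main__":
    def read_or(path, fallback):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return fallback   # not on Linux or no permission: use the samples
    for desc, pids in audit(read_or("/proc/net/packet", SAMPLE_PACKET),
                            read_or("/proc/net/raw", SAMPLE_RAW)):
        print(desc, "pids=" + (",".join(map(str, pids)) or "?"))
```

On a real host, expect some legitimate entries (ping holds an ICMP raw socket, DHCP clients and tcpdump hold AF_PACKET sockets); the thing to chase is an ETH_P_ALL or unusual-protocol socket owned by a process that has no business sniffing, especially one whose binary is a system utility that RST-style infection could have modified.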
- ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 05:55:32 PST