heads up: worm on the loose

From: david evlis reign (davidreignat_private)
Date: Thu Feb 14 2002 - 01:44:11 PST

    hi,
    this is my first post and i am sorry that i had to be the bearer of bad 
    news.
    while doing my monthly audit today on my company's external boxes (gateways, 
    external mail forwarders/...) i came across some *strange* files, which after 
    inspection turned out to be source code to a new internet worm...
    the headers are as follows:
    
    /*** Skelleton for an INET-worm. Plug-in the exploitcode and the
    *** scan-routine and it works!
    *** You propably have to change the sleep-seconds from 10 to a higher value.
    *** Worms must be linked statically in this case.
    *** For educational purposes only! Don't use it in a bad manner.
    ***/
    
    in fact the exploitcode was an ssh exploit by someone going by the name of 
    "zip" and inspecting the source of this "skelleton" worm it seems it is 
    cross platform, harbouring shellcode for *bsd, linux and solaris. i was 
    totally dismayed and i saved a copy of this and another file, then i 
    reformatted...i was not going to let my mail server be used to launch 
    attacks on sites.
    the other file which i found was not a worm but an "autorooter" for ssh, 
    as ssh-1.2.26 was running on a mail server out of my audit space, the 
    attackers had obviously abused a trusted relationship.
    the headers are as follows:
    
    a kernel module:
    //
    // (ssmod.c) by _dave
    //
    // Kernel module that bypasses the password check on the x2
    // sshd crc32 exploit.
    //
    // gcc -c -O3 ssmod.c -I/usr/src/linux/include
    // /sbin/insmod ssmod.o
    //
    
    a scanning module:
    /*
    ** pscan.c - Originally by Volatile
    ** modified by _dave
    **
    */
    
    another file, i am not sure what this does
    /* oops.c, part of the autossh package... by _dave */
    /* nodupe2.c .... by _dave */
    /* ssvuln.c */
    /* by _dave */
    
    
    as you can see this exploit is being exploited in the wild...i am too afraid 
    to think of the possibilities if that "skelleton" is released.
    
    i just hope i have got to the public in time...
    
    - david evlis reign, PhD compsci, CCISP
    
    ps: any further details will be provided to researchers
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 09:05:18 PST