Full Disclosure: RE: Possible First Crypto Virus Definitely Discovered!

RE: Possible First Crypto Virus Definitely Discovered!

From: Rodrigo Gutierrez <rodrigo_at_intellicomp.cl>
Date: Tue, 8 Jun 2004 15:25:51 -0400

Has George Bush become a security researcher? Htf can people answer this
thread?... Is this GOOBLES AGAIN?

Rodrigo.-

-----Original Message-----
From: full-disclosure-admin_at_lists.netsys.com
[mailto:full-disclosure-admin_at_lists.netsys.com] On Behalf Of Meeusen,
Charles D
Sent: Tuesday, June 08, 2004 13:50
To: full-disclosure_at_lists.netsys.com
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!

"Men like me, we need a room full of clues"

--Doug.

-----Original Message-----
From: full-disclosure-admin_at_lists.netsys.com
[mailto:full-disclosure-admin_at_lists.netsys.com]On Behalf Of Harlan Carvey
Sent: Tuesday, June 08, 2004 12:40 PM
To: full-disclosure_at_lists.netsys.com
Cc: Billy B. Bilano
Subject: Re: [Full-disclosure] Possible First Crypto Virus Definitely
Discovered!

Bill,

From your post, you don't seem to have a great deal of
detailed information to share about this issue...
 
> The virus works on port 443.

Wouldn't it then be, by definition, a worm?

> It seems to accept inbound connections on that port as well and,
> presumably, awaits for commands from some series of servers elsewhere.
> Perhaps taking orders?

What information do you have to support this assumption?

> I also captured some of the
> traffic and attempted to analyze it up but it looks like -- you heard
> it here first, folks -- the payload is encrypted!

If this worm runs over SSL, as you say, then wouldn't you expect it to be
encrypted?

> Is this the first of a coming
> storm of crypto viruses we've all been eagerly fearing?

Is it?
http://www.us-cert.gov/current/current_activity.html#pct

http://www.cert.org/advisories/CA-2002-27.html

To be totally honest, Bill, I don't see a great deal of information in your
post that supports any of your assertions/assumptions. If this thing is
spreading the way you say it is, then it's a worm.

Regardless, there isn't any information in your post that clearly shows that
this worm infects both Windows and Unix hosts. In fact, one thing that does
seem clear in your post is that you haven't collected any information from
the "infected" hosts, but rather all you've got so far is network traffic
via Ethereal...and to be honest, any worm running over SSL is going to be
encrypted...
 
> At any rate, this is your heads up, folks! You heard it here first! Be
> on the lookout for this first, very nasty CRYPTO VIRUS!

Thanks. Noted.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Received on Jun 08 2004
