Security Incidents mailing list archives

heads up: worm on the loose


From: "david evlis reign" <davidreign () hotmail com>
Date: Thu, 14 Feb 2002 09:44:11 +0000

hi,
this is my first post and i am sorry that i had to be the bearer of bad news. while doing my monthly audit today on my company's external boxes (gateways, external mail forwarders/...) i came across some *strange* files, which after inspection turned out to be source code to a new internet worm...
the headers are as follows:

/*** Skelleton for an INET-worm. Plug-in the exploitcode and the
*** scan-routine and it works!
*** You propably have to change the sleep-seconds from 10 to a higher value.
*** Worms must be linked statically in this case.
*** For educational purposes only! Don't use it in a bad manner.
***/

in fact the exploitcode was an ssh exploit by someone going by the name of "zip", and inspecting the source of this "skelleton" worm it seems it is cross-platform, harbouring shellcode for *bsd, linux and solaris. i was totally dismayed; i saved a copy of this and another file, then i reformatted... i was not going to let my mail server be used to launch attacks on sites. the other file which i found was not a worm but an "autorooter" for ssh; as ssh-1.2.26 was running on a mail server out of my audit space, the attackers had obviously abused a trusted relationship.
the headers are as follows:

a kernel module:
//
// (ssmod.c) by _dave
//
// Kernel module that bypasses the password check on the x2
// sshd crc32 exploit.
//
// gcc -c -O3 ssmod.c -I/usr/src/linux/include
// /sbin/insmod ssmod.o
//

a scanning module:
/*
** pscan.c - Originally by Volatile
** modified by _dave
**
*/

another file, i am not sure what this does
/* oops.c, part of the autossh package... by _dave */
/* nodupe2.c .... by _dave */
/* ssvuln.c */
/* by _dave */


as you can see this exploit is being exploited in the wild...i am too afraid to think of the possibilities if that "skelleton" is released.

i just hope i have got to the public in time...

- david evlis reign, PhD compsci, CCISP

ps: any further details will be provided to researchers
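A defender-side check prompted by the ssh-1.2.26 server mentioned in the post above, added here as an example and not part of the original message: it takes SSH version banners as an inventory job or scanner would record them (the hostnames and banners below are constructed), parses the protocol and software version out of each, and flags servers that still offer SSH protocol 1 or sit in the version ranges that the public advisories for the CRC32 compensation-attack detector bug listed as affected. The thresholds used (ssh.com SSH1 1.2.24 through 1.2.31, OpenSSH before 2.3.0) are my recollection of those advisories, marked as assumptions in the code; confirm them against the advisory text before acting on the output.

```python
"""Audit recorded SSH banners for legacy protocol-1 daemons (added example)."""
import re

# ASSUMED affected ranges for the CRC32 compensation-attack detector bug;
# verify against the vendor/CERT advisories before relying on these.
VULN_SSH1_MIN = (1, 2, 24)      # ssh.com SSH1, lowest affected release
VULN_SSH1_MAX = (1, 2, 31)      # ssh.com SSH1, highest affected release
VULN_OPENSSH_FIXED = (2, 3, 0)  # first OpenSSH release carrying the fix

# Constructed inventory: host -> first line the sshd sent. Not real hosts.
SAMPLE_BANNERS = {
    "mx1.example.test": "SSH-1.5-1.2.26",
    "gw.example.test": "SSH-1.99-OpenSSH_2.2.0p1",
    "relay.example.test": "SSH-2.0-OpenSSH_3.0.2p1",
    "legacy.example.test": "SSH-1.5-1.2.32",
    "bastion.example.test": "SSH-1.99-OpenSSH_2.3.0",
}

# "SSH-<protoversion>-<softwareversion>[ comment]" per the SSH banner format
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_banner(line):
    """Return (protocol, family, version_tuple) or None for a non-SSH banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    software = m.group("software")
    if software.startswith("OpenSSH_"):
        family = "openssh"
        vm = VERSION_RE.search(software[len("OpenSSH_"):])
    elif re.match(r"\d", software):
        # bare "1.2.26"-style string, as the ssh.com 1.x daemon announced itself
        family = "ssh1"
        vm = VERSION_RE.match(software)
    else:
        family = "other"
        vm = VERSION_RE.search(software)
    version = None
    if vm:
        # missing patch level (e.g. "2.3") is treated as .0 for comparison
        version = tuple(int(g) if g else 0 for g in vm.groups())
    return proto, family, version


def findings_for(line):
    """List the audit findings for one banner line."""
    parsed = parse_banner(line)
    if parsed is None:
        return ["unparsable-banner"]
    proto, family, version = parsed
    out = []
    # 1.3/1.5 are protocol-1-only daemons; 1.99 means protocol 1 is still offered
    if proto in ("1.3", "1.5", "1.99"):
        out.append("protocol-1-offered")
    if version is not None:
        if family == "ssh1" and VULN_SSH1_MIN <= version <= VULN_SSH1_MAX:
            out.append("crc32-detector-bug-range")
        elif family == "openssh" and version < VULN_OPENSSH_FIXED:
            out.append("crc32-detector-bug-range")
    return out


def audit(banners):
    """Map each host to its findings; hosts with an empty list are clean."""
    return {host: findings_for(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_BANNERS).items():
        print(f"{host:24} {', '.join(findings) or 'ok'}")
```

Run against a real inventory, the interesting output is any host carrying both findings: a protocol-1 daemon inside the assumed affected range is exactly the profile of the mail server the post describes, and the "protocol-1-offered" finding alone is still worth a ticket since the 1.99 banner means the server will negotiate down if a client asks.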







