Re: [Dailydave] new linux malware
From: val smith (mvalsmith gmail.com)
Date: Wed Feb 22 2006 - 16:04:18 CST
Oops sorry, I misspelled. It's Pedro not Pablo. Sorry!
V.
On 2/21/06, val smith <mvalsmith gmail.com> wrote:
>
> Those strings look very much like the kaiten stuff I just analyzed for
> Pablo Bueno's malware challenge thing. Relevant info is on
> OffensiveComputing as well as a full analysis in pdf form. (requires that
> you login to see the post)
>
> V.
>
> On 2/18/06, Gadi Evron <ge linuxbox.org> wrote:
> >
> > Today, we received a notification about a new Linux malware ItW (In the
> > Wild).
> >
> > Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver
> > (http://www.shadowserver.org/) and Nicholas Alright who notified the
> > relevant operational communities, with the information on the binaries.
> > He captured them with sguil (http://sguil.sourceforge.net/).
> >
> > Chas is working with Shadowserver to identify better ways to
> > trackdown/takedown botnets.
> >
> > *The credit should go to him and Shadowserver*.
> >
> > Shadowserver has been a responsible and essential part of recent
> > Internet security activities.
> >
> > As anti-virus vendors have been notified and will soon do a write-up on it,
> > I see no reason not to publicize it here.
> >
> > MD5:
> > c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
> > e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session
> >
> > We are not quite sure as of yet exactly what this does, it can be a
> > Linux virus, a Linux Trojan horse, a Linux worm... we are not even sure
> > if the checksums above are useful at all. We hope to know more soon and
> > we will update as we do.
> >
> > There are some interesting strings to be noted:
> >
> > NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls
> > NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers
> > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> > NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder
> > NOTICE %s :NICK <nick> = Changes the nick of the client
> > NOTICE %s :SERVER <server> = Changes servers
> > NOTICE %s :GETSPOOFS = Gets the current spoofing
> > NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet
> > NOTICE %s :DISABLE = Disables all packeting from this client
> > NOTICE %s :ENABLE = Enables all packeting from this client
> > NOTICE %s :KILL = Kills the client
> > NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
> > NOTICE %s :VERSION = Requests version of client
> > NOTICE %s :KILLALL = Kills all current packeting
> > NOTICE %s :HELP = Displays this
> > NOTICE %s :IRC <command> = Sends this command to the server
> > NOTICE %s :SH <command> = Executes a command
> >
> > 'session', current detection:
> > AntiVir 6.33.1.50/20060218 found [BDS/Katien.R]
> > Avast 4.6.695.0/20060216 found nothing
> > AVG 718/20060217 found nothing
> > Avira 6.33.1.50/20060218 found [BDS/Katien.R]
> > BitDefender 7.2/20060218 found nothing
> > CAT-QuickHeal 8.00/20060216 found nothing
> > ClamAV devel-20060126/20060217 found nothing
> > DrWeb 4.33/20060218 found nothing
> > eTrust-InoculateIT 23.71.80/20060218 found nothing
> > eTrust-Vet 12.4.2086/20060217 found nothing
> > Ewido 3.5/20060218 found nothing
> > Fortinet 2.69.0.0/20060218 found nothing
> > F-Prot 3.16c/20060217 found nothing
> > Ikarus 0.2.59.0/20060217 found [Backdoor.Linux.Keitan.C]
> > Kaspersky 4.0.2.24/20060218 found [Backdoor.Linux.Keitan.c]
> > McAfee 4700/20060217 found [Linux/DDoS-Kaiten]
> > NOD32v2 1.1413/20060217 found nothing
> > Norman 5.70.10/20060217 found nothing
> > Panda 9.0.0.4/20060218 found nothing
> > Sophos 4.02.0/20060218 found nothing
> > Symantec 8.0/20060218 found [Backdoor.Kaitex]
> > TheHacker 5.9.4.098/20060218 found nothing
> > UNA 1.83/20060216 found nothing
> > VBA32 3.10.5/20060217 found nothing
> >
> > 'derfiq' current detection:
> > AntiVir 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
> > Avast 4.6.695.0/20060216 found nothing
> > AVG 718/20060217 found nothing
> > Avira 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
> > BitDefender 7.2/20060218 found nothing
> > CAT-QuickHeal 8.00/20060216 found nothing
> > ClamAV devel-20060126/20060217 found nothing
> > DrWeb 4.33/20060218 found nothing
> > eTrust-InoculateIT 23.71.80/20060218 found nothing
> > eTrust-Vet 12.4.2086/20060217 found nothing
> > Ewido 3.5/20060218 found nothing
> > Fortinet 2.69.0.0/20060218 found nothing
> > F-Prot 3.16c/20060217 found nothing
> > Ikarus 0.2.59.0/20060217 found [Net-Worm.Linux.Lupper.B]
> > Kaspersky 4.0.2.24/20060218 found nothing
> > McAfee 4700/20060217 found nothing
> > NOD32v2 1.1413/20060217 found nothing
> > Norman 5.70.10/20060217 found nothing
> > Panda 9.0.0.4/20060218 found nothing
> > Sophos 4.02.0/20060218 found nothing
> > Symantec 8.0/20060218 found [Hacktool]
> > TheHacker 5.9.4.098/20060218 found nothing
> > UNA 1.83/20060216 found nothing
> > VBA32 3.10.5/20060217 found nothing
> >
> > This write-up can be found here:
> > http://blogs.securiteam.com/index.php/archives/303
> >
> > We will notify as we get new updates here:
> > http://blogs.securiteam.com
> >
> > Gadi.
> >
> > --
> > http://blogs.securiteam.com/
> >
> > "Out of the box is where I live".
> > -- Cara "Starbuck" Thrace, Battlestar Galactica.
> >
>
>
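The notification above gives two kinds of indicator: the MD5 checksums of the two captured files, and the IRC command-help strings embedded in the 'session' binary. The following is an added triage example, not code from the thread, from Shadowserver or from SecuriTeam. It assumes only Python 3 and the standard library; the sample inputs are constructed inline and are not the real binaries. It checks a blob against the listed hashes and counts how many of the quoted help strings it contains, so that a recompiled variant with a different hash still surfaces on the string check.

```python
import hashlib
from pathlib import Path

# MD5 checksums exactly as listed in the notification, mapped to the sample
# name used there and the family names the AV results in the post assign.
KNOWN_MD5 = {
    "c2576aeff0fd9267b6cc3a7e1089e05d": "derfiq (Worm/Linux.Lupper.B per AntiVir, Avira, Ikarus)",
    "e9a2b13fe02d013cc5e11ee586d11c38": "session (Kaiten/Katien per AntiVir, Kaspersky, McAfee, Symantec)",
}

# Command-help strings quoted in the post. The leading "NOTICE %s :" prefix and
# the argument placeholders are kept so that ordinary IRC client code, which
# also emits NOTICE lines, does not match.
KAITEN_HELP_STRINGS = [
    b"NOTICE %s :TSUNAMI <target> <secs>",
    b"NOTICE %s :PAN <target> <port> <secs>",
    b"NOTICE %s :UDP <target> <port> <secs>",
    b"NOTICE %s :UNKNOWN <target> <secs>",
    b"NOTICE %s :GETSPOOFS",
    b"NOTICE %s :SPOOFS <subnet>",
    b"NOTICE %s :KILLALL",
    b"NOTICE %s :GET <http address> <save as>",
    b"NOTICE %s :SH <command>",
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a blob, the form the notification lists."""
    return hashlib.md5(data).hexdigest()


def match_known_hash(data: bytes):
    """Return the label for a listed checksum, or None if the hash is unknown."""
    return KNOWN_MD5.get(md5_hex(data))


def kaiten_string_hits(data: bytes) -> list:
    """Which of the quoted help strings occur verbatim in the blob."""
    return [s for s in KAITEN_HELP_STRINGS if s in data]


def triage(data: bytes, min_hits: int = 3) -> dict:
    """Combine the exact-hash check with the looser string check.

    A hash match is definitive for the two listed files. The string check is
    the broader net: min_hits distinct help strings (default 3) flags the blob
    as Kaiten-like even when the hash differs.
    """
    known = match_known_hash(data)
    hits = kaiten_string_hits(data)
    if known:
        verdict = "known-sample"
    elif len(hits) >= min_hits:
        verdict = "kaiten-like"
    else:
        verdict = "no-match"
    return {"md5": md5_hex(data), "known": known,
            "string_hits": len(hits), "verdict": verdict}


def triage_paths(paths) -> dict:
    """Run triage over files on disk; returns {path: result}."""
    return {str(p): triage(Path(p).read_bytes()) for p in paths}


# Constructed inputs (not the real binaries): an ELF-looking blob carrying
# several of the quoted help strings, and a harmless blob with one NOTICE line.
CONSTRUCTED_BOT_LIKE = (
    b"\x7fELF" + b"\x00" * 64
    + b"NOTICE %s :TSUNAMI <target> <secs> = Special packeter\x00"
    + b"NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder\x00"
    + b"NOTICE %s :SH <command> = Executes a command\x00"
    + b"NOTICE %s :KILLALL = Kills all current packeting\x00"
)
CONSTRUCTED_BENIGN = b"\x7fELF" + b"\x00" * 64 + b"NOTICE %s :hello from a normal irc client\x00"

if __name__ == "__main__":
    for name, blob in (("bot-like", CONSTRUCTED_BOT_LIKE), ("benign", CONSTRUCTED_BENIGN)):
        print(name, triage(blob))
```

The hash lookup only ever confirms the two exact files from the post, which is why the string check carries the real weight: it also fires on rebuilt variants, but it will equally match the bot's source tree or an AV signature database that embeds the same strings, so treat a "kaiten-like" verdict as a reason to look at the file, not as a conviction.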