Monday, November 23, 2009

[LINUX_Newbies] I got question about virus...

 

Is Linux really prone to viruses like M$ Windozes?

I know some say not to bother with an AV product, but I have been using BitDefender and really like it better than ClamAV. BitDefender almost runs like the MS Windows version: it actually runs in the background, preloads the AV engines at startup, and has a drop zone. A lot better than ClamAV as far as I can see. Well, I know there are known viruses, worms and malware that DO find ways into Linux. So as mainstream as it gets, there will be hackers and cracks to get malware into Linux; as time goes on it won't be safe on any system or game console out there. As for now, these are well known out there for Linux.
Think safety first always..... Nothing is safe unless you monitor and do checks on your systems.
====================================================================
Linux.Worm.Slapper.A / B / C / D    Spreading/Damage: medium
Discovered: 2002 Sep 24 (A: 2002 Sep 16; D: 2006 Feb 21)
SYMPTOMS:
- Variant A:
- files "/tmp/.bugtraq" and "/tmp/.bugtraq.c" containing the worm's executable and source code;
- a process ".bugtraq" running (the executable worm);
- UDP port 2002 open.
- Variants B and C:
- files /tmp/.cinik, /tmp/.cinik.c, /tmp/.cinik.go (variant B);
- directory /tmp/.font-unix/.cinik (variant B);
- files /tmp/.unlock.c, /tmp/httpd, /tmp/.update.c, /tmp/update;
- message "foo" …
- Variant D:
- presence of a file "listen.log" in the same directory as the virus;
- UDP port 27015 open;
- increased CPU usage due to the many outgoing TCP connections on port 80.
TECHNICAL DESCRIPTION:
Linux.Worm.Slapper.A
Internet worm that exploits a vulnerability in the OpenSSL implementation of the Secure Sockets Layer protocol: sending a malformed client key in an SSL request may cause a buffer overrun and run code of the attacker's choice on the server; more detailed information regarding this vulnerability (discovered in July 2002) is available in the document http://www.openssl.org/news/secadv_20020730.txt. The worm targets several Linux distributions running the popular Apache web server.
The worm scans for vulnerable computers in the network having IPs of the form a.b.c.d, where 'a' and 'b' are chosen randomly ('a' is limited to one of 162 possible values in the range 3 to 239) and 'c' and 'd' are iterated through all possible values. For every scanned IP, the worm tries to establish an HTTP connection in order to query the operating system and see whether a vulnerable version of the Apache server is running (Gentoo, Debian, Red-Hat, SuSE, Mandrake and Slackware operating systems, and several versions of Apache 1.3.xx, are currently "supported" by the worm; a default configuration of Red-Hat Linux running Apache 1.3.23 is assumed if none of the hardcoded ones is detected).
The worm will attempt (a maximum of 20 times, with 0.1 seconds between retries) to connect to the possibly-vulnerable computer's default SSL port (443) and send it a malformed string that will cause a buffer overrun and will run the embedded x86 machine-code; this code sequence uses INT 80h system calls to access Linux kernel services and invoke the shell (with redirected output for "silent" execution) in order to perform the following actions:
- save a uuencoded copy of the worm's C source code in "/tmp/.uubugtraq" (uuencoding is an encoding, not encryption; it only hides the source from casual inspection);
- decode it to "/tmp/.bugtraq.c";
- compile the source to "/tmp/.bugtraq";
- run the generated executable with the sender machine's IP as a command-line argument.
(The sequence includes selected code for the determined Linux/Apache configuration.)
This mechanism of sending the source code (C program) and compiling it on the target machine ensures the worm's portability on many distributions of Linux.
Besides replicating to other computers in the network as described, the worm listens to UDP port 2002 for (encrypted) messages, providing the following functions:
- direct communication with another infected machine;
- relaying a data packet to another infected machine;
- broadcasting a data packet to all infected machines;
- running a command on the machine;
- initiate a distributed denial-of-service attack on a machine (using UDP / TCP / IPv6 TCP connections, or DNS requests for the domain name servers).
This backdoor-like behaviour compromises the local machine's and the network's security and functionality.
Variants B and C are two variants of Linux.Worm.Slapper.A. They use the same exploit and the changes are minor. The file names differ from the first variant as listed in the Symptoms section. Another change is the port of the backdoor component of the virus:
- 1978 - variant B
- 4156 - variant C
The B variant sends a notification mail message to the address cinik_worm@yahoo.com with the IP and some other information about the infected host. Some comments in the virus source (.cinik.c) are written in Romanian. If the virus fails to download the source code to the victim, it will try to download it from a Romanian site.
The C variant contains another backdoor (.update.c and update) which listens on port 1052. To be used, the backdoor requires a password. The virus also sends a notification to aion@ukr.net.
Judging from the source code, these variants were modified by a 24-year-old Romanian (variant B) and a 21-year-old Ukrainian (variant C).
- Variant D
This worm is compiled with gcc. It scans port 80 on random IP addresses. If one of these computers has the XML-RPC for PHP remote code injection vulnerability (Bugtraq ID 14088, http://mamboserver.com/ ), the worm sends several commands to the victim computer that download the worm using wget.
Once a computer is infected, the worm sends a notification message (via UDP) to the attacker's server on port 25555. The worm opens 500 TCP connections at once while scanning hosts for the vulnerability. This increases CPU usage (many half-open connections in the SYN_SENT state can be seen with the "netstat" command).
The worm also tries to download itself onto the victim computer (using the PHP/XML-RPC vulnerability) from the following address: http://209.123.16.34/ .
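The symptoms and backdoor ports listed above translate directly into a host triage check. The following is an added example, not part of the original post and not any AV vendor's tooling: it looks for the drop files under a directory standing in for /tmp, parses `netstat -anp`-style output for the UDP backdoor listeners (2002, 1978, 4156, 27015) and Variant C's TCP 1052 backdoor, looks for the ".bugtraq" process name, and counts outgoing half-open (SYN_SENT) connections to port 80 as the Variant D scanning signature. The netstat snapshot and the temporary directory are constructed for the demo; the SYN_SENT threshold and treating ".cinik" as a process name are my assumptions.

```python
"""Host triage for the Slapper indicators listed above.

Added example (not from the original post). Input is a directory standing in
for /tmp plus the text of `netstat -anp`; both are constructed for the demo.
"""
import tempfile
from pathlib import Path

# Drop files per variant, relative to /tmp, from the SYMPTOMS section.
SLAPPER_DROP_FILES = {
    "A": [".bugtraq", ".bugtraq.c", ".uubugtraq"],
    "B": [".cinik", ".cinik.c", ".cinik.go", ".font-unix/.cinik"],
    "C": [".unlock.c", "httpd", ".update.c", "update"],
}
# UDP backdoor listener per variant; TCP 1052 is Variant C's second backdoor.
BACKDOOR_UDP_PORTS = {2002: "A", 1978: "B", 4156: "C", 27015: "D"}
BACKDOOR_TCP_PORTS = {1052: "C"}
# ".bugtraq" is named on the page; ".cinik" is an assumption from its drop file.
WORM_PROCESS_NAMES = {".bugtraq", ".cinik"}
# Assumption: Variant D opens ~500 connections at once, so a few dozen
# simultaneous SYN_SENT to port 80 is already a strong signal.
SYN_SENT_80_THRESHOLD = 50


def check_drop_files(tmp_dir):
    """Return {variant: [present paths]} for the worm's drop files under tmp_dir."""
    hits = {}
    for variant, names in SLAPPER_DROP_FILES.items():
        present = [str(Path(tmp_dir, n)) for n in names if Path(tmp_dir, n).exists()]
        if present:
            hits[variant] = present
    return hits


def _port(addr):
    """Port part of '1.2.3.4:80' or ':::2002' ('*' for a wildcard)."""
    return addr.rsplit(":", 1)[1]


def check_netstat(netstat_text):
    """Scan `netstat -anp`-style lines for backdoor listeners, worm process
    names and a burst of half-open connections to port 80."""
    findings = {"udp_backdoors": {}, "tcp_backdoors": {},
                "syn_sent_80": 0, "worm_procs": set()}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local, foreign = f[0], f[3], f[4]
        lport = _port(local)
        if proto.startswith("udp") and lport.isdigit() \
                and int(lport) in BACKDOOR_UDP_PORTS:
            findings["udp_backdoors"][int(lport)] = BACKDOOR_UDP_PORTS[int(lport)]
        if proto.startswith("tcp") and len(f) >= 6:
            state = f[5]
            if state == "LISTEN" and lport.isdigit() \
                    and int(lport) in BACKDOOR_TCP_PORTS:
                findings["tcp_backdoors"][int(lport)] = BACKDOOR_TCP_PORTS[int(lport)]
            if state == "SYN_SENT" and _port(foreign) == "80":
                findings["syn_sent_80"] += 1
        # With -p (run as root) the last column is PID/Program name.
        prog = f[-1].rsplit("/", 1)[-1]
        if prog in WORM_PROCESS_NAMES:
            findings["worm_procs"].add(prog)
    return findings


def triage(tmp_dir, netstat_text):
    """Combine file and network findings into a verdict with suspected variants."""
    files = check_drop_files(tmp_dir)
    net = check_netstat(netstat_text)
    variants = set(files) | set(net["udp_backdoors"].values()) \
        | set(net["tcp_backdoors"].values())
    if net["syn_sent_80"] >= SYN_SENT_80_THRESHOLD:
        variants.add("D")
    return {
        "suspected_variants": sorted(variants),
        "drop_files": files,
        "net": net,
        "infected": bool(variants or net["worm_procs"]),
    }


# Constructed netstat snapshot for a Variant A host that is also scanning;
# not a capture from a real infection.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1023/httpd
tcp        0      1 10.0.0.5:41234          198.51.100.7:80         SYN_SENT    4321/.bugtraq
tcp        0      1 10.0.0.5:41235          198.51.100.8:80         SYN_SENT    4321/.bugtraq
tcp        0      1 10.0.0.5:41236          198.51.100.9:443        SYN_SENT    4321/.bugtraq
udp        0      0 0.0.0.0:2002            0.0.0.0:*                           4321/.bugtraq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           600/dhclient
"""


def build_sample_tmp():
    """Create a throwaway directory mimicking /tmp on a Variant A host."""
    d = tempfile.mkdtemp(prefix="slapper_demo_")
    for name in SLAPPER_DROP_FILES["A"]:
        Path(d, name).write_text("constructed placeholder, not worm code\n")
    return d


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_tmp(), SAMPLE_NETSTAT), indent=2, default=sorted))
```

On a real host you would pass "/tmp" and the output of `netstat -anp` run as root (only root sees other users' PID/program names); the file check is only a first pass, since a worm that was removed or renamed leaves the listener and the process name as the more durable signals.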
Not really Linux, but it may get through Wine. There are several Win32 viruses out there to mention, but this trojan may find its way in through Wine.
So note one can possibly catch these, so beware.

Trojan.Peed.JVL (aliases: Peed, Zhelatin, Nuwar, Peacomm)
Spreading/Damage: medium    Size: ~110 kB    Discovered: 2008 Jul 04
SYMPTOMS:
Computer slow-downs, increased network activity.
Presence of the files and registry entries specified below.
TECHNICAL DESCRIPTION:
When started, the malware copies itself to the following location:
%windows%\[malware_name].exe

It creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"[malware_name]" = "%windows%\[malware_name].exe"
A few examples of [malware_name] are:
"msserv"
"msssecurity"
It synchronizes the computer's clock against public time servers by executing the following commands:
w32tm.exe /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov
w32tm.exe /config /update
The malware adds itself as a Windows Firewall exception by executing the following command:
netsh firewall set allowedprogram %windows%\[malware_name].exe

The virus registers the compromised computer as a peer in its malware network and uses a randomly chosen UDP port to communicate with the other peers. It also sends to its network a unique ID for the compromised computer, stored in the registry key:
HKLM\Software\Microsoft\Windows\ITStorage\Finders\"config"
It drops a list of the initial peers to the configuration file:
%windows%\[malware_name].config
The malware updates this list by communicating with URLs like:
cadeaux-avenu[hide]/getbackup.php
The malware also has backdoor capabilities and can perform actions like:
- send spam emails by using its SMTP engine
- send system information from the compromised computer
- download and execute other malware
- update itself
It harvests email addresses from files with the following extensions:
.wab, .txt, .msg, .htm, .shtm, .stm, .xml, .dbx, .mbx, .mdx, .eml, .nch, .mmf, .ods, .cfg, .asp, .php, .pl, .wsh, .adb, .tbb, .sht, .xls, .oft, .uin, .cgi, .mht, .dhtm, .jsp, .dat, .lst
It does not send spam emails to addresses that contain any of the following strings:
"@microsoft", "rating@", "fsecur", "news", "update", "anyone@", "bugs@", "contract@", "feste", "gold-certs@", "help@",
"info@", "nobody@", "noone@", "kasp", "admin", "icrosoft", "support", "ntivi", "unix", "bsd", "linux", "listserv", "certific", "@foo", "@iana", "free-av", "@messagelab", "winzip", "google", "winrar", "samples", "abuse", "panda", "cafee", "spam", "pgp", "@avp.", "noreply", "local", "root@", "postmaster@"
Examples of sent emails:
Subject: Well done 4th!
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
American Independence Day http://69.251.[hide]/
Subject: Amazing Independence Day show
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Stars and Strips forever http://68.90.195.[hide]/
Some of the sent emails' subjects are:
Amazing firework 2008
Amazing Independence Day salute
Amazing Independence Day show
America for You and Me
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrate the spirit of America
Celebrate with Pride
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Fourth of July
Happy Independence Day
Home of the Brave
Independence Day firework broke all records
Just You
Light up the sky
Long Live America
Proud to be an American
S America the Beautiful
S Happy Fourth of July
S Stars and Strips forever
Sparkling Celebration of Independence Day
Spectacular fireworks show
Stars and Strips forever
Super 4th!
The best firework you've ever seen
The best of 4th of July Salute
Time for Fireworks
Well done 4th!
You Stay In My Heart
Some of the IPs used in the email body:
12.173.3.17, 12.206.167.119, 166.82.212.39, 206.174.87.86, 206.74.70.49,
207.244.171.96, 208.126.51.68, 216.137.135.74, 216.255.59.26, 24.0.122.81,
24.13.166.252, 24.13.97.222, 24.130.139.182, 24.147.15.92, 24.152.149.120,
24.165.150.180, 24.17.174.193, 24.182.235.74, 24.205.232.11, 24.238.99.243,
24.242.213.72, 24.249.135.214, 24.33.244.139, 24.33.89.242, 24.4.23.176,
24.6.219.159, 24.7.77.216, 24.92.177.76, 24.99.230.65, 4.248.91.23,
63.78.247.132, 64.179.170.8, 64.252.164.229, 64.53.204.29, 65.185.105.8,
65.185.32.14, 65.190.171.249, 65.25.89.233, 65.26.141.252, 65.33.188.214,
66.108.212.234, 66.176.27.185, 66.176.38.218, 66.190.179.22, 66.207.80.239,
66.245.42.63, 66.31.118.34, 66.65.85.219, 67.149.166.122, 67.160.102.118,
67.167.223.69, 67.167.51.11, 67.176.18.50, 67.181.66.114, 67.185.246.151,
67.191.111.202, 67.33.240.209, 67.36.178.10, 67.38.31.104, 67.65.218.142,
68.118.224.81, 68.123.103.252, 68.123.111.6, 68.179.134.99, 68.186.95.152,
68.32.95.182, 68.34.130.92, 68.51.239.72, 68.61.116.164, 68.62.190.121,
68.72.110.46, 68.73.159.167, 68.83.187.175, 68.91.83.15, 69.0.75.77,
69.14.241.85, 69.141.230.19, 69.153.15.97, 69.225.5.209, 69.230.217.93,
69.234.41.107, 69.237.236.202, 69.251.31.74, 69.253.205.240, 70.118.103.166,
70.126.163.86, 70.131.107.42, 71.138.48.93, 71.14.77.216, 88.73.16.57
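The persistence, firewall-exception and clock-sync steps in the Trojan.Peed description above can be checked against a registry export and a list of process command lines. The following is an added example, not from the original post or the AV vendor: it parses a .reg-style export of the HKCU Run key, flags values whose target is an executable dropped directly into the Windows directory (the %windows%\[malware_name].exe pattern), matches command lines of the shape quoted above (w32tm with /manualpeerlist, netsh firewall set allowedprogram for a file under \Windows), and correlates the two. The registry text and the command lines are constructed samples; the function and indicator names are mine.

```python
"""Checks for the Trojan.Peed persistence indicators described above.

Added example (not from the original post or the AV vendor). Inputs are a
.reg-style export of the HKCU Run key and a list of process command lines;
both samples at the bottom are constructed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Names quoted on the page; the real set is larger, so the checks below key on
# the path pattern rather than on these names.
KNOWN_NAMES = {"msserv", "msssecurity"}
# An executable sitting directly in the Windows directory (C:\Windows\x.exe).
_WINDIR_EXE = re.compile(r"[a-z]:\\windows\\[^\\\s\"]+\.exe", re.I)
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
_EXE_PATH = re.compile(r'^"?([a-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.I)


def _unescape_reg(s):
    # Undo .reg escaping: a doubled backslash and an escaped quote become one char.
    return re.sub(r"\\(.)", r"\1", s)


def check_run_key_export(reg_text):
    """Return [(value_name, exe_path)] for entries under RUN_KEY whose target
    executable lives directly in the Windows directory."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = _REG_VALUE.match(line)
        if not m:
            continue
        name, value = m.group(1), _unescape_reg(m.group(2))
        p = _EXE_PATH.match(value)
        if p and _WINDIR_EXE.fullmatch(p.group(1)):
            hits.append((name, p.group(1)))
    return hits


def _image_name(cmd):
    """Base name of the first token (quotes and directory stripped), lowercased."""
    first = cmd.strip().split()[0].strip('"')
    return first.rsplit("\\", 1)[-1].lower()


def check_command_lines(cmd_lines):
    """Return [(indicator, cmd)] for command lines of the shape the malware runs."""
    hits = []
    for cmd in cmd_lines:
        if not cmd.strip():
            continue
        img = _image_name(cmd)
        low = cmd.lower()
        if img in ("w32tm", "w32tm.exe") and "/config" in low and "/manualpeerlist:" in low:
            hits.append(("w32tm_manual_peerlist", cmd))
        elif img in ("netsh", "netsh.exe") and "firewall" in low \
                and "allowedprogram" in low and _WINDIR_EXE.search(cmd):
            hits.append(("firewall_exception_for_windir_exe", cmd))
    return hits


def triage(reg_text, cmd_lines):
    """Correlate a Run entry in the Windows directory with a firewall exception
    for the same executable; that pairing is the pattern described above."""
    run_hits = check_run_key_export(reg_text)
    cmd_hits = check_command_lines(cmd_lines)
    excepted = {_WINDIR_EXE.search(c).group(0).lower()
                for k, c in cmd_hits if k == "firewall_exception_for_windir_exe"}
    correlated = [(n, p) for n, p in run_hits if p.lower() in excepted]
    return {"run_key_hits": run_hits, "command_hits": cmd_hits,
            "correlated": correlated, "likely_peed": bool(correlated)}


# Constructed .reg export of the Run key (one benign entry, one in %windows%).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"msserv"="C:\\Windows\\msserv.exe"
"""
# Constructed process command lines, as a process-creation log would record them.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\svchost.exe -k netsvcs",
    r"w32tm.exe /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov",
    r"w32tm.exe /config /update",
    r"netsh firewall set allowedprogram C:\Windows\msserv.exe",
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -new-window',
]

if __name__ == "__main__":
    for key, val in triage(SAMPLE_REG, SAMPLE_CMDLINES).items():
        print(key, val)
```

The w32tm call alone is a weak indicator (administrators run it too), which is why the verdict keys on the Run entry plus the firewall exception for the same %windows% executable; the clock sync is reported separately so it can be weighed as context.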

As of now Linux is still safe because it takes more work to make viruses, trojans and malware for it compared to Win32 malware, viruses and trojans.
