
Re: Strange segmentation faults and Zombies



On Thu, Sep 18, 2003 at 07:20:08PM +0200, Javier Fernández-Sanguino Peña wrote:
> > www.slacks.hpg.ig.com.br/bin/rh  Infection: Unix/Osf.A
> 
> This is an exploit for an OpenSSL bug.
> 
> > www.slacks.hpg.ig.com.br/bin/mass  Infection: Unix/Osf.A
> 
> This is a 'massive' scanner
> 
> > www.slacks.hpg.ig.com.br/bin/co1  Infection: Unix/Osf.A
> 
> This is another OpenSSL exploit (written in Portuguese)
> 
> > www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/makesalt  Infection: 
> > Unix/Osf.A
> > www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/psybnc  Infection: 
> > Unix/Osf.A 
> 
> Both of these are programs to set up IRC daemons and relays IIRC. See:
> http://www.honeynet.org/scans/scan28/
> 
> > 
> > But AFAIK none of these viruses is able to get root rights, so the attacker 
> > must have got root rights before.
> 
> Well, they are not viruses themselves. The fact that f-prot labels them as
> such is that they usually are part of some massrooter, worm or trojan, but
> they can be (and are) used independently.

Be careful!
These files are really infected and will infect other ELF binaries if
you execute them (and if user rights allow it). 
I've done replication tests for all of them to confirm this.

Michel


PS: Non-viral malware is usually reported differently by f-prot 
    (e.g. as "is a security risk or a backdoor program")
-- 
Michel Messerschmidt           lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg


