OpenBCM V1.13 (Linux)

Packet Radio Mailbox

DB0FHN

[JN59NK Nuernberg]

 Login: GUEST





  
M1CUK  > INFO     21.09.02 18:33l 88 Lines 4000 Bytes #999 (0) @ WW
BID : 5F1924M1CUK
Read: DB0FHN GUEST
Subj: Linux Virus Update..
Path: DB0FHN<DB0ZWI<DB0HDF<DB0ERF<DB0FBB<DB0GOS<ON0AR<ON0AR<GB7FCR
Sent: 020921/1605Z @:GB7FCR.#16.GBR.EU #:16939 [Blackpool] FBB-7.03a $:5F1924M1
From: M1CUK@GB7FCR.#16.GBR.EU
To  : INFO@WW


*********************************************************************
New Linux Worm - ELF_SLAPPER.A (Low Risk)

************************************************************************

This Linux worm launches a distributed denial of service (DDoS) attack. It
uses the User Data Protocol (UDP) to execute the attack, and takes
advantage of a buffer overflow vulnerability in OpenSSL 0.9.6d,
0.9.7-beta2 and earlier versions. UDP is a protocol that allows
connections even to unstable machines, since it does not require error
checking.

Upon execution, it connects to a remote machine using the UDP protocol on
a specified port. It allows remote users to execute arbitrary code via a
large client master key in SSL2 or a large session ID in SSL3. This
exploit appears to determine how this worm attacks a host based on the
information returned by the server on itself and its version. 

This worm links by providing each machine with a list of available
machines. Using a technique called broadcast segmentation combined with
TCP-like functionality, this worm ensures that another machine on the
network receives the broadcast packet, which it then segments again.
Thereafter, it recreates the packet and sends it to other hosts. 

This worm attempts to connect to Port 80. Once connected, it sends an
invalid GET request to a server to identify whether the machine is an
Apache system. Once it finds an Apache system, it attempts to connect to
port 443 and sends the exploit code to the listening SSL service on the
remote system. 

It arrives on the target system as a source code with the filename
".bugtraq.c". It uses a Linux shell code exploit that runs only on Intel
systems. In order for the code to execute properly, it requires the
presence of the shell command /bin/sh. It recompiles itself on each new
system. The binary code generated after compilation is executed with an IP
address as a parameter. This IP address is the address of the attacking
machine and is used to create a network of worm infected systems, which
would launch the distributed denial of service attack. 

If you would like to scan your computer for ELF_SLAPPER.A or thousands of
other worms, viruses, Trojans and malicious code, visit HouseCall, Trend
Micro's FREE online virus scanner at: http://housecall.antivirus.com/
        ****
------------------------------------------------------------------------
10 Most Prevalent In-the-Wild Malware Surveyed by Trend Micro US 
(week of: September 9, 2002 to September 15, 2002)
------------------------------------------------------------------------

1. WORM_KLEZ.H
2. PE_MAGISTR.B
3. JS_EXCEPTION.GEN
4. JS_NOCLOSE.E
5. BKDR_SUB7.22A
6. WORM_YAHA.E
7. VBS_LOVELETTR.AS
8. TROJ_ULTIMAX.B
9. JS_NOCLOSE.A
10. WORM_DATOM.A

------------------------------------------------------------------------
Current Virus Trends - A Few New Faces
------------------------------------------------------------------------

WORM_KLEZ.H is still the major threat concerning Trend Micro users, as it
remains on track to be the top virus of the year 2002. Some users report
concerns over HTML-based malware such as JS_NOCLOSE and JS_EXCEPTION which
are associated with browsing disreputable commercial Web sites. Last
week's WORM_CHET.A virus grabbed news coverage due to its connection with
the events of last September 11th, but had no impact on users as it was
crippled by coding flaws which largely prevented its spread. The
ELF_SLAPPER.A Internet worm emerged on Friday the 13th as potentially
serious malware, but incidents are limited as it targets only Web servers
running Linux. 

-------------------------------------------------------------------------

73's 
   Trev, m1cuk@gb7fcr.#16.gbr.eu
   SysOp gb7fcr
   ax25 - tcp/ip - telnet - axip - RF & Internet Linked System's
   Located in Blackpool, Lancashire, On the North West Coast of the UK	
   Message timed: 17:07 on 21 Sep 02
   Message sent using WinPack-Telnet V6.80


Read previous mail | Read next mail


 08.07.2026 20:19:45lGo back Go up