Bugtraq mailing list archives
Re: r00t advisory -- Sunny Day Virus
From: eric () sendmail org (Eric Allman)
Date: Mon, 26 Aug 1996 17:43:02 -0700
I've been discussing this with others, notably Casper Dik. As near as we can tell, this is a human engineering attack. If anyone has any information to the contrary, I would like to hear it.

eric

============= In Reply To: ===========================================

: From: Jared Mauch <jared () wolverine hq cic net>
: Subject: Re: r00t advisory -- Sunny Day Virus
: Date: Mon, 26 Aug 1996 19:26:20 -0400 (EDT)
:
: This one can't be for real.
:
: If you downgrade to sendmail 8.6.9 or earlier, you are opening
: yourself to a more broad variety of hacks that can be made against your
: system.
:
: I would not do it. Certainly if it is possible, I'd like to see
: how it does it, but due to the syslog hole, later versions of sendmail
: do strict bounds checking. I can't see this being a security
: issue.
:
: - jared
:
: Gregory Hull graced my mailbox with this long sought knowledge:
: > r00t VIRUS advisory [ Sunny Day Virus ]
: >
: > -- Synopsis
: > This is the first known, widely distributed virus for SunOS/Solaris
: > machines running on SPARCstations and SPARC clones. The virus runs as root
: > and corrupts various critical kernel tables at seemingly random intervals.
: >
: > The virus is believed to enter machines through various holes in sendmail
: > version 8.6.9 + (including the 8.7.x line of sendmail). Once having entered
: > a system, the virus mutates as it infects each file.
: >
: > -- Detecting the virus
: > The virus does leave noticeable trails. At hourly intervals it will make a
: > random /usr/bin binary suid root. Upon each chmod 4755 it performs, the last
: > program it 4755'd will be restored to its original permissions.
: >
: > -- Removing the virus
: > r00t recommends a complete OS reinstallation.
: >
: > -- Preventing the virus
: > The virus can be prevented by downgrading to a version of sendmail older than
: > 8.6.9 or by not running sendmail at all. As far as we've detected so far, the
: > virus does not attempt to enter through any other remote services.
: >
: >
: > r00t -- giving it all away.
: >
: