Full Disclosure mailing list archives
Re: Possible First Crypto Virus Definitely Discovered!
From: "Billy B. Bilano" <mr.bill.bilano () email server unix bill bilano biz>
Date: Tue, 8 Jun 2004 12:05:14 -0500
Hi Harlan! Thanks for your reply... hard to make heads or tails of what you are saying though...
> Wouldn't it then be, by definition, a worm?
A worm or whatever you want to call it, that's cool. I just thought "virus" sounds more alarming than worm! Everybody has had a worm or two, but a virus is a tough cookie to crack!
> What information do you have to support this assumption?
Because it is attacking our web servers and it seems to have somehow gotten installed on our web servers at the same time! I don't know how it got in, but there is traffic going in and out of the servers on port 443 with an encrypted payload! I don't know what is answering on port 443 on the web servers, but for the life of me I can't find anything on them that looks like it's a virus or a worm or a troglodyte or anything!
> If this worm runs over SSL, as you say, then wouldn't you expect it to be encrypted?
Whatever ssl is, I don't know, but it's using the so-called "ssl" port on the web servers. I don't think it has anything to do with whatever ssl was back in the old days of UNIX. It has a lower port number and that means it's an older port! Probably from the 1970s! Besides, why should I see any encrypted traffic on any port other than SSH? I don't expect to see encryption on anything other than the SSH port 22 (which is a very old port).
> Regardless, there isn't any information in your post that clearly shows that this worm infects both Windows and Unix hosts. In fact, one thing that does seem clear in your post is that you haven't collected any information from the "infected" hosts, but rather all you've got so far is network traffic via Ethereal...and to be honest, any worm running over SSL is going to be encrypted...
But this port 443 is not SSH! Why should it be encrypted? And what is this "ssl" thing? I've been in IT for many years and I am now IT Director here at the bank... I would think that I would know what "ssl" would be. I don't think this worm has anything to do with whatever "ssl" is. Does anybody even still use ssl? That's probably why the hackers chose it.

P.S. Check out my bloglog, Harlan!

--------
Mr. Billy B. Bilano, MSCE, CCNA <http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html