Full Disclosure mailing list archives

Re: Possible First Crypto Virus Definitely Discovered!


From: "Billy B. Bilano" <mr.bill.bilano () email server unix bill bilano biz>
Date: Tue, 8 Jun 2004 12:05:14 -0500

Hi Harlan! Thanks for your reply... hard to make heads or tails of what you
are saying though...

> Wouldn't it then be, by definition, a worm?

A worm or whatever you want to call it, that's cool. I just thought "virus"
sounds more alarming than worm! Everybody has had a worm or two, but a virus
is a tough cookie to crack!


> What information do you have to support this
> assumption?

Because it is attacking our web servers and it seems to have somehow gotten
installed on our web servers at the same time! I don't know how it got in,
but there is traffic going in and out of the servers on port 443 with an
encrypted payload! I don't know what is answering on port 443 on the web
servers, but for the life of me I can't find anything on them that looks
like it's a virus or a worm or a troglodyte or anything!


> If this worm runs over SSL, as you say, then wouldn't
> you expect it to be encrypted?

Whatever ssl is, I don't know, but it's using the so-called "ssl" port on the
web servers. I don't think it has anything to do with whatever ssl was back
in the old days of UNIX. It has a lower port number and that means it's an
older port! Probably from the 1970s!

Besides, why should I see any encrypted traffic on any port other than SSH?
I don't expect to see encryption on anything other than the SSH port 22
(which is a very old port).


> Regardless, there isn't any information in your post
> that clearly shows that this worm infects both Windows
> and Unix hosts.  In fact, one thing that does seem
> clear in your post is that you haven't collected any
> information from the "infected" hosts, but rather all
> you've got so far is network traffic via
> Ethereal...and to be honest, any worm running over SSL
> is going to be encrypted...

But this port 443 is not SSH! Why should it be encrypted? And what is this
"ssl" thing? I've been in IT for many years and I am now IT Director here at
the bank... I would think that I would know what "ssl" would be. I don't
think this worm has anything to do with whatever "ssl" is. Does anybody even
still use ssl? That's probably why the hackers chose it.


P.S. Check out my bloglog, Harlan!

--------
Mr. Billy B. Bilano, MSCE, CCNA
<http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
