Network Security Focus-Virus

Re: ELF_SSHSCAN.A and ELF_PORTSCAN.A

Subject: Re: ELF_SSHSCAN.A and ELF_PORTSCAN.A
Date: Thu, 10 Nov 2005 20:47:32 -0500


On Wed, 9 Nov 2005, Doug Fox wrote:

-> Found two files, elf_sshscan.a and elf_portscan.a, compressed in a *.tgz file
-> on a Red Hat box.  Exported the file to a MS box, Trend Micro OfficeScan
-> detected them as viruses, but did not provide any information other than the
-> names in its knowledgebase.
-> 
-> Searched TM site, no information was available today.
-> 
-> Any information on these two viruses, such as how the virus got onto the
-> Red Hat box, etc. is appreciated.

That's not much to go on, but from what I've seen I'd say it's some form of an 
SSH scanning tool (there are several dozen popular system cracker's tools that 
pop up a lot nowadays) that has been infected with either of the linux viruses 
rst.linux.02 or osf.linux.01. Many tools of this nature that are available on 
numerous sites have been infected, probably with intention, with these 
viruses. Both are easy to detect and remove, once one is familiar with the 
virus. Viruses don't do well on linux, and these really need root access to do 
major damage (such as infecting files in /bin, /sbin, and the system path). 
I've seen several tools infected with RST used for scanning SSH servers 
w/brute force password attacks. Once I found RST attached to the old linux 
kernel ptrace root-exploit. Possibly the idea is to infect script-kiddies that 
use such tools (e.g., the joke's on them); I don't know.

As for route of attack, I'm betting on weak SSH passwords, and/or accounts 
that have long been forgotten that have unintentional SSH shell-level access, 
since you've referred to SSH scanning. The "ELF" in the name could suggest 
these are RST or OSF, or other ELF-infectors. There's really not that many 
true linux ELF infecting viruses in the wild right now. The only ones I've 
seen myself in the wild are the ones mentioned here. Of course, it's possible 
that they weren't viruses at all. Many times AV vendors term things that are 
non-viral as "viruses" (my personal favourite: linux "Dido", labeled a 
"virus", nothing more than assembly instructions to print a text message to 
the screen). If they are on a system, then that system has seemingly been 
compromised (unless its owner is studying viruses or something of that nature 
and placed them there). Usually an SSH scanner and a virus duo, as in the RST 
case, means that the system might have been doing some further scanning of 
its own; that is, the virus ran while someone was trying to scan with the tool 
that was infected with the virus, after having broken into the system and 
gained a shell.

During the height of the SSH scanning last year, my port 22 was being probed 
almost constantly, always it was someone trying to login as "root", "guest", 
"test". Later, they tried more colorful names which seemed to match up with 
whatever new SSH scanning tool Frsirt was releasing at the time. There's a 
good amount of info on the 'Net about SSH scanning, RST, and password 
brute-force attempts.

Other than that, old versions of (insert favourite application/server 
software) would be second. Red Hat, IMNSHO, is notorious for having a large 
percent of its user base running ancient systems (found a RHL 3 still online 
recently). Since RH doesn't follow the version numbers of the original source 
code, it's hard to tell just what is vuln. and what isn't. I've seen Openssl 
versions at 9.6 that are supposedly "up to date".

BTW, F-Prot makes a decent linux scanner that is free to use on personal 
workstations. It finds both linux & w32 malware, not only what I'd term 
official viruses.


jayjwa


-- 
   / /     __  __  __  __  __ __  __ mail me for my *
  / /__   / / /  \/ / / /_/ / \ \/ /  *  email address.
 /_____/ /_/ /_/\__/ /_____/  /_/\_\ ::[ATr2 RG 2005]::
-------------------------------------------------------
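The reply above points at weak SSH passwords and constant probing of port 22 with logins like "root", "guest" and "test" as the likely way in. The script below is an added example (not part of the thread or from its author) that shows how a defender would confirm that on the compromised box: it reads sshd log lines in the standard OpenSSH "Failed password" / "Accepted" format, counts failures per source address, and flags any password login that succeeded from a source that was brute-forcing just before it. The log lines, host names, usernames and addresses are constructed for the example; the threshold of five failures is an assumption, not a value from the post.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the thread). The guessed
# usernames "root", "guest" and "test" mirror the ones the poster reports.
SAMPLE_AUTH_LOG = """\
Nov 10 20:01:02 host sshd[2301]: Failed password for root from 10.0.0.5 port 40122 ssh2
Nov 10 20:01:04 host sshd[2303]: Failed password for invalid user guest from 10.0.0.5 port 40124 ssh2
Nov 10 20:01:05 host sshd[2305]: Failed password for invalid user test from 10.0.0.5 port 40126 ssh2
Nov 10 20:01:07 host sshd[2307]: Failed password for root from 10.0.0.5 port 40128 ssh2
Nov 10 20:01:09 host sshd[2309]: Failed password for root from 10.0.0.5 port 40130 ssh2
Nov 10 20:02:00 host sshd[2311]: Accepted publickey for alice from 192.168.1.20 port 51000 ssh2
Nov 10 20:03:15 host sshd[2313]: Failed password for bob from 192.168.1.21 port 51002 ssh2
Nov 10 20:04:00 host sshd[2315]: Accepted password for test from 10.0.0.5 port 40132 ssh2
"""

# OpenSSH message shapes; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def summarize(log_text):
    """Per-source failure counts and guessed usernames, plus all successful logins."""
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    accepted = []  # (source_ip, user, auth_method)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["count"] += 1
            failures[ip]["users"].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    return failures, accepted


def find_brute_force_sources(log_text, threshold=5):
    """Source addresses with at least `threshold` failed password attempts."""
    failures, _ = summarize(log_text)
    return sorted(ip for ip, f in failures.items() if f["count"] >= threshold)


def find_suspicious_logins(log_text, threshold=5):
    """Password logins that succeeded from a source that was brute-forcing:
    the 'weak password guessed' pattern the reply describes. Key-based logins
    are ignored because a guessing tool cannot produce them."""
    failures, accepted = summarize(log_text)
    return [(ip, user) for ip, user, method in accepted
            if method == "password" and failures[ip]["count"] >= threshold]


if __name__ == "__main__":
    fails, _ = summarize(SAMPLE_AUTH_LOG)
    for ip in find_brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"brute force from {ip}: {fails[ip]['count']} failures, "
              f"users tried: {sorted(fails[ip]['users'])}")
    for ip, user in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"password login for '{user}' from {ip} after brute force; "
              f"treat the account and host as compromised")
```

On a real system the text would come from /var/log/secure (Red Hat) or /var/log/auth.log rather than the embedded sample; a successful password login for a forgotten or generic account right after a burst of failures from the same address is the evidence that supports the "weak SSH password" theory over a software exploit.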
