From: security curmudgeon (jericho@attrition.org)
To: InfoSec News (isn@attrition.org)
Cc: errata submission (errata@attrition.org)
Date: Thu, 13 Sep 2001 01:41:15 -0600 (MDT)
Subject: Re: [ISN] Linux based Trojan gets a closer look
: http://www.vnunet.com/News/1125305
:
: By James Middleton
: 07-09-2001
:
: In light of the interest in the recently discovered Linux based Remote
: Shell Trojan, vnunet.com has uncovered more details of the worm's
: functionality in a bid to dispel any fear, uncertainty and doubt.
: The program displays some virus-like qualities such as
: self-replication via email. It also installs a backdoor in the
: infected host, listening on UDP port 5503 or higher.
After reading the page on the Qualys page and this article, I don't
understand the "self-replication via email" bit.
A user receives the infected file in e-mail, runs it, infects the machine
it was run on. At that point the machine is backdoored.
There is nothing to suggest that it spreads beyond that by its own
mechanism. Unless I am missing something or the wording is poor, it will
only spread if a user sends mail out voluntarily with the infected file as
an attachment.
If that is the case, this is no different than any of a thousand linux
trojans out there, and certainly nothing compared to codered.
: According to security firm Qualys, which claims discovery of the
: virus, it commonly arrives via binary email attachments or downloaded
: software.
:
: Qualys said that the proliferation of Linux servers on the internet
: mean that potentially, this virus could hit harder than Code Red, but
: only if executed by unwary users.
.. are the Qualys folks aware of how pathetic this sounds? Did their
marketeers run rampant on this?
