Billy B. Bilano wrote:
Salutations, amigos!
Bill Bilano here, reporting in from the front-lines! I've got some disturbing news that I've got to get some answers about while I share. I think we're about to come under full hacker attack at any second! And to those people that said us folks talking about crypto viruses were being chicken littles... let me tell you, the sky just fell! And it is HEAVY!
I was sitting at my desk doing more research on the OPENBSD virus I discovered last week. I was watching ethereal and monitoring the traffic coming in and out of the facility and I saw a ton of traffic coming straight for our web servers! The routers, firewalls, and intrusion detraction systems were not sounding the red alarms like they should have been (we'll get to THAT one later).
There appears to be a new virus in town and it's affecting Windows and UNIX web servers! I have not identified a pattern of infection yet but the virus is clearly advancing but it only affects web servers!
The virus works on port 443. It seems to accept inbound connections on that port as well and, presumably, awaits commands from some series of servers elsewhere. Perhaps taking orders? I also captured some of the traffic and attempted to analyze it, but it looks like -- you heard it here first, folks -- the payload is encrypted! Is this the first of a coming storm of crypto viruses we've all been eagerly fearing? (I have already sent a copy of the payload to the distributed.net people so they can try to use some of those wasting cycles to decipher it like they did the last one!)
I have taken the liberty of naming the virus already. I looked in etc/services and saw that this port is for something called "ssl", so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched thing!)
I called in our webmaster and showed him the data. He is either too stupid to know what's going on or he takes me for a fool. I got him in the conference room and showed him the printouts. He tried to convince me it was not a virus and just normal web traffic, but web traffic is on port 80! No fooling old Bill! LOL! So I told him to gather his stuff up and gave him his marching orders. I have no time for this kind of bull, what with the OPENBSD virus last week (still picking up the pieces there). He must have known I was on to him because he was just laughing on his way out the front door. He may have even been involved with the infection! Good riddance, chump!
At any rate, this is your heads up, folks! You heard it here first! Be on the lookout for this first, very nasty CRYPTO VIRUS!
P.S. I wonder if this virus was from a spam-gang?!
P.P.S. Check out my bloglog in my sig!
--------
Mr. Billy B. Bilano, MSCE, CCNA <http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
My "Foundation" verse:
Isa 54:17 No weapon that is formed against thee shall prosper; and every tongue that shall rise against thee in judgment thou shalt condemn. This is the heritage of the servants of the LORD, and their righteousness is of me, saith the LORD.
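The traffic described in the post (inbound connections on port 443 carrying an "encrypted payload") is what a TLS session looks like on the wire, and a triage step before declaring it malware is to check whether the first bytes form a valid TLS record and handshake. The following is an added example, not code from the post or the list: it parses a TLS record header, recognises a handshake ClientHello, and pulls out the Server Name Indication that precedes encryption. The ClientHello it parses is constructed inline by build_client_hello (zeroed client random, one cipher suite) purely as sample input; the extract_sni offsets follow the ClientHello layout in RFC 5246.

```python
"""Triage bytes captured on TCP/443: TLS handshake, or genuinely opaque data?"""
import struct
from typing import Optional

# TLS record content types and handshake message types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 16: "client_key_exchange"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def extract_sni(ch: bytes) -> Optional[str]:
    """Walk a ClientHello body and return the server_name extension value, if present."""
    i = 2 + 32                                   # skip client_version and client random
    if i >= len(ch):
        return None
    i += 1 + ch[i]                               # session_id (1-byte length prefix)
    if i + 2 > len(ch):
        return None
    i += 2 + int.from_bytes(ch[i:i + 2], "big")  # cipher_suites (2-byte length prefix)
    if i >= len(ch):
        return None
    i += 1 + ch[i]                               # compression_methods (1-byte length prefix)
    if i + 2 > len(ch):
        return None                              # no extensions block at all
    end = i + 2 + int.from_bytes(ch[i:i + 2], "big")
    i += 2
    while i + 4 <= min(end, len(ch)):
        etype = int.from_bytes(ch[i:i + 2], "big")
        elen = int.from_bytes(ch[i + 2:i + 4], "big")
        i += 4
        if etype == 0:                           # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = int.from_bytes(ch[i + 3:i + 5], "big")
            return ch[i + 5:i + 5 + name_len].decode("ascii", "replace")
        i += elen
    return None


def parse_tls_record(data: bytes) -> Optional[dict]:
    """Return a description of the first TLS record in data, or None if it is not TLS."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES or (version >> 8) != 3:
        return None                              # not a TLS record header
    body = data[5:5 + length]
    if len(body) < length:
        return None                              # truncated capture; do not guess
    rec = {"content_type": CONTENT_TYPES[ctype], "version": VERSIONS.get(version, hex(version)),
           "length": length}
    if ctype == 22 and len(body) >= 4:
        htype = body[0]
        hlen = int.from_bytes(body[1:4], "big")
        rec["handshake_type"] = HANDSHAKE_TYPES.get(htype, f"unknown({htype})")
        if htype == 1:
            rec["sni"] = extract_sni(body[4:4 + hlen])
    return rec


def classify(data: bytes) -> str:
    """One-line verdict an analyst can read off a capture."""
    rec = parse_tls_record(data)
    if rec is None:
        return "not a TLS record (opaque or truncated bytes)"
    if rec["content_type"] == "handshake":
        sni = rec.get("sni")
        return f"TLS handshake {rec['handshake_type']}" + (f" for {sni}" if sni else "")
    return f"TLS {rec['content_type']} ({rec['version']})"


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record as sample input (not captured traffic)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name            # name_type 0 = host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list        # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                       # version + zeroed random
            + b"\x00"                                                     # empty session_id
            + b"\x00\x02\xc0\x2f"                                         # one cipher suite
            + b"\x01\x00"                                                 # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs               # record type 22, version 3.1


if __name__ == "__main__":
    print(classify(build_client_hello("www.example.com")))
    print(classify(b"\x00" * 20))
```

Application data after the handshake is, by design, indistinguishable from random bytes, so the handshake and the SNI are the parts a packet capture can still confirm; a listener on 443 that never produces a parseable ServerHello is the case worth escalating, not one that does.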