ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #013 [A worm "condom" enclosed.] (1 message, 973 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/013.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Gene Spafford <spaf>
To: phage
Date: Thu 21:20:10 03/11/1988 EST
Subject: A worm "condom" enclosed.

First, I have created (at Steve Bellovin's suggestion) a mailing alias at arthur.cs.purdue.edu named "phage." You are all on it, unless you ask to be removed. I will also add other names if you ask.

Second, more info on what the worm does as an "end-game." If, after a lot of trying, it decides it cannot break into any more accounts or machines, it goes into a state where it tries to break the root password by brute force calculation. As of now, we don't yet know what it does if it succeeds -- it may just restart itself as root, or it may turn nasty.

Third, we have first-hand experience -- it will infect a Vax 8800 running ultrix as well as 7xx machines. An infected 8800 is an awesome engine of contagion. Thank heavens the worm didn't have a Symmetry component!!

Last, and perhaps most important, Kevin Braunsdorf & Rich Kulawiec (Purdue-CC) have come up with a "condom" to protect your machine against the CURRENT worm. They are not 100% sure it works, but it seems to be completely effective and it can't do any harm. As ROOT, do:

    mkdir /usr/tmp/sh
    chmod 111 /usr/tmp/sh

Then edit your rc.local file to recreate the directory in case of a reboot. This will not stop a current infection, but it will prevent any new ones from taking hold -- it prevents the worm from creating replicas.

More news as it happens,
--spaf
END OF DOCUMENT
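
The rc.local step from the message, as an added example that is not part of the original post: a function that recreates the directory with mode 111 at boot and reports an error if something other than a directory already occupies the path. `ensure_guard_dir` is a hypothetical helper name; the path and mode are the ones given in the message.

```shell
#!/bin/sh
# Added example, not from the original message.
# ensure_guard_dir is a hypothetical helper; call it from rc.local as
#   ensure_guard_dir /usr/tmp/sh
# so the directory from the message exists again after every reboot.

ensure_guard_dir() {
    dir=$1

    # A regular file or symlink at the path is reported, not replaced:
    # something else got there first and should be examined by hand.
    if [ -L "$dir" ] || { [ -e "$dir" ] && [ ! -d "$dir" ]; }; then
        echo "guard: $dir exists but is not a plain directory" >&2
        return 1
    fi

    # Create only when missing, so repeated boots are harmless.
    [ -d "$dir" ] || mkdir "$dir" || return 1

    # Mode 111 as in the message: search permission only, no read or write.
    chmod 111 "$dir" || return 1

    # Confirm the type and permission bits actually in effect.
    mode=$(ls -ld "$dir" | cut -c1-10)
    if [ "$mode" != "d--x--x--x" ]; then
        echo "guard: $dir has mode $mode, expected d--x--x--x" >&2
        return 1
    fi
    return 0
}

# When run directly with a path argument, apply the guard to that path.
[ "$#" -eq 0 ] || ensure_guard_dir "$1"
```
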
| ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved. |