ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #041 [Re: Steps in the virus, as best we know them (and fixes)] (1 message, 950 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/041.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: Theodore Ts'o <tytso@ATHENA.MIT.EDU>
To: phage
Date: Fri 15:36:13 04/11/1988 EST
Subject: Re: Steps in the virus, as best we know them (and fixes)
References:
[Thread Prev: 035]
[Thread Next: 211]
[Message Prev: 036]
[Message Next: 039]
Some programmers from SIPB, Project Athena, LCS, and the MIT Network group got together and made a concerted effort to disassemble the code all last night. We succeeded this morning in disassembling all of the virus. There are a few "fixes" and descriptions that have been floating around this list, which appear to be not fully correct, judging from our results.

1) Setting pleasequit=-1 does not necessarily stop the virus. Even with pleasequit=-1, at least one iteration of the virus propagation code will run. In addition, another variable must also be greater than 10 before the virus exits.

2) The ONLY attacks it does are the sendmail, finger, .rhosts (rsh and rexec), and password guessing. The password attacks involved checking if password==username, and a few other standard tests.

3) One of the things it does before it attacks a host is it connects to the telnet port and immediately closes it. Thus, "telnetd: ttloop: peer died" in /usr/adm/messages is a sign that the virus *attempted* an attack a second or two later.

4) The .o files are _not_ profiled. "mcount" is a red herring. What that region of data actually is is some of the strings that it wants to be kept secret XOR'ed with 0x81.

- Ted Ts'o
MIT Project Athena
END OF DOCUMENT
ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.