[3286] in bugtraq


Re: r00t advisory -- Sunny Day Virus

daemon@ATHENA.MIT.EDU (Eric Allman)
Mon Aug 26 22:10:05 1996

Date: 	Mon, 26 Aug 1996 17:43:02 -0700
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Eric Allman <eric@sendmail.org>
X-To:         Jared Mauch <jared@wolverine.hq.cic.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Mail from Jared Mauch <jared@wolverine.hq.cic.net> dated Mon, 26
              Aug 1996 19:26:20 EDT <199608262326.TAA21454@wolverine.hq.cic.net>

I've been discussing this with others, notably Casper Dik.  As near
as we can tell, this is a human engineering attack.  If anyone has
any information to the contrary, I would like to hear it.

eric


============= In Reply To: ===========================================
: From:  Jared Mauch <jared@wolverine.hq.cic.net>
: Subject:  Re: r00t advisory -- Sunny Day Virus
: Date:  Mon, 26 Aug 1996 19:26:20 -0400 (EDT)

:       This one can't be for real.
:
:       If you downgrade to sendmail 8.6.9 or earlier, you are opening
: yourself to a more broad variety of hacks that can be made against your
: system.
:
:       I would not do it.  Certainly if it is possible, I'd like to see
: how it does it, but due to the syslog hole, later versions of sendmail
: do strict bounds checking.  I can't see this being a security
: issue.
:
:       - jared
:
: Gregory Hull graced my mailbox with this long sought knowledge:
: > r00t VIRUS advisory                                     [ Sunny Day Virus ]
: >
: > -- Synopsis
: > This is the first known, widely distributed virus, for SunOS/Solaris
: > machines running on SPARCstations and SPARC clones.  The virus runs as root
: > and corrupts various critical kernel tables at seemingly random intervals.
: >
: > The virus is believed to enter machines through various holes in sendmail
: > version 8.6.9+ (including the 8.7.x line of sendmail).  Once having entered
: > a system the virus mutates as it infects each file.
: >
: > -- Detecting the virus
: > The virus does leave noticeable trails.  At hourly intervals it will make a
: > random /usr/bin binary suid root.  Upon each chmod 4755 it performs, the last
: > program it 4755'd will be restored to its original permissions.
: >
: > -- Removing the virus
: > r00t recommends a complete OS reinstallation.
: >
: > -- Preventing the virus
: > The virus can be prevented by downgrading to a version of sendmail older than
: > 8.6.9 or by not running sendmail at all.  As far as we've detected so far, the
: > virus does not attempt to enter through any other remote services.
: >
: >
: > r00t -- giving it all away.
: >
:

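The one concrete symptom the advisory claims, a different /usr/bin binary being
chmod 4755'd every hour, is something an administrator can check for directly
rather than downgrading sendmail on the strength of an unverified post. The
script below is an added example, not code from this thread, from r00t or from
sendmail: it records a baseline of setuid files under a directory and reports
any file that has gained or lost the bit since. It assumes only POSIX find,
sort, comm and mktemp; the directory and baseline file paths are parameters
supplied by the caller, and the demo tree it builds is constructed, not real
system data.

```shell
#!/bin/sh
# Added example (not part of the original bugtraq thread, not sendmail code).
# Audit the setuid bit under a directory: take a baseline, then report any
# file that gained or lost the bit. The advisory above claims a random
# /usr/bin binary is chmod 4755'd every hour; this is the check that would
# verify or refute that claim on a real host. Requires POSIX find/sort/comm.

# list_setuid DIR: sorted list of regular files under DIR with the setuid bit
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# save_baseline DIR BASEFILE: record the current setuid inventory
save_baseline() {
    list_setuid "$1" > "$2"
}

# check_setuid DIR BASEFILE: print "+path" for files that gained the setuid
# bit since the baseline and "-path" for files that lost it. Returns 0 when
# nothing changed, 1 when anything did (so it can drive a cron alert).
check_setuid() {
    _dir=$1
    _base=$2
    _cur=$(mktemp) || return 2
    list_setuid "$_dir" > "$_cur"
    # comm needs both inputs sorted the same way; both come from list_setuid
    LC_ALL=C comm -13 "$_base" "$_cur" | sed 's/^/+/'
    LC_ALL=C comm -23 "$_base" "$_cur" | sed 's/^/-/'
    _changed=$(LC_ALL=C comm -3 "$_base" "$_cur" | wc -l | tr -d ' ')
    rm -f "$_cur"
    [ "$_changed" -eq 0 ]
}

# demo_sunny_day: build a constructed tree in a temp dir (hypothetical, not a
# real /usr/bin), simulate the claimed behaviour (one binary made 4755, then
# restored while another is set), and show what the check reports each time.
demo_sunny_day() {
    _d=$(mktemp -d) || return 2
    _b=$(mktemp) || return 2
    mkdir "$_d/bin"
    for f in cat ls vi; do
        printf '#!/bin/sh\nexit 0\n' > "$_d/bin/$f"
        chmod 0755 "$_d/bin/$f"
    done
    save_baseline "$_d/bin" "$_b"
    echo "first hour (ls made setuid):"
    chmod 4755 "$_d/bin/ls"
    check_setuid "$_d/bin" "$_b" || echo "(change detected, exit status 1)"
    echo "second hour (ls restored, vi made setuid):"
    chmod 0755 "$_d/bin/ls"
    chmod 4755 "$_d/bin/vi"
    check_setuid "$_d/bin" "$_b" || echo "(change detected, exit status 1)"
    rm -rf "$_d" "$_b"
}

if [ "${1:-}" = demo ]; then
    demo_sunny_day
fi
```

Run it once as "save_baseline /usr/bin /var/audit/setuid.base" on a known-clean
host, then "check_setuid /usr/bin /var/audit/setuid.base" from cron; keep the
baseline somewhere the audited system cannot rewrite. Because the check diffs
against a stored inventory rather than a fixed list of names, it also catches
the "restore the last one" step the advisory describes, which would otherwise
make a point-in-time listing look clean.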