
List:       bugtraq
Subject:    Re: r00t advisory -- Sunny Day Virus
From:       Eric Allman <eric () sendmail ! org>
Date:       1996-08-26 17:43:02

I've been discussing this with others, notably Casper Dik.  As near
as we can tell, this is a human engineering attack.  If anyone has
any information to the contrary, I would like to hear it.

eric


============= In Reply To: ===========================================
: From:  Jared Mauch <jared@wolverine.hq.cic.net>
: Subject:  Re: r00t advisory -- Sunny Day Virus
: Date:  Mon, 26 Aug 1996 19:26:20 -0400 (EDT)

:       This one can't be for real.
:
:       If you downgrade to sendmail 8.6.9 or earlier, you are opening
: yourself to a more broad variety of hacks that can be made against your
: system.
:
:       I would not do it.  Certainly if it is possible, I'd like to see
: how it does it, but due to the syslog hole, later versions of sendmail
: do strict bounds checking.  I can't see this being a security
: issue.
:
:       - jared
:
: Gregory Hull graced my mailbox with this long sought knowledge:
: > r00t VIRUS advisory                                     [ Sunny Day Virus ]
: >
: > -- Synopsis
: > This is the first known, widely distributed virus, for SunOS/Solaris
: > machines running on SPARCstations and SPARC clones.  The virus runs as root
: > and corrupts various critical kernel tables at seemingly random intervals.
: >
: > The virus is believed to enter machines through various holes in sendmail's
: > version 8.6.9 + (Including the 8.7.x line of sendmail).  Once having entered
: > a system the virus mutates as it infects each file.
: >
: > -- Detecting the virus
: > The virus does leave noticeable trails.  At hourly intervals it will make a
: > random /usr/bin binary suid root.  Upon each chmod 4755 it performs the last
: > program it 4755'd will be restored to its original permissions.
: >
: > -- Removing the virus
: > r00t recommends a complete OS reinstallation.
: >
: > -- Preventing the virus
: > The virus can be prevented by downgrading to a version of sendmail older than
: > 8.6.9 or by not running sendmail at all.  As far as we've detected so far, the
: > virus does not attempt to enter through any other remote services.
: >
: >
: > r00t -- giving it all away.
: >
:

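The advisory's only concrete, checkable claim is that a random /usr/bin binary is made set-uid root every hour. Rather than downgrading sendmail on that basis, an administrator can verify the claim directly by baselining the set-uid files and re-checking on a schedule. The script below is an added example for this thread, not code from any of the posters or from sendmail; the directory and baseline paths are assumptions.

```shell
#!/bin/sh
# Added example: baseline the set-uid files under a directory and report any
# that have appeared since.  If the advisory were true, a run scheduled hourly
# (e.g. from cron) against /usr/bin would show a newly 4755'd file each time.
# The paths used here are assumptions, not values from the advisory.

# Print the set-uid files below directory $1, one per line, sorted
# (comm(1) requires sorted input).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Save the current set-uid list for directory $1 into baseline file $2.
save_baseline() {
    list_setuid "$1" > "$2"
}

# Print set-uid files under $1 that are not recorded in baseline $2.
# Returns 1 if any new set-uid file is found, 0 if the list is unchanged.
check_new_setuid() {
    new=$(list_setuid "$1" | comm -13 "$2" -)
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Usage (assumed paths):
#   save_baseline /usr/bin /var/tmp/setuid.baseline     # once, on a known-good host
#   check_new_setuid /usr/bin /var/tmp/setuid.baseline  # hourly; nonzero exit = new suid file
```

A permanent answer to the same question is a file-integrity baseline that also covers ownership and checksums, since a set-uid bit is only one of the changes an intruder could make.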