Security Notice

Beginning on 6 May 2002, a Linux-specific malware was introduced to honeynet.edu. This program has been analyzed with the following results:

This binary is capable of providing remote execution with full administrator privilege to the attacker who places it on a target system. As such, if you think your systems may have been compromised with this malware, you should take steps to effect cleanup (see http://www.cert.org). Further detail on the specifics of this malware can be found at: advisory.html.

This binary is only known to affect Linux systems. It could be introduced to a Linux system by shellcode or another network attack, or by social engineering. The principal vulnerable systems would be Linux hosts running insecure or outdated software as root. It is also possible that a local administrator could be tricked into running the binary.

This program is presently NOT expected to propagate in a virulent manner, and we do not have current concern for a widespread outbreak. However, any system which has been successfully infected may be used by an intruder to propagate other attacks.

Recommendations

We are advising that any infected systems be addressed immediately using standard recovery and analysis procedures.

Based on the network connection methods employed by this malware, we would strongly advise that any organization which finds it has been penetrated with this binary review its infrastructure and ISP connection access security.

Author / contact

Forrest Whitcher 31 May, 2002 fw_sec@fwsystems.com

Copyright © 2002 FW Systems LLC, All Rights Reserved