
BSD/Block.worm

Type
Virus
SubType
Exploit
Discovery Date
09/23/2002
Length
9100
Minimum DAT
4227 (10/02/2002)
Updated DAT
4227 (10/02/2002)
Minimum Engine
5.1.00
Description Added
09/19/2003
Description Modified
09/19/2003 8:18 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low


Characteristics

BSD/Block.worm makes use of a FreeBSD Apache exploit. Because Unix binary malware is usually highly dependent on the OS, flavor and kernel version, the malware is initially distributed as ".c" source code rather than as a compiled binary.

The malware source file, originally called .blackhole.c (the name may vary), 9100 bytes, is placed in the /tmp directory and compiled on the local system into an ELF binary. The exact size and contents of the compiled binary vary with the build environment.

Running the binary against a target IP address gives the attacker a shell on port 30464 of the compromised host. This shell does not grant root: a separate exploit or rootkit is needed to escalate privileges. Port 30464 is only the default; since the .c source was distributed, the port number can be changed easily, so a clean check on that port alone does not rule out a compromise.

As a side note, source-code exploits similar to this one are sometimes distributed through security-related mailing lists. If a detection for BSD/Block.worm or a variant is triggered, submit the sample for further analysis.

Symptoms

-Presence of a malicious file /tmp/.blackhole.c

-Presence of a malicious file /tmp/.blackhole

-Unusual traffic on port 30464

-Compromised Apache systems.
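As an added example that is not part of the original description, the following POSIX shell functions check a host for the symptoms listed above: the default dropper paths, any other compiled ELF binary under /tmp (the description notes the name may vary), and a listener on port 30464 in a socket listing. The paths and port are the defaults given above and are assumptions in the sense that an attacker who rebuilt from source may have changed them, so a clean result does not prove the host is clean. The socket listing is read from stdin so the same function works with `sockstat -4l` on FreeBSD or `netstat -an` on Linux.

```shell
#!/bin/sh
# Added example: host-side checks for the BSD/Block.worm indicators named in the description.
# Not from the original page. Assumes the default names /tmp/.blackhole.c, /tmp/.blackhole
# and port 30464; an attacker who rebuilt from source may have changed all three.

# block_worm_file_indicators [BASE]
# Looks under BASE (default "" = the real root) for the dropper source, the compiled dropper,
# and any other ELF binary in tmp. Prints each hit; returns 0 if anything was found, 1 otherwise.
block_worm_file_indicators() {
    base="${1:-}"
    found=1
    for f in "$base/tmp/.blackhole.c" "$base/tmp/.blackhole"; do
        if [ -e "$f" ]; then
            echo "INDICATOR: $f"
            found=0
        fi
    done
    # The file name may vary, so also flag any ELF binary in tmp (magic 7f 45 4c 46),
    # including dotfiles, which "*" alone would skip.
    for f in "$base"/tmp/* "$base"/tmp/.[!.]*; do
        [ -f "$f" ] || continue
        case "$f" in
            */.blackhole|*/.blackhole.c) continue ;;   # already reported above
        esac
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "7f454c46" ]; then
            echo "ELF in tmp: $f"
            found=0
        fi
    done
    return "$found"
}

# block_worm_port_indicators [PORT]
# Reads a socket listing on stdin (sockstat -4l on FreeBSD, netstat -an on Linux or BSD)
# and prints lines that mention PORT (default 30464) as a local or remote port, matching
# both the "*.30464" and "0.0.0.0:30464" address styles.
# Returns 0 if any line matched, 1 otherwise (grep's exit status).
block_worm_port_indicators() {
    port="${1:-30464}"
    grep -E "[.:]${port}([[:space:]]|$)"
}

# Usage on a live host as root (commented out so the file can be sourced for testing):
# block_worm_file_indicators
# if command -v sockstat >/dev/null 2>&1; then sockstat -4l; else netstat -an; fi \
#     | block_worm_port_indicators
```

Both functions only report what they find; they do not delete anything. Treat any hit as a reason to take the host offline and follow the Removal section, since the description states that a second, separate rootkit is typically used once the shell is obtained.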

Method of Infection

Apache systems are accessed remotely and the .blackhole.c file is dropped into the /tmp directory, after which it is compiled and the resulting binary is run locally. Note that a separate rootkit, not included with this malware, is necessary to obtain root access.

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links:

Caldera

Debian

FreeBSD

Redhat

Sun

SuSe

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Worm.FreeBSD.Block (Kaspersky)
  • WORM_FREEBSD.A (Trend)
