
BSD/OpenSSH.src

Type: Trojan
SubType: Remote Access
Discovery Date: 08/02/2002
Length:
Minimum DAT: 4217 (08/07/2002)
Updated DAT: 4217 (08/07/2002)
Minimum Engine: 5.1.00
Description Added: 09/10/2002
Description Modified: 09/10/2002 4:00 AM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low

Characteristics

The driver for BSD/OpenSSH.src was added to DAT 4217 to protect against a hacked/compromised OpenBSD OpenSSH 3.4 (openssh3-4) source package that included the source for a remote access trojan.

The compromised "bf-test.c" file could be compiled silently by a makefile into a shell script, named for example "bf-output.sh". That shell script embeds C code and tries to compile it with gcc and run the result. Once running, it attempts to connect to a specific IP address (belonging to an ordinary website) in Australia and tries to start a remote access shell.

The malicious code was posted as source code to several web sites and is not known to be in use in the field at this time. The source code was also sent to certain security-related mailing lists.

Symptoms

Method of Infection

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links:

Caldera

Debian

FreeBSD

Redhat

Sun

SuSe

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
