Exploit.Linux.SSHD22
Description Exploit.Linux.SSHD22
Under the SSHD22 name, KAV detects a couple of tools widely used on the Internet by hackers to compromise systems vulnerable to the security flaw known as the "SSH CRC-32 compensation attack". Initially reported in October 2001 (for details you may check the CERT advisory 2001-35 at http://www.cert.org/advisories/CA-2001-35.html), this form of attack is still one of the most prevalent forms of exploits used on the Internet. Given the high level of compromise from this exploit, it is recommended to update every vulnerable version (for a version list, please check the CERT advisory) to the latest release.

Technical details:

Multiple versions of this tool are known, but most of them share the same base code that performs the attack. An interesting detail: the specific offsets and addresses needed to exploit the various SSH versions are stored in an external file to which additional data can be added. A special tool that can be used to extract the specific exploit offsets is also included in the distribution of the attack kit, making it relatively easy to increase the target base of the exploit.

Some versions of the tool are encrypted with passwords, possibly to prevent misuse. When run, they require the user to first enter a password (for instance, the so-called "x2" variant). After a correct password is provided, the tool presents the user with a list of options, of which the most important one is the vulnerable version to try: the exploitation tool is unable to determine for itself the version of the vulnerable SSH daemon running on the remote machine. After the address of the remote machine and the version to exploit are provided, the tool connects to the SSH daemon and initiates a session login attempt.

During the attack it is common for the SSH daemon to crash or stall, logging messages of the following form in "/var/log/messages":

sshd[14211]: Disconnecting: Corrupted check bytes on input.
sshd[14230]: Disconnecting: crc32 compensation attack: network attack detected

As a successful attack with this tool is usually followed by the installation of a rootkit or backdoor, it is important to perform a full scan of the system after a compromise has been detected and, if available, to check the integrity of the system binaries, which might have been replaced with trojanized versions.
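The two sshd messages quoted above can be searched for in syslog output. The following Python sketch is an added example, not part of the original description or of any vendor tool. It assumes the classic "Mon DD HH:MM:SS host sshd[pid]: message" syslog layout; the host names, timestamps, year and burst threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# The two sshd messages quoted in the description above.
INDICATORS = {
    "Corrupted check bytes on input": "corrupted-check-bytes",
    "crc32 compensation attack: network attack detected": "crc32-attack-detected",
}
# Assumed classic syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: Disconnecting: (?P<msg>.*)$"
)

def find_events(lines, year=2002):
    """Return sorted (time, host, pid, label) tuples for indicator lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for needle, label in INDICATORS.items():
            if needle in m["msg"]:
                # syslog omits the year; the caller supplies it (assumption)
                when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((when, m["host"], int(m["pid"]), label))
    return sorted(events)

def bursts(events, window=timedelta(minutes=5), threshold=2):
    """Map host -> largest count of indicator events inside one window."""
    by_host, flagged = {}, {}
    for when, host, _pid, _label in events:
        by_host.setdefault(host, []).append(when)
    for host, times in by_host.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                flagged[host] = max(flagged.get(host, 0), n)
    return flagged

# Constructed sample input; only the two sshd message texts come from the page.
SAMPLE = [
    "Jan 12 03:14:07 web1 sshd[14211]: Disconnecting: Corrupted check bytes on input.",
    "Jan 12 03:14:52 web1 sshd[14230]: Disconnecting: crc32 compensation attack: network attack detected",
    "Jan 12 03:20:00 web1 sshd[14301]: Accepted password for alice from 192.0.2.10 port 4022",
    "Jan 12 09:00:00 db1 sshd[901]: Disconnecting: Corrupted check bytes on input.",
]
```

A host returned by bursts() logged several of these messages close together and is a candidate for the full scan and binary integrity check recommended above.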
Chill.544
Description Chill.544
It is a dangerous, memory-resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are accessed. It formats hard drive sectors. It contains the internal text string: [CHiLL TOUCH] You cannot touch these phantoms
Chimp
Description Chimp
It is a non-dangerous, memory-resident, encrypted stealth boot virus. It hooks INT 13h and writes itself to the MBR sector on the hard drive and to the boot sectors of floppy disks that are accessed. The virus resides in memory in the DOS interrupt vector table. The virus does not manifest itself in any way.