A typical specimen of Unix-oriented Trojans is TROJ_IRCKILL – a Trojan that
consists of a set of software tools used to disconnect users from IRC channels.
This set includes four utilities used for attacks: FLOOD, MCB (Multiple Collide
BOTs), SUMO BOTs, and FLASH – a special type of "flood" used in the Linux
environment.
The FLASH attack is used to disconnect the victim's modem directly: a ping
command is sent to a certain IP address carrying "incorrect" data arranged in a
certain sequence. The victim's modem interprets this data as a hang-up
command and drops the connection. However, this kind of attack does not work
with all modem types.
The MCB attack is carried out via the IRC channels. While the IRC servers are
unable to synchronize with each other (a net split), the Trojan program
registers a duplicate of the user's nickname. After synchronization between the
IRC servers is restored, the colliding nickname is considered invalid and the
user is disconnected from the IRC channel.
The FLOOD BOTS/SUMO BOTS attack is also used in the IRC network. It
generates numerous users with random nicknames, which flood the IRC channel
or the individual user participating in the chat until that user's computer
reaches a certain bandwidth limit. This user is then also disconnected from the
IRC channel.
Root kit – This is a program package used by the intruder to obtain root
access to the remote computer. It works through standard Unix programs such as
`ps` and `ls`. The only reliable method of recovering a server after it has
been compromised with a Root kit is to restore critical data from the backup
(which should be created periodically), erase the hard disk, and reinstall the
system.
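Because a Root kit works through `ps` and `ls`, a defender's first check is whether those binaries still match a baseline taken from a known-clean installation. The following script is an added example, not code from the manual or from Kaspersky; the directory, file contents and the "trojaned ps" scenario are constructed for the demonstration.

```python
# Added example (not from the manual): integrity baseline for the binaries a
# rootkit typically swaps out. Keep the baseline off-box or on read-only media
# and run the check from trusted media: a kernel-level rootkit can hand the
# checker a clean copy of a file it has replaced.
import hashlib
import tempfile
from pathlib import Path

# Binaries the page names as rootkit targets; extend with the rest of the
# trusted toolchain in practice.
WATCHED = ["ps", "ls"]

def fingerprint(path: Path) -> dict:
    """Hash plus the metadata a crude replacement usually disturbs."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),
    }

def build_baseline(bindir: Path, names=WATCHED) -> dict:
    """Record fingerprints for each watched binary found under bindir."""
    return {n: fingerprint(bindir / n) for n in names if (bindir / n).exists()}

def verify(bindir: Path, baseline: dict) -> dict:
    """Classify each baselined binary as ok, modified or missing."""
    report = {"ok": [], "modified": [], "missing": []}
    for name, expected in baseline.items():
        path = bindir / name
        if not path.exists():
            report["missing"].append(name)
        elif fingerprint(path) != expected:  # hash catches size-preserving swaps
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report

def demo() -> dict:
    """Constructed scenario: clean install baselined, then ps is trojaned."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp)
        for n in WATCHED:
            (bindir / n).write_bytes(b"#!/bin/sh\necho clean " + n.encode() + b"\n")
        baseline = build_baseline(bindir)
        (bindir / "ps").write_bytes(b"#!/bin/sh\necho trojaned\n")  # simulated swap
        return verify(bindir, baseline)
```

A matching report for a real host only means the files on disk are unchanged; it does not clear a kernel-level rootkit, which is why the manual's advice to restore from backup and reinstall stands.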
B.3. Internet worms
Malicious programs of this group do not add themselves to executable objects,
but copy themselves to network resources. The group was given this name
because of the worms' capability to crawl across networks and other data
channels. They penetrate the computer's memory from the network, detect the
network addresses of other computers, and send their own copies to these
addresses. Sometimes, specimens of this group create working files on the
system disks, but sometimes they do not use the computer's resources at all
(except for the RAM).
Worm.Linux.Ramen – The first worm known to infect systems running RedHat
Linux. It infects remote Linux systems (RedHat Linux) by exploiting a buffer
overflow vulnerability. This "loophole" in the software allows a piece of
executable code to be sent to a remote computer and executed there without
the administrator's (or the user's) knowledge.
Kaspersky Anti-Virus for Unix Mail Servers