jump to navigation

Evil Computer Virus May 7, 2009

Posted by gordonwatts in computers.

Ugh. I hate computer viruses. I hate them because they make me do extra work. I don’t like the work much because I don’t think of it as interesting – why spend my time programming security fixes when I could be trying to search for the Higgs or something similar to that. However, it must be done.

Up until very recently I’d always thought that putting a set of machines behind a firewall, and not letting anything through that firewall, was a great way to secure them. Since an attacker from the outside couldn’t penetrate, you’d be safe, right? A random port-scan of a computer behind the firewall will just turn up a “no one home” answer because the firewall will block it. This makes security a lot simpler.

Until the Phalanx2 virus came along. Actually, virus is the wrong word here. It is really a Trojan horse. Or perhaps a combination of a Trojan horse and a virus. It is insidious. Most viruses break into a computer and then start scanning for any other computer near by that might vulnerable, break into that computer, and then repeat. As a result they can spread very very fast. However, the firewall I mentioned above totally defeats them. They try to scan a machine behind a firewall and… well, the firewall blocks them. So those machines are safe.

But us humans have a way to get to those machines behind the firewall. We have a special set of encrypted commands that we execute that will poke a small hole through the firewall and allow us to access these machines. I use this technique all the time to access computers at Fermilab and CERN. It allows me to help maintain the data acquisition system at DZERO, for example.

And this is where Phalanx2 is clever. Once it gets onto a machine it watches for me to make these very types of connections, memorizes the keystrokes I used to make them, and then later, perhaps while I sleep, it will repeat the same actions and gain access to that machine behind the firewall. It then uses a bug in the Linux kernel to worm its way into the system and set up shop. Ops! Infected machine behind the firewall!!

The upshot is it is suddenly as important to keep those machines behind the firewall as up-to-date and patched as the machines that are outside on the internet. This is more work. A lot more work. And, frankly, it isn’t very interesting work. 😦 Bastard virus writers.



1. Mefisto - May 7, 2009

Do you know what kind of bug of the linux kernel it takes advantage from? Im really interested in this. Thanks

2. Gordon Watts - May 7, 2009

I don’t, actually. But I do know that the latest kernel updates patch it. It is the normal thing: keep your computers as patched as possible, no matter what OS you are running.

BTW, my impression is that the payload can be changed at any time, so while this bug might get fixed, a new one will be found and the virus will be updated.

3. Mefisto - May 8, 2009

Hmm, I can only think of the vmsplice bug, can you please tell me what version of the kernel you were using on the affected machine(s)? thanks.

4. Gordon Watts - May 8, 2009

I can’t, actually (security). But I know that the latst in the 2.4 series (56) fixes the hole. I have no idea what the name of the kernel bug is. I do not know if that is the very first version that fixes the bug.

5. Gordon Watts - May 8, 2009

Look at this advisory for reference: http://dickmorrell.wordpress.com/2008/08/27/phalanx2-rootkit-circulates/ it sounds like it uses a bunch of different root exploits – so it is just updated with the latest ones on the market or similar (the blog above has a copy of the CERT posting).

6. amanpreet - May 10, 2009

my computer east virous problam please load the virous

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: