August 9th, 2005 02:14 PM
ELF_GMON.A mostly not detected
Let me write about :
Ive been going across this elf infector (linux) virus GMON.A a few times now(as you can notice its a quite old virus), when checking crashed servers here and there. This virus from what i know of it is infecting the whole /bin /sbin /usr/bin/ whatever contains elf binaries to have them when executed to fork() and open some kind of connection.
But mostly after days of infections GMON.A infects some various very usefull commands for the systems such as mount or whatever, which sometimes react not nicely to such infection.
However, lately i have been going by this box crashing on startup, saying it couldnt mount proc. After some sightseeing on the server, i could see that mount and various /bin commands such as vi were segfaulting. Time to time i could see in result of a "ps aux" some of thoses mount or thoses vi running "background" - which made my mind about some kind of viruses. Well finally, stringing the binares "mount" or "vi", "ls" whatever, i could see "OSF" in approx. every files of the system which is GMON infection marker (according to Trend Micro).
I truely believe this virus even if old is in the wild now for a few years, and since its destructive nobody really notices it , reinstalling just their boxes.
From what i noticed, gmon.a is mostly infecting from not this skilled admins : installing and running random tools taken from the internet and the rate/speed of binary infection is pretty high.