New Linux malware

[There are several updates on this subject on the main blogs site.]

Today, we received a notification about new Linux malware ITW (in the wild).

Chas Tomlin provided Shadowserver and Nicholas Albright, who notified the relevant operational communities, with the information on the binaries. He captured them with Sguil.

Chas is working with Shadowserver to identify better ways to track down and take down botnets.

The credit should go to him and Shadowserver.

Shadowserver has been a responsible and essential part of recent Internet security activities.

As anti-virus vendors have been notified and will soon do a write-up on it, I see no reason not to publicize it here.

MD5:
c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

We are not quite sure as of yet exactly what this does; it could be a Linux virus, a Linux trojan horse, a Linux worm… We are not even sure if the checksums above are useful at all. We hope to know more soon and will update as we do.

There are some interesting strings to be noted:

notice %s :tsunami     = special packeter that wont be blocked by most firewalls
notice %s :pan         = an advanced syn flooder that will kill most network drivers
notice %s :udp         = a udp flooder
notice %s :unknown     = another non-spoof udp flooder
notice %s :nick        = changes the nick of the client
notice %s :server      = changes servers
notice %s :getspoofs   = gets the current spoofing
notice %s :spoofs      = changes spoofing to a subnet
notice %s :disable     = disables all packeting from this client
notice %s :enable      = enables all packeting from this client
notice %s :kill        = kills the client
notice %s :get         = downloads a file off the web and saves it onto the hd
notice %s :version     = requests version of client
notice %s :killall     = kills all current packeting
notice %s :help        = displays this
notice %s :irc         = sends this command to the server
notice %s :sh          = executes a command
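The help strings above are the bot's own command menu, so they make a cheap triage signature. As an added example (not code from the post, from Shadowserver or from any AV vendor), here is a Python helper that hashes a blob, checks it against the two MD5s listed above, pulls out any kaiten-style "notice %s :<command> = <description>" strings and groups them into capabilities; the capability grouping and the embedded sample bytes are my own construction, not one of the real binaries.

```python
import hashlib
import re

# MD5s of the two samples exactly as listed in the post.
KNOWN_MD5 = {
    "c2576aeff0fd9267b6cc3a7e1089e05d": "derfiq",
    "e9a2b13fe02d013cc5e11ee586d11c38": "session",
}
# Printable runs of 6+ bytes, the same heuristic strings(1) uses.
_STRING_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# The bot's built-in help line, "notice %s :<command> = <description>"; matched
# case-insensitively because kaiten-derived bots usually emit it in upper case.
_HELP_LINE = re.compile(rb"notice %s :(\w+)\s*=\s*(.+)", re.IGNORECASE)
# Triage grouping of the commands (my reading of the descriptions on the page).
CAPABILITIES = {
    "ddos": {"tsunami", "pan", "udp", "unknown", "spoofs", "getspoofs", "enable", "disable", "killall"},
    "remote-shell": {"sh"}, "downloader": {"get"},
    "c2-control": {"nick", "server", "irc", "kill", "version", "help"},
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def extract_help_commands(data: bytes) -> dict:
    """Return {command: description} for every kaiten-style help string in data."""
    found = {}
    for run in _STRING_RUN.findall(data):
        m = _HELP_LINE.match(run)
        if m:
            found[m.group(1).decode().lower()] = m.group(2).decode().strip()
    return found

def triage(data: bytes) -> dict:
    """Hash the blob, compare with the listed MD5s and summarise what the bot can do."""
    commands = extract_help_commands(data)
    caps = sorted(c for c, names in CAPABILITIES.items() if names & set(commands))
    digest = md5_hex(data)
    kaiten_like = "ddos" in caps and "c2-control" in caps
    return {"md5": digest, "known_sample": KNOWN_MD5.get(digest), "commands": commands,
            "capabilities": caps,
            "verdict": "kaiten-like IRC bot" if kaiten_like else "no kaiten help strings"}

# Constructed stand-in for a captured binary (not a real sample): an ELF magic,
# padding and a few of the help strings in the upper case a real build uses.
SAMPLE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
          + b"NOTICE %s :TSUNAMI     = Special packeter that wont be blocked by most firewalls\x00"
          + b"NOTICE %s :UDP         = A UDP flooder\x00"
          + b"NOTICE %s :NICK        = Changes the nick of the client\x00"
          + b"NOTICE %s :SH          = Executes a command\x00/bin/sh\x00")
```

Run `triage(open(path, "rb").read())` on a captured file; a non-empty `commands` map with a `known_sample` of `None` is exactly the "same family, new build" situation the AV tables below illustrate.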

‘session’, current detection:
antivir               6.33.1.50/20060218       found bds/katien.r
avast                 4.6.695.0/20060216       found nothing
avg                   718/20060217             found nothing
avira                 6.33.1.50/20060218       found bds/katien.r
bitdefender           7.2/20060218             found nothing
cat-quickheal         8.00/20060216            found nothing
clamav                devel-20060126/20060217  found nothing
drweb                 4.33/20060218            found nothing
etrust-inoculateit    23.71.80/20060218        found nothing
etrust-vet            12.4.2086/20060217       found nothing
ewido                 3.5/20060218             found nothing
fortinet              2.69.0.0/20060218        found nothing
f-prot                3.16c/20060217           found nothing
ikarus                0.2.59.0/20060217        found backdoor.linux.keitan.c
kaspersky             4.0.2.24/20060218        found backdoor.linux.keitan.c
mcafee                4700/20060217            found linux/ddos-kaiten
nod32v2               1.1413/20060217          found nothing
norman                5.70.10/20060217         found nothing
panda                 9.0.0.4/20060218         found nothing
sophos                4.02.0/20060218          found nothing
symantec              8.0/20060218             found backdoor.kaitex
thehacker             5.9.4.098/20060218       found nothing
una                   1.83/20060216            found nothing
vba32                 3.10.5/20060217          found nothing

‘derfiq’, current detection:
antivir               6.33.1.50/20060218       found worm/linux.lupper.b
avast                 4.6.695.0/20060216       found nothing
avg                   718/20060217             found nothing
avira                 6.33.1.50/20060218       found worm/linux.lupper.b
bitdefender           7.2/20060218             found nothing
cat-quickheal         8.00/20060216            found nothing
clamav                devel-20060126/20060217  found nothing
drweb                 4.33/20060218            found nothing
etrust-inoculateit    23.71.80/20060218        found nothing
etrust-vet            12.4.2086/20060217       found nothing
ewido                 3.5/20060218             found nothing
fortinet              2.69.0.0/20060218        found nothing
f-prot                3.16c/20060217           found nothing
ikarus                0.2.59.0/20060217        found net-worm.linux.lupper.b
kaspersky             4.0.2.24/20060218        found nothing
mcafee                4700/20060217            found nothing
nod32v2               1.1413/20060217          found nothing
norman                5.70.10/20060217         found nothing
panda                 9.0.0.4/20060218         found nothing
sophos                4.02.0/20060218          found nothing
symantec              8.0/20060218             found hacktool
thehacker             5.9.4.098/20060218       found nothing
una                   1.83/20060216            found nothing
vba32                 3.10.5/20060217          found nothing

This write-up can be found here:
http://blogs.securiteam.com/index.php/archives/303

We will notify as we get new updates here:
http://blogs.securiteam.com

Gadi Evron,
ge@beyondsecurity.com.

  • http://networksecurity.typepad.com/ Juha-Matti

    It seems that some AV vendors are starting to use similar names now; many readers possibly remember the Lupper/Plupii case reported in November.
    Trend Micro uses an ELF-based name in their write-up at
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FMARE%2EC

    From the description text:
    *In the wild: Yes
    *Platform: Linux

    *Details:
    This executable Linux file (ELF) propagates by taking advantage of the XML-RPC for PHP Remote Code vulnerability.

    It connects to the Web site http://19{BLOCKED}5.69/supina to download a file into the Temporary folder.

  • http://networksecurity.typepad.com/ Juha-Matti

    And Sophos says that this Linux/Lupper-H puts its malicious file in /tmp/giculo and executes it;
    http://www.sophos.com/virusinfo/analyses/linuxlupperh.html

    Kaspersky uses the name Net-Worm.Linux.Mare.d;
    http://www.viruslist.com/en/viruses/encyclopedia?virusid=112455

    This is the situation at time of commenting.

  • http://nepenthes.sourceforge.net Markus Koetter
  • sunshine

    1. The worm is based on ‘kaiten’, which has been going around in different variants for a long time now.

    2. This worm is new.

    3. The first part exploits PHP applications, like these variants normally do.

    4. The second part spreads to other systems.

    5. The worm connects to a botnet C&C based on two fast-flux DNS RRs which are not there anymore, and as they change, are taken down.

  • http://prdelka.blackart.org.uk prdelka

    What vulnerabilities in PHP is the worm attempting to exploit?

  • http://networksecurity.typepad.com/ Juha-Matti Laurio

    It seems that these XML-RPC for PHP vulnerabilities are the same as those being exploited last November; the list of affected products is very long and can be examined at
    http://www.osvdb.org/displayvuln.php?osvdb_id=17793

    And this conclusion is because of the same malware name being used now; several AV vendors see this worm as a new variant of Linux.Lupper, BDS/Katien etc.

    Let’s wait for Monday and new AV write-ups.

  • Pingback: Security@spamalertz.com » Blog Archive » new linux malware

  • Pingback: The Armorer’s Scroll » New Linux Worm?