Port 443: Slapper-D Update, 4th variant discovered
This just went up at the Internet Storm Center; it explains the increase in port 443 probes this weekend.
A 4th variant of the 'Slapper' worm has been discovered.
When an exploitable system is discovered, the first piece of the worm sent over through the SSL vulnerability is a script file called '/tmp/script.sh'. The shell script is executed and tries to do the following:
1A) Retrieve a compressed file 'k.gz' from the web server 22.214.171.124.
1B) Uncompress 'k.gz' and execute the resulting '/tmp/k' file which appears to be a modified version of the Kaiten IRCbot.
1C) Once '/tmp/k' is running, remove the executable.
IMPORTANT NOTE: The k.gz file on the web server has been updated at least once. In one version, the IRCbot tries to connect to 'irc.zyclonicz.net' on the channel '#devnull'. In another version, it tries to connect to either 'adventice.com' or 'ns1.adventice.net' on the channel '#hacked'.
Network Scanner / Worm Spread
2A) Check for presence of gcc compiler on system. If the compiler is not found, remove the '/tmp/script.sh' file and quit.
2B) If compiler is found, create a new directory '/tmp/.socket2', goto that directory and retrieve a compressed tar archive 'devnull.tgz' from the same web server mentioned above.
2C) Extract the 'devnull' executable and the 'sslx.c' source code from the compressed tar archive and then delete the archive file.
2D) Compile the 'sslx.c' source code to create 'sslx' executable.
2E) If unable to compile the 'sslx' executable (due to a missing -lcrypto library), delete the 'sslx.c', 'devnull' and 'script.sh' files and exit.
2F) If able to compile 'sslx', run 'devnull' and then delete 'script.sh'.
The 'devnull' executable is a scanner which selects a random /16 network and scans the entire network looking for SSL web servers listening on TCP port 443. If one is found, 'devnull' calls the 'sslx' exploit code to infect it and continue the spread. After 'devnull' completes a scan of the selected /16 network, it selects a new /16 and repeats the process.
Recommendations
1) Same as existing recommendations for the Slapper worm.
2) Block outgoing web access to 126.96.36.199
3) Block all outgoing IRC access if possible. If total blocking is not possible, block IRC access to 'irc.zyclonicz.net', 'adventice.com' and 'ns1.adventice.net'
4) Apply vendor patches for SSL vulnerability AS SOON AS POSSIBLE.
Please direct comments/questions to the author:
David Goldsmith email@example.com
Also posted at DSLReports:
Note from FanJ: I fixed the link to DSLR
Microsoft MVP 2003-2008
Windows - Security
Proud member of ASAP Alliance of Security Analysis Professionals
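The note above lists exactly the artifacts Slapper-D leaves behind (the files under /tmp, the 'k', 'devnull' and 'sslx' processes) and describes the scanner's behaviour (one source hitting every host in a /16 on TCP/443). The script below, an added example that is not code from the ISC note, from the forum post or from the worm, turns that into a host sweep and a log sweep. The file paths and process names are the ones the note gives; everything else is an assumption: the ROOT argument (so the sweep can run against a mounted image or a scratch directory), the threshold, and the netfilter LOG line format assumed for the scanner detection, which the note does not specify. One caveat worth keeping in mind from step 2A: a host without gcc never spreads the worm, but it still runs the Kaiten bot, so a sweep that only looks for '/tmp/.socket2' misses those hosts; this one also looks for '/tmp/k' and a running 'k' process.

```shell
#!/bin/sh
# Added example: sweeps for the Slapper-D artifacts named in the ISC note.
# Not code from the note, the post or the worm. Paths and process names
# come from the note; ROOT, the threshold and the log format are assumed.

# Files dropped in steps 1A-2F. k.gz and devnull.tgz are deleted by the
# worm's script on success, so finding them usually means an aborted run.
SLAPPER_D_PATHS="tmp/script.sh
tmp/k.gz
tmp/k
tmp/.socket2
tmp/.socket2/devnull.tgz
tmp/.socket2/devnull
tmp/.socket2/sslx.c
tmp/.socket2/sslx"

# Print every artifact that exists under ROOT (default /), one per line.
slapper_d_files() {
    root="${1:-/}"
    root="${root%/}"
    for p in $SLAPPER_D_PATHS; do
        [ -e "$root/$p" ] && echo "$root/$p"
    done
    return 0
}

# Number of artifacts found under ROOT.
slapper_d_file_count() {
    slapper_d_files "$1" | wc -l | tr -d ' '
}

# Read process names on stdin (e.g. from `ps -eo comm=`) and print the ones
# matching the bot ('k', from /tmp/k), the scanner and the exploit. Step 1C
# deletes /tmp/k once it runs, so a live 'k' with no file behind it is the
# expected state on an infected host.
slapper_d_procs() {
    grep -xE 'k|devnull|sslx' || true
}

slapper_d_proc_count() {
    slapper_d_procs | wc -l | tr -d ' '
}

# Scanner detection over netfilter LOG lines on stdin (assumed format:
# "... SRC=a.b.c.d DST=w.x.y.z ... PROTO=TCP ... DPT=443 ..."). 'devnull'
# walks a whole /16 looking for port 443, so one source touching many
# distinct destinations on TCP/443 is the signal. Prints "SRC count" for
# every source above the threshold (default 20, an assumed value).
slapper_d_scanners() {
    threshold="${1:-20}"
    awk -v t="$threshold" '
        {
            src = ""; dst = ""; tcp443 = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i == "PROTO=TCP") tcp443 += 1
                else if ($i == "DPT=443") tcp443 += 1
            }
            # count each (source, destination) pair once
            if (tcp443 == 2 && src != "" && !seen[src, dst]++) targets[src]++
        }
        END { for (s in targets) if (targets[s] > t) print s, targets[s] }'
}

# Check the running host; exit status 1 if any indicator is present.
slapper_d_check_host() {
    files=$(slapper_d_file_count /)
    procs=$(ps -eo comm= | slapper_d_proc_count)
    echo "artifacts: $files  suspicious processes: $procs"
    [ "$files" -eq 0 ] && [ "$procs" -eq 0 ]
}

# Only run the live check when asked, so the functions can be sourced.
if [ "${1:-}" = "check" ]; then
    slapper_d_check_host
fi
```

Run it as `sh slapper_d.sh check` on a suspect host, or feed the firewall log to the scanner function (`slapper_d_scanners 20 < /var/log/kern.log`) to find the /16 sweeps that caused the port 443 probes the post is about.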