Wilders Security Forums  
Old September 30th, 2002, 01:03 PM
CalamityJane, Spyware Fighter (joined Sep 2002, Central Florida)
Port 443: Slapper-D Update, 4th variant discovered

This just up at the Internet Storm Center, explains the increase in port 443 probes this weekend.
http://isc.incidents.org/
Slapper-D update:
A 4th variant of the 'Slapper' worm has been discovered.

When an exploitable system is discovered, the first piece of the worm sent over through the SSL vulnerability is a script file called '/tmp/script.sh'. The shell script is executed and tries to do the following:

IRC Bot
1A) Retrieve a compressed file 'k.gz' from the web server 133.9.187.227.
1B) Uncompress 'k.gz' and execute the resulting '/tmp/k' file which appears to be a modified version of the Kaiten IRCbot.
1C) Once '/tmp/k' is running, remove the executable.

IMPORTANT NOTE: The k.gz file on the web server has been updated at least once. In one version, the IRCbot tries to connect to 'irc.zyclonicz.net' on the channel '#devnull'. In another version, it tries to connect to either 'adventice.com' or 'ns1.adventice.net' on the channel '#hacked'.

Network Scanner / Worm Spread
2A) Check for presence of gcc compiler on system. If the compiler is not found, remove the '/tmp/script.sh' file and quit.
2B) If compiler is found, create a new directory '/tmp/.socket2', go to that directory and retrieve a compressed tar archive 'devnull.tgz' from the same web server mentioned above.
2C) Extract the 'devnull' executable and the 'sslx.c' source code from the compressed tar archive and then delete the archive file.
2D) Compile the 'sslx.c' source code to create 'sslx' executable.
2E) If unable to compile the 'sslx' executable (due to lack of the -lcrypto library), delete the 'sslx.c', 'devnull' and 'script.sh' files and exit.
2F) If able to compile 'sslx', run 'devnull' and then delete 'script.sh'.

The 'devnull' executable is a scanner which selects a random /16 network and scans the entire network looking for SSL web servers listening on TCP port 443. If one is found, 'devnull' calls the 'sslx' exploit code to infect it to continue the spread. After 'devnull' completes a scan of the selected /16 network, it selects a new /16 and repeats the process.

Recommendations:

1) Same as existing recommendations for Slapper worm.
2) Block outgoing web access to 133.9.187.227
3) Block all outgoing IRC access if possible. If total blocking is not possible, block IRC access to 'irc.zycloncz.net', 'adventice.com' and 'ns1.adventice.net'.
4) Apply vendor patches for SSL vulnerability AS SOON AS POSSIBLE.

Please direct comments/questions to the author:
David Goldsmith dgoldsmith@sans.org

Also posted at DSLReports:
http://www.dslreports.com/forum/rema...ty,1~mode=flat


Note from FanJ: I fixed the link to DSLR
__________________
Microsoft MVP 2003-2008
Windows - Security

Proud member of ASAP Alliance of Security Analysis Professionals
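The advisory above explains the weekend's port 443 probes as 'devnull' sweeping whole /16 networks. A network-side check for that pattern, added here as an example that is not part of the post or the ISC advisory: it reads a simplified, constructed "time src dst dport" connection log and flags any source that touches many distinct hosts in one /16 on TCP/443. The log format, addresses and threshold are assumptions for illustration.

```python
"""Flag sources sweeping a /16 for TCP/443 listeners, the footprint the
Slapper-D 'devnull' scanner leaves. Constructed example for this thread."""
import ipaddress
from collections import defaultdict

# Constructed sample lines (not real traffic): a sweeping source hitting
# 12 hosts on 443, a normal client hitting 2, and a port-80 sweep that
# must not match since the worm only targets 443.
SAMPLE_LOG = "\n".join(
    [f"2002-09-29T10:00:{i:02d} 10.1.2.3 198.51.100.{i} 443" for i in range(1, 13)]
    + ["2002-09-29T10:01:00 10.9.9.9 198.51.100.20 443",
       "2002-09-29T10:01:05 10.9.9.9 198.51.100.21 443"]
    + [f"2002-09-29T10:02:{i:02d} 10.7.7.7 198.51.100.{i} 80" for i in range(1, 13)]
)


def parse_line(line):
    """Return (src, dst, dport) for a 'time src dst dport' line, else None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, src, dst, dport = parts
    try:
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def find_port443_sweeps(log_text, threshold=8):
    """Count distinct TCP/443 targets per (source, destination /16).

    Returns {(src, net16): n_targets} for every pair that reaches the
    threshold; a single source fanning out across one /16 on 443 is the
    devnull scan pattern rather than ordinary HTTPS client traffic."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != 443:
            continue
        src, dst, _ = rec
        net16 = ipaddress.ip_network(f"{dst}/16", strict=False)
        targets[(str(src), str(net16))].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for (src, net), n in find_port443_sweeps(SAMPLE_LOG).items():
        print(f"{src} probed {n} distinct hosts in {net} on 443: possible Slapper scan")
```

Run against real firewall or flow logs, the threshold should be tuned to the size of your own address space; the point is the fan-out across one /16 on a single port, not the absolute count.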