New Apache worm starts to spread

javacool · Jun 29, 2002

Quoted from CNET news.com:

New Apache worm starts to spread
By Robert Lemos
Staff Writer, CNET News.com
June 28, 2002, 5:00 PM PT
http://news.com.com/2100-1001-940585.html

Security experts are rushing to decode a worm program that exploits a 2-week-old flaw to infect computers running vulnerable versions of the popular open-source Apache Web server application.

The worm is thought to be capable of spreading only to Web servers running the FreeBSD operating system, an open-source variant of Unix, that haven't had a patch applied for the recent flaw. Although few people have reported the worm, it is thought to be infecting vulnerable Web servers worldwide.

"It is spreading," said Domas Mituzas, a systems developer for Baltic information-technology firm Microlink Systems and the first to report the new worm. "It hit us from Poland, and the comments are in Italian, so it could be from any part of the world."

From his early analysis of the worm, the 19-year-old Lithuanian programmer believes it was designed to create a flood net--a collection of compromised servers that can be used in a denial-of-service attack to overwhelm a target with data.

While the initial advisory on the flaw, which was found by network security firm Internet Security Systems, said the Apache hole was exploitable only on the Windows version of Apache, a hacking team called Gobbles later claimed that the flaw could be exploited on all versions of the program. The team released exploits for Apache running on various versions of BSD to prove its point.

That probably helped the creator of the worm do the work, Mituzas said. "Otherwise, it would be really astonishing that someone had been able to write an exploit so fast," he said.

Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security and one of the key analysts of the Code Red worm, agreed that the Apache worm was creating a stable of servers, sometimes called zombies, for later use in an attack.

"It's definitely setting up its own flood net," Maiffret said, but he added that "something even more destructive" could have been included in the worm.

There are 10.4 million active Web sites running on the Apache server, according to British consulting firm Netcraft. While the fraction of those servers running on FreeBSD is a minor share of the BSD, Linux and Unix market, both Mituzas and Maiffret warned that whoever created the worm could modify it to attack Apache running on any version of BSD and potentially Linux, Solaris and Unix.

At present, if the Apache worm tries to spread to any non-FreeBSD system, it will likely crash the session on the server to which the worm had connected. That's not so bad, said Maiffret, but it could cause many servers to crash if the worm develops into an epidemic.

"If the worm keeps hitting you, then it will keep dropping sessions, and it will be similar to a denial-of-service attack," Maiffret said.

The worm does not yet have a name.
Click to expand...

You can find the article here: http://news.com.com/2100-1001-940585.html

-javacool

Gobo · Jun 29, 2002

Please read below post.
Scusi prego il mio inglese difficile.

Pieter_Arntz · Jun 29, 2002

Gobo,

I´m afraid you forgot to post your link.

Regards,

Pieter

Paul Wilders · Jun 29, 2002

Pieter,

Gobo is referring to this post:

www.wilderssecurity.com/showthread.php?t=2093

Because of the fact, the complete source code is available for everyone, I disabled the URL provided by Gobo - for good reasons. Apart from the fact it's against our TOS, we do not encourage publishing malware source codes; they can - and will be used.

scusi, Gobo. Your English is just OK, btw

regards.

paul

javacool · Jun 29, 2002

Aah. Apologies for not noticing that other post.

-javacool

javacool · Jun 29, 2002

Symantec has named this: FreeBSD.Scalper.Worm

Information is available here (sections are quoted below): http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html

[hr]

FreeBSD.Scalper.Worm
Discovered on: June 28, 2002
Last Updated on: June 28, 2002 06:45:36 PM PDT

This worm uses the Apache HTTP Server chunk encoding stack overflow vulnerability to spread itself. Currently it has only been confirmed that this worm works on the FreeBSD platform.

FreeBSD is an advanced operating system for Intel ia32 compatible, DEC Alpha, and PC-98 architectures. It is derived from BSD UNIX, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals.

This worm has received some media coverage but we believe it is currently not prevalent in the wild. So far, we have not received any customer reports of this worm. For information regarding the vulnerability, please refer to the following document:

http://securityresponse.symantec.com/avcenter/security/Content/2049.html

Type: Worm
Infection Length: 51,626 bytes,
Infection Length: 51,199 bytes
Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh
CVE References: CVE CAN-2002-0392

<SNIP>
[hr]

Damage

Payload: Performs TCP, UDP, DNS, and E-mail flooding

Large scale e-mailing: Contains the functionality to sent e-mail spam to all e-mail addresses found on the infected machines

Degrades performance: performs many port 80 requests which could cause internet degradation

Releases confidential info: allows unauthorized access to the infect machine

Compromises security settings: allows unauthorized access to the infect machine

Distribution

Ports: 2001

Target of infection: unpatched Apache Webservers on the FreeBSD operating system

<SNIP>
Click to expand...

-javacool

javacool · Jun 29, 2002

Symantec provides technical details on this worm:

The worm will attempt to locate vulnerable machines on a set of IP class ranges hard-coded in the worm. An example of an IP class range would be 55.xxx.xxx.xxx. The only hard coded value is the first element in the IP, the second element is randomly generated, and the third and fourth elements are scanned incrementally.

It will send a port 80 HTTP GET request to all IP addresses and when it finds an Apache server it will attempt to user the Apache HTTP Server chunk encoding overflow vulnerability to execute a remote shell command and simulate a handshake between the infected machine and the vulnerable machine.

The worm will send itself in UUEncoded form to the remote machine as the file "/tmp/.uua" and then will decode and executes "/tmp/.a" after setting "/tmp/.a" executable. The worm also kills all previously installed copies of the worm on the vulnerable machine.

Upon execution the worm will open UDP port 2001 to listen for remote instructions. These remote instructions will perform one of the following functions:

Collect e-mail addresses from the infected machine
View Webpages
Send e-mail messages(spam)
TCP, UDP, DNS Flooding
Execution of shell commands
other Denial Of Service functions.

NOTE: Currently Symantec has identified 2 variants of this worm.
Click to expand...

-javacool

Gobo · Jun 29, 2002

I am sorry you delete the link, I make the source avaliable so people can learn from it. In coming days I will add infection code for GNU/Linux and other BSD and UNIX systems. Please know that I NEVER compiled this worm outside of my secure network, if others do that then I feel sad, but it happens. I just hope to make the internet a safer place for people by making ISPs and hosts more responsibel (??) for there actions. I *never* cause harm or damage to anything, but there are always people who will.

Gobo · Jun 29, 2002

I like to add they call it scalper because Gobbles first make BSD exploit code because of the Indian Apache conection. They also make nose-job that affect open and net BSD too

Paul Wilders · Jun 29, 2002

Gobo,

I am sorry you delete the link, I make the source avaliable so people can learn from it.
Click to expand...

I'm sure that's your intention.

Please know that I NEVER compiled this worm outside of my secure network
Click to expand...

I have no reason to doubt your good intentions.

if others do that then I feel sad, but it happens.
Click to expand...

As you know, they will. That's exactly the reason why I disabled the URL you provided.

I just hope to make the internet a safer place for people by making ISPs and hosts more responsibel (??) for there actions. I *never* cause harm or damage to anything
Click to expand...

A noble and fine atttitude!

but there are always people who will.
Click to expand...

Amen to that!

regards,

paul

Gobo · Jun 29, 2002

I know you have reasons to stop people seeing the code, and that I broke your rules, I am sorry about that. Anyway, I go to bed now , 3 days without sleep make me tired

Paul Wilders · Jun 29, 2002

Sleep well!

regards,

paul

Log in or Sign up

New Apache worm starts to spread

javacool BrightFort Moderator

Gobo Guest

Pieter_Arntz Spyware Veteran

Paul Wilders Administrator

javacool BrightFort Moderator

javacool BrightFort Moderator

javacool BrightFort Moderator

Gobo Guest

Gobo Guest

Paul Wilders Administrator

Gobo Guest

Paul Wilders Administrator

Log in or Sign up

New Apache worm starts to spread

javacool BrightFort Moderator

Gobo Guest

Pieter_Arntz Spyware Veteran

Paul Wilders Administrator

javacool BrightFort Moderator

javacool BrightFort Moderator

javacool BrightFort Moderator

Gobo Guest

Gobo Guest

Paul Wilders Administrator

Gobo Guest

Paul Wilders Administrator

Useful Searches