Port 443: Slapper-D Update, 4th variant discovered

Discussion in 'malware problems & news' started by CalamityJane, Sep 30, 2002.

Thread Status:
Not open for further replies.
  1. CalamityJane
    CalamityJane Registered Member

    This just up at the Internet Storm Center, explains the increase in port 443 probes this weekend.
    http://isc.incidents.org/
    Slapper-D update:
    A 4th variant of the 'Slapper' worm has been discovered.

    When an exploitable system is discovered, the first piece of the worm sent over thru the SSL vulnerability is a script file called '/tmp/script.sh'. The shell script is executed and tries to do the following:

    IRC Bot
    1A) Retrieve a compressed file 'k.gz' from the web server 133.9.187.227.
    1B) Uncompress 'k.gz' and execute the resulting '/tmp/k' file which appears to be a modified version of the Kaiten IRCbot.
    1C) Once '/tmp/k' is running, remove the executable.

    IMPORTANT NOTE: The k.gz file on the web server has been updated at least once. In one version, the IRCbot tries to connect to 'irc.zyclonicz.net' on the channel '#devnull'. In another version, it tries to connect to either 'adventice.com' or 'ns1.adventice.net' on the channel '#hacked'.

    Network Scanner / Worm Spread
    2A) Check for presence of gcc compiler on system. If the compiler is not found, remove the '/tmp/script.sh' file and quit.
    2B) If compiler is found, create a new directory '/tmp/.socket2', go to that directory and retrieve a compressed tar archive 'devnull.tgz' from the same web server mentioned above.
    2C) Extract the 'devnull' executable and the 'sslx.c' source code from the compressed tar archive and then delete the archive file.
    2D) Compile the 'sslx.c' source code to create 'sslx' executable.
    2E) If unable to compile the 'sslx' executable (due to lack of -lcrypto library) delete the 'sslx.c', 'devnull' and 'script.sh' files and exit.
    2F) If able to compile 'sslx', run 'devnull' and then delete 'script.sh'

    The 'devnull' executable is a scanner which selects a random /16 network and scans the entire network looking for SSL web servers listening on TCP port 443. If one is found, 'devnull' calls the 'sslx' exploit code to infect it to continue the spread. After 'devnull' completes a scan of the selected /16 network, it selects a new /16 and repeats the process.

    Recommendations:

    1) Same as existing recommendations for Slapper worm.
    2) Block outgoing web access to 133.9.187.227
    3) Block all outgoing IRC access if possible. If total blocking is not possible, block IRC access to 'irc.zycloncz.net', 'adventice.com' and 'ns1.adventice.net'
    4) Apply vendor patches for SSL vulnerability AS SOON AS POSSIBLE.

    Please direct comments/questions to the author:
    David Goldsmith dgoldsmith@sans.org

    Also posted at DSLReports:
    http://www.dslreports.com/forum/remark,4571499~root=security,1~mode=flat


    Note from FanJ: I fixed the link to DSLR
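
A host triage check built from the artifacts listed in the advisory above, as an added example that is not part of the original post or the ISC write-up. The function name `slapper_d_check` is hypothetical, the placement of 'devnull' and 'sslx' inside '/tmp/.socket2' is inferred from steps 2B-2D, and the process check assumes a Linux `/proc`.

```shell
#!/bin/sh
# slapper_d_check [ROOT]: look for the Slapper-D artifacts named in the
# advisory. ROOT defaults to / (a mounted disk image or test tree also works).
# Prints one "FOUND ..." line per indicator; prints nothing on a clean tree.
slapper_d_check() {
    root="${1:-/}"
    root="${root%/}"      # "/" becomes "", so the paths below stay absolute

    # Files and directories the dropper creates (steps 1A-2F).
    for p in /tmp/script.sh /tmp/k /tmp/.socket2 /tmp/.socket2/devnull \
             /tmp/.socket2/devnull.tgz /tmp/.socket2/sslx.c \
             /tmp/.socket2/sslx; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND file $p"
        fi
    done

    # Step 1C deletes /tmp/k once it is running and script.sh is deleted on
    # every exit path, so a clean /tmp proves little. Linux keeps the
    # original path in /proc/<pid>/exe, suffixed with " (deleted)".
    for link in "$root"/proc/[0-9]*/exe; do
        [ -L "$link" ] || continue
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            /tmp/k|"/tmp/k (deleted)"|/tmp/.socket2/*)
                pid=${link%/exe}
                pid=${pid##*/}
                echo "FOUND process pid=$pid exe=$target"
                ;;
        esac
    done
    return 0
}

# Constructed demo tree (not real data): a leftover dropper script and a
# fake /proc entry for a bot whose binary has already been unlinked.
demo=$(mktemp -d)
mkdir -p "$demo/tmp" "$demo/proc/4242"
: > "$demo/tmp/script.sh"
ln -s "/tmp/k (deleted)" "$demo/proc/4242/exe"
slapper_d_check "$demo"
rm -rf "$demo"
```

Reading other users' `/proc/<pid>/exe` links requires root, so run the check as root on a live host.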