Trend Micro Virus Alert: ELF_LUPPER.A & B

Discussion in 'malware problems & news' started by Randy_Bell, Nov 12, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Worms Create their own Bot Network - ELF_LUPPER.A & ELF_LUPPER B (Low Risk)

    Earlier this week, researchers at antivirus and content security firm Trend Micro warned users to remain extra vigilant regarding the patching of systems, following the recent family of worms which targeted the Linux operating system. ELF_LUPPER.A and ELF_LUPPER.B, which were discovered at the beginning of the week, were built to exploit vulnerabilities in certain web applications, rather than anything inherent in the Linux kernel. Though the worms were compiled to attack Linux, it is important to note that the source code could potentially be recompiled for other systems that are related to Linux.

    According to Ivan Macalintal, Senior Threat Analyst at Trend Micro, both worms utilized the same set of vulnerabilities, especially the XML-RPC which was first made public on June 27, 2005. The corresponding exploits to these vulnerabilities were posted a month later to a well-known public Web site for viewing and posting new exploits. Macalintal adds that these were network worms, capable of self-propagation, with no interaction from the user necessary.

    “These network worms exploited vulnerabilities that enabled them to stealthily connect to a Web site, where they could download and execute copies of themselves to a victim’s system” says Macalintal. “The worms focused on building their own bot network, which can give the writer more information that could be utilized to launch a larger attack in the future.”

    Both worms utilized the base code of the Linux Slapper worm, which was discovered in September, 2002. The writer(s) of the ELF_LUPPER worms removed the SSL exploit, replacing it with two known vulnerabilities – AWStat and XML-RPC. These worms are believed to be related to a hacker tool, HKTL_CALLBACK, discovered November 3, 2005. According to Trend Micro analyses, the probable purpose of the hack tool was to bypass victims’ firewalls and surreptitiously collect information to aid the worm attacks.

    Macalintal advises users to ensure their systems contain the most recent security patches and to remain vigilant, regardless of which operating system they use. “It’s important to remember that this is open source, so it may be relatively easy to supplement the current malware with additional exploit code, capabilities, etc., thereby generating future variants”.

    Even though Linux is still second to Windows, with regards to customer usage, users are strongly advised to be aware of the security issues concerning their systems. Security experts at Trend Micro added that this attack is really just an example that nearly every system has vulnerabilities, and that users should remain vigilant at all times, irrelevant of their OS.

    Security experts at Trend Micro recommend that users take the following measures to protect against the ELF_LUPPER family of worms as well as other attacks:

    * Ensure your system is patched with the most current system update
    * Ensure your antivirus definitions are updated
    * Existing Trend Micro customers can utilize the network virus wall and vulnerability assessment modules*, which are built into most of our products, to help keep their system updated

    * The Network Viruswall (NVW) pattern stops this worm from spreading throughout the network and infecting other machines. A network that is protected by the NVW pattern is assured that any presence of the code at the network layer is immediately filtered out before it causes any damage.

    The Vulnerability Assessment (VA) pattern detects all machines in the network that have not been patched against the vulnerability exploited by these worms. This enables system administrators to be notified immediately of machines that require protection and to take necessary actions to assure that damage is not magnified on a network-wide scale.

    If you would like to scan your computer for ELF_LUPPER.A and ELF_LUPPER.B, or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

    For additional information about ELF_LUPPER.A and ELF_LUPPER.B please visit: and
Thread Status:
Not open for further replies.