Port 443: Slapper-D Update, 4th variant discovered

Discussion in 'malware problems & news' started by CalamityJane, Sep 30, 2002.

Thread Status:
Not open for further replies.
  1. CalamityJane

    CalamityJane Registered Member

    Sep 29, 2002
    Central Florida
    This just up at the Internet Storm Center, explains the increase in port 443 probes this weekend.
    Slapper-D update:
    A 4th variant of the 'Slapper' worm has been discovered.

    When an exploitable system is discovered, the first piece of the worm sent over thru the SSL vulnerability is a script file called '/tmp/script.sh'. The shell script is executed and tries to do the following:

    IRC Bot
    1A) Retrieve a compressed file 'k.gz' from the web server
    1B) Uncompress 'k.gz' and execute the resulting '/tmp/k' file which appears to be a modified version of the Kaiten IRCbot.
    1C) Once '/tmp/k' is running, remove the executable.

    IMPORTANT NOTE: The k.gz file on the web server has been updated at least once. In one version, the IRCbot tries to connect to 'irc.zyclonicz.net' on the channel '#devnull'. In another version, it tries to connect to either 'adventice.com' or 'ns1.adventice.net' on the channel '#hacked'.

    Network Scanner / Worm Spread
    2A) Check for presence of gcc compiler on system. If the compiler is not found, remove the '/tmp/script.sh' file and quit.
    2B) If compiler is found, create a new directory '/tmp/.socket2', goto that directory and retrieve a compressed tar archive 'devnull.tgz' from the same web server mentioned above.
    2C) Extract the 'devnull' executable and the 'sslx.c' source code from the compressed tar archive and then delete the archive file.
    2D) Compile the 'sslx.c' source code to create 'sslx' executable.
    2E) If unable to compile the 'sslx' execuatble (due to lack of -lcrypto library) delete the 'sslx.c', 'devnull' and 'script.sh' files and exit.
    2F) If able to compile 'sslx', run 'devnull' and then delete 'script.sh'

    The 'devnull' executable is a scanner which selects a random /16 network and scans the entire network looking for SSL web server listening on TCP port 443. If one is found, 'devnull' calls the 'sslx' exploit code to infect it to continue the spread. After 'devnull' completes a scan of the selected /16 network, it selects a new /16 and repeats the process.


    1) Same as existing recommendations for Slapper worm.
    2) Block outgoing web access to
    3) Block all outgoing IRC access if possible. If total blocking is not possible, block IRC access to 'irc.zycloncz.net', 'adventice.com' and 'ns1.adventice.net'
    4) Apply vendor patches for SSL vulnerability AS SOON AS POSSIBLE.

    Please direct comments/questions to the author:
    David Goldsmith dgoldsmith@sans.org

    Also posted at DSLReports:

    Note from FanJ: I fixed the link to DSLR
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.