Bugtraq mailing list archives

new linux malware

From: Gadi Evron <ge () linuxbox org>
Date: Sun, 19 Feb 2006 00:40:18 +0200

Today, we received a notification about a new Linux malware ItW (In theWild).

Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver(http://www.shadowserver.org/) and Nicholas Alright who notified therelevant operational communities, with the information on the binaries.He captured them with squil (http://sguil.sourceforge.net/).

Chas is working with Shadowserver to identify better ways totrackdown/takedown botnets.


*The credit should go to him and Shadowserver*.

Shadowserver has been a responsible and essential part of recentInternet security activities.

As anti virus vendors have been notified will soon do a write-up on it,I see no reason not to publicize it here.


MD5:
c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

We are not quite sure as of yet exactly what this does, it can be aLinux virus, a Linux Trojan horse, a Linux worm... we are not even sureif the checksums above are useful at all. We hope to know more soon andwe will update as we do.


There are some interesting strings to be noted:

NOTICE %s :TSUNAMI <target> <secs> = Specialpacketer

that wont be blocked by most firewalls

NOTICE %s :PAN <target> <port> <secs> = Anadvanced syn

flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder
NOTICE %s :UNKNOWN <target> <secs>                          = Another
non-spoof udp flooder

NOTICE %s :NICK <nick> = Changesthe nick

of the client

NOTICE %s :SERVER <server> = ChangesserversNOTICE %s :GETSPOOFS = Gets thecurrent

spoofing

NOTICE %s :SPOOFS <subnet> = Changesspoofing

to a subnet
NOTICE %s :DISABLE                                          = Disables all
packeting from this client
NOTICE %s :ENABLE                                           = Enables all
packeting from this client

NOTICE %s :KILL = Kills theclientNOTICE %s :GET <http address> <save as> = Downloadsa file

off the web and saves it onto the hd

NOTICE %s :VERSION = Requestsversion

of client
NOTICE %s :KILLALL                                          = Kills all
current packeting
NOTICE %s :HELP                                             = Displays this
NOTICE %s :IRC <command>                                    = Sends this
command to the server
NOTICE %s :SH <command>                                     = Executes a
command

'session', current detection:
AntiVir 6.33.1.50/20060218      found [BDS/Katien.R]
Avast   4.6.695.0/20060216      found nothing
AVG     718/20060217    found nothing
Avira   6.33.1.50/20060218      found [BDS/Katien.R]
BitDefender     7.2/20060218    found nothing
CAT-QuickHeal   8.00/20060216   found nothing
ClamAV  devel-20060126/20060217 found nothing
DrWeb    4.33/20060218  found nothing
eTrust-InoculateIT      23.71.80/20060218       found nothing
eTrust-Vet      12.4.2086/20060217      found nothing
Ewido   3.5/20060218    found nothing
Fortinet        2.69.0.0/20060218       found nothing
F-Prot  3.16c/20060217  found nothing
Ikarus  0.2.59.0/20060217       found [Backdoor.Linux.Keitan.C]
Kaspersky       4.0.2.24/20060218       found [Backdoor.Linux.Keitan.c]
McAfee  4700/20060217   found [Linux/DDoS-Kaiten]
NOD32v2 1.1413/20060217 found nothing
Norman  5.70.10/20060217        found nothing
Panda   9.0.0.4/20060218        found nothing
Sophos  4.02.0/20060218 found nothing
Symantec        8.0/20060218    found [Backdoor.Kaitex]
TheHacker       5.9.4.098/20060218      found nothing
UNA     1.83/20060216   found nothing
VBA32   3.10.5/20060217 found nothing

'derfiq' current detection:
AntiVir 6.33.1.50/20060218      found [Worm/Linux.Lupper.B]
Avast   4.6.695.0/20060216      found nothing
AVG     718/20060217    found nothing
Avira   6.33.1.50/20060218      found [Worm/Linux.Lupper.B]
BitDefender     7.2/20060218    found nothing
CAT-QuickHeal   8.00/20060216   found nothing
ClamAV  devel-20060126/20060217 found nothing
DrWeb    4.33/20060218  found nothing
eTrust-InoculateIT      23.71.80/20060218       found nothing
eTrust-Vet      12.4.2086/20060217      found nothing
Ewido   3.5/20060218    found nothing
Fortinet        2.69.0.0/20060218       found nothing
F-Prot  3.16c/20060217  found nothing
Ikarus  0.2.59.0/20060217       found [Net-Worm.Linux.Lupper.B]
Kaspersky       4.0.2.24/20060218       found nothing
McAfee  4700/20060217   found nothing
NOD32v2 1.1413/20060217 found nothing
Norman  5.70.10/20060217        found nothing
Panda   9.0.0.4/20060218        found nothing
Sophos  4.02.0/20060218 found nothing
Symantec        8.0/20060218    found [Hacktool]
TheHacker       5.9.4.098/20060218      found nothing
UNA     1.83/20060216   found nothing
VBA32   3.10.5/20060217 found nothing

This write-up can be found here:
http://blogs.securiteam.com/index.php/archives/303

We will notify as we get new updates here:
http://blogs.securiteam.com

        Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.

Current thread:

new linux malware Gadi Evron (Feb 20)
- Re: new linux malware Christine Kronberg (Feb 21)
  - PHP as a secure language? PHP worms? [was: Re: new linux malware] Gadi Evron (Feb 22)
    - Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Christine Kronberg (Feb 21)
    - Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Thomas M. Payerle (Feb 26)
    - Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Kevin Waterson (Feb 24)
    - Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jamie Riden (Feb 26)
    - Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Matthew Schiros (Feb 26)
- Re: new linux malware Marco Monicelli (Feb 21)
  - Re: new linux malware Gadi Evron (Feb 22)
    - Re: new linux malware Jamie Riden (Feb 23)