SecurityFocus

new linux malware Feb 18 2006 10:40PM
Gadi Evron (ge linuxbox org) (2 replies)

Re: new linux malware Feb 20 2006 04:57PM
Christine Kronberg (Christine_Kronberg genua de) (1 replies)

PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 20 2006 08:22PM
Gadi Evron (ge linuxbox org) (2 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Dec 30 2006 10:00PM
Kevin Waterson (kevin oceania net) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 05:53PM
Bill Nash (billn billn net) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:00PM
Tino Wildenhain (tino wildenhain de) (1 replies)

RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 09:31PM
Jim Harrison (Jim isatools org) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 01 2007 10:37PM
Dana Hudes (dhudes hudes org) (1 replies)

RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 12:02AM
Jim Harrison (Jim isatools org) (2 replies)

Re: PHP as a secure language? PHP worms? Jan 02 2007 12:01PM
Duncan Simpson (dps simpson demon co uk) (1 replies)

RE: PHP as a secure language? PHP worms? Jan 02 2007 02:17PM
Jim Harrison (Jim isatools org)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 10:58AM
Darren Reed (avalon caligula anu edu au) (2 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 03:16PM
Dana Hudes (dhudes hudes org) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:48PM
Lawrence Paul MacIntyre (macintyrelp ornl gov)

RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 02:15PM
Jim Harrison (Jim isatools org) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 06:37PM
Darren Reed (avalon caligula anu edu au) (3 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 03 2007 05:16AM
Ronald Chmara (ron Opus1 COM) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 04 2007 08:59PM
Jim Manico (jim manico net)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 09:07PM
Bill Nash (billn billn net)

RE: PHP as a secure language? PHP worms? [was: Re: new linux malware] Jan 02 2007 07:18PM
Jim Harrison (Jim isatools org)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 22 2006 10:48AM
Kevin Waterson (kevin oceania net) (2 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:13PM
Matthew Schiros (schiros gmail com) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:26PM
L. Adrian Griffis (agriffis dstsystems com) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 03:50PM
Matthew Schiros (schiros gmail com) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 04:21PM
L. Adrian Griffis (agriffis dstsystems com) (1 replies)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 27 2006 05:55PM
Matthew Schiros (schiros gmail com)

Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] Feb 24 2006 09:07PM
Jamie Riden (jamie riden gmail com)

Re: new linux malware Feb 20 2006 04:24PM
Marco Monicelli (marco monicelli marcegaglia com) (1 replies)

Dear Gadi,

this malware looks like the famous Kaiten IRC bot. If you want, I can send
the source code of it but it is already known by most of AVs and I think
the source is public nowadays. This must be just another variant and
bytheway it's detected as far as I can see from your quoted informations so
it shouldn't be dangerous.

Anyway, tnx for keeping us updated!

Cheers

Marco

Gadi Evron
<ge (at) linuxbox (dot) org [email concealed]>
To
18/02/2006 23.40 bugtraq (at) securityfocus (dot) com [email concealed]
cc
"full-disclosure (at) lists.grok.org (dot) uk [email concealed]"
<full-disclosure (at) lists.grok.org (dot) uk [email concealed]>
Subject
new linux malware

Today, we received a notification about a new Linux malware ItW (In the
Wild).

Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver
(http://www.shadowserver.org/) and Nicholas Alright who notified the
relevant operational communities, with the information on the binaries.
He captured them with squil (http://sguil.sourceforge.net/).

Chas is working with Shadowserver to identify better ways to
trackdown/takedown botnets.

*The credit should go to him and Shadowserver*.

Shadowserver has been a responsible and essential part of recent
Internet security activities.

As anti virus vendors have been notified will soon do a write-up on it,
I see no reason not to publicize it here.

MD5:
c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

We are not quite sure as of yet exactly what this does, it can be a
Linux virus, a Linux Trojan horse, a Linux worm... we are not even sure
if the checksums above are useful at all. We hope to know more soon and
we will update as we do.

There are some interesting strings to be noted:

NOTICE %s :TSUNAMI <target> <secs> = Special
packeter
that wont be blocked by most firewalls
NOTICE %s :PAN <target> <port> <secs> = An
advanced syn
flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs> = A udp flooder
NOTICE %s :UNKNOWN <target> <secs> = Another
non-spoof udp flooder
NOTICE %s :NICK <nick> = Changes
the nick
of the client
NOTICE %s :SERVER <server> = Changes
servers
NOTICE %s :GETSPOOFS = Gets the
current
spoofing
NOTICE %s :SPOOFS <subnet> = Changes
spoofing
to a subnet
NOTICE %s :DISABLE = Disables all
packeting from this client
NOTICE %s :ENABLE = Enables all
packeting from this client
NOTICE %s :KILL = Kills the
client
NOTICE %s :GET <http address> <save as> = Downloads
a file
off the web and saves it onto the hd
NOTICE %s :VERSION = Requests
version
of client
NOTICE %s :KILLALL = Kills all
current packeting
NOTICE %s :HELP = Displays this
NOTICE %s :IRC <command> = Sends this
command to the server
NOTICE %s :SH <command> = Executes a
command

'session', current detection:
AntiVir 6.33.1.50/20060218 found [BDS/Katien.R]
Avast 4.6.695.0/20060216 found nothing
AVG 718/20060217 found nothing
Avira 6.33.1.50/20060218 found [BDS/Katien.R]
BitDefender 7.2/20060218 found nothing
CAT-QuickHeal 8.00/20060216 found nothing
ClamAV devel-20060126/20060217 found nothing
DrWeb 4.33/20060218 found nothing
eTrust-InoculateIT 23.71.80/20060218 found nothing
eTrust-Vet 12.4.2086/20060217 found nothing
Ewido 3.5/20060218 found nothing
Fortinet 2.69.0.0/20060218 found nothing
F-Prot 3.16c/20060217 found nothing
Ikarus 0.2.59.0/20060217 found
[Backdoor.Linux.Keitan.C]
Kaspersky 4.0.2.24/20060218 found
[Backdoor.Linux.Keitan.c]
McAfee 4700/20060217 found [Linux/DDoS-Kaiten]
NOD32v2 1.1413/20060217 found nothing
Norman 5.70.10/20060217 found nothing
Panda 9.0.0.4/20060218 found nothing
Sophos 4.02.0/20060218 found nothing
Symantec 8.0/20060218 found [Backdoor.Kaitex]
TheHacker 5.9.4.098/20060218 found nothing
UNA 1.83/20060216 found nothing
VBA32 3.10.5/20060217 found nothing

'derfiq' current detection:
AntiVir 6.33.1.50/20060218 found
[Worm/Linux.Lupper.B]
Avast 4.6.695.0/20060216 found nothing
AVG 718/20060217 found nothing
Avira 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
BitDefender 7.2/20060218 found nothing
CAT-QuickHeal 8.00/20060216 found nothing
ClamAV devel-20060126/20060217 found nothing
DrWeb 4.33/20060218 found nothing
eTrust-InoculateIT 23.71.80/20060218 found nothing
eTrust-Vet 12.4.2086/20060217 found nothing
Ewido 3.5/20060218 found nothing
Fortinet 2.69.0.0/20060218 found nothing
F-Prot 3.16c/20060217 found nothing
Ikarus 0.2.59.0/20060217 found
[Net-Worm.Linux.Lupper.B]
Kaspersky 4.0.2.24/20060218 found nothing
McAfee 4700/20060217 found nothing
NOD32v2 1.1413/20060217 found nothing
Norman 5.70.10/20060217 found nothing
Panda 9.0.0.4/20060218 found nothing
Sophos 4.02.0/20060218 found nothing
Symantec 8.0/20060218 found [Hacktool]
TheHacker 5.9.4.098/20060218 found nothing
UNA 1.83/20060216 found nothing
VBA32 3.10.5/20060217 found nothing

This write-up can be found here:
http://blogs.securiteam.com/index.php/archives/303

We will notify as we get new updates here:
http://blogs.securiteam.com

Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.

[ reply ]

Re: new linux malware Feb 20 2006 07:58PM
Gadi Evron (ge linuxbox org) (1 replies)

Re: new linux malware Feb 22 2006 08:00PM
Jamie Riden (jamie riden gmail com)