Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: new linux malware
From: Marco Monicelli <marco.monicelli () marcegaglia com>
Date: Mon, 20 Feb 2006 17:24:21 +0100

Dear Gadi,

this malware looks like the famous Kaiten IRC bot. If you want, I can send
the source code of it but it is already known by most of AVs and I think
the source is public nowadays. This must be just another variant and
bytheway it's detected as far as I can see from your quoted informations so
it shouldn't be dangerous.

Anyway, tnx for keeping us updated!

Cheers

Marco





                                                                           
             Gadi Evron                                                    
             <ge () linuxbox org>                                             
                                                                        To 
             18/02/2006 23.40          bugtraq () securityfocus com           
                                                                        cc 
                                       "full-disclosure () lists grok org uk" 
                                       <full-disclosure () lists grok org uk> 
                                                                   Subject 
                                       new linux malware                   
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Today, we received a notification about a new Linux malware ItW (In the
Wild).

Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver
(http://www.shadowserver.org/) and Nicholas Alright who notified the
relevant operational communities, with the information on the binaries.
He captured them with squil (http://sguil.sourceforge.net/).

Chas is working with Shadowserver to identify better ways to
trackdown/takedown botnets.

*The credit should go to him and Shadowserver*.

Shadowserver has been a responsible and essential part of recent
Internet security activities.

As anti virus vendors have been notified will soon do a write-up on it,
I see no reason not to publicize it here.

MD5:
c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

We are not quite sure as of yet exactly what this does, it can be a
Linux virus, a Linux Trojan horse, a Linux worm... we are not even sure
if the checksums above are useful at all. We hope to know more soon and
we will update as we do.

There are some interesting strings to be noted:

NOTICE %s :TSUNAMI <target> <secs>                          = Special
packeter
that wont be blocked by most firewalls
NOTICE %s :PAN <target> <port> <secs>                       = An
advanced syn
flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder
NOTICE %s :UNKNOWN <target> <secs>                          = Another
non-spoof udp flooder
NOTICE %s :NICK <nick>                                      = Changes
the nick
of the client
NOTICE %s :SERVER <server>                                  = Changes
servers
NOTICE %s :GETSPOOFS                                        = Gets the
current
spoofing
NOTICE %s :SPOOFS <subnet>                                  = Changes
spoofing
to a subnet
NOTICE %s :DISABLE                                          = Disables all
packeting from this client
NOTICE %s :ENABLE                                           = Enables all
packeting from this client
NOTICE %s :KILL                                             = Kills the
client
NOTICE %s :GET <http address> <save as>                     = Downloads
a file
off the web and saves it onto the hd
NOTICE %s :VERSION                                          = Requests
version
of client
NOTICE %s :KILLALL                                          = Kills all
current packeting
NOTICE %s :HELP                                             = Displays this
NOTICE %s :IRC <command>                                    = Sends this
command to the server
NOTICE %s :SH <command>                                     = Executes a
command

'session', current detection:
AntiVir            6.33.1.50/20060218            found [BDS/Katien.R]
Avast        4.6.695.0/20060216            found nothing
AVG          718/20060217            found nothing
Avira        6.33.1.50/20060218            found [BDS/Katien.R]
BitDefender        7.2/20060218            found nothing
CAT-QuickHeal            8.00/20060216           found nothing
ClamAV             devel-20060126/20060217             found nothing
DrWeb         4.33/20060218          found nothing
eTrust-InoculateIT             23.71.80/20060218             found nothing
eTrust-Vet         12.4.2086/20060217            found nothing
Ewido        3.5/20060218            found nothing
Fortinet           2.69.0.0/20060218             found nothing
F-Prot             3.16c/20060217          found nothing
Ikarus             0.2.59.0/20060217             found
[Backdoor.Linux.Keitan.C]
Kaspersky          4.0.2.24/20060218             found
[Backdoor.Linux.Keitan.c]
McAfee             4700/20060217           found [Linux/DDoS-Kaiten]
NOD32v2            1.1413/20060217         found nothing
Norman             5.70.10/20060217        found nothing
Panda        9.0.0.4/20060218        found nothing
Sophos             4.02.0/20060218         found nothing
Symantec           8.0/20060218            found [Backdoor.Kaitex]
TheHacker          5.9.4.098/20060218            found nothing
UNA          1.83/20060216           found nothing
VBA32        3.10.5/20060217         found nothing

'derfiq' current detection:
AntiVir            6.33.1.50/20060218            found
[Worm/Linux.Lupper.B]
Avast        4.6.695.0/20060216            found nothing
AVG          718/20060217            found nothing
Avira        6.33.1.50/20060218            found [Worm/Linux.Lupper.B]
BitDefender        7.2/20060218            found nothing
CAT-QuickHeal            8.00/20060216           found nothing
ClamAV             devel-20060126/20060217             found nothing
DrWeb         4.33/20060218          found nothing
eTrust-InoculateIT             23.71.80/20060218             found nothing
eTrust-Vet         12.4.2086/20060217            found nothing
Ewido        3.5/20060218            found nothing
Fortinet           2.69.0.0/20060218             found nothing
F-Prot             3.16c/20060217          found nothing
Ikarus             0.2.59.0/20060217             found
[Net-Worm.Linux.Lupper.B]
Kaspersky          4.0.2.24/20060218             found nothing
McAfee             4700/20060217           found nothing
NOD32v2            1.1413/20060217         found nothing
Norman             5.70.10/20060217        found nothing
Panda        9.0.0.4/20060218        found nothing
Sophos             4.02.0/20060218         found nothing
Symantec           8.0/20060218            found [Hacktool]
TheHacker          5.9.4.098/20060218            found nothing
UNA          1.83/20060216           found nothing
VBA32        3.10.5/20060217         found nothing

This write-up can be found here:
http://blogs.securiteam.com/index.php/archives/303

We will notify as we get new updates here:
http://blogs.securiteam.com

             Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
             -- Cara "Starbuck" Thrace, Battlestar Galactica.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]