   VIRUS ALERTS

Net-Worm.Linux.Mare.d

Original issue date: February 22, 2006

A new variant of the Linux/Lupper worm is spreading in the wild by exploiting vulnerabilities in the Mambo content management system and the PHP XML-RPC library (described in CERT-In Vulnerability Note CIVN-2005-61). The worm propagates by scanning random ports on hosts with vulnerable installations of the Mambo content management system and PHP XML-RPC.

The worm is also known by aliases such as Linux.Plupii.C (Symantec), Unix/ShellBot.C, ELF_LUPPER.F (Trend Micro) and Mare.D (F-Secure).

Upon execution:

  • The worm opens multiple backdoors on the affected system, including an IRC-controlled backdoor on UDP port 27015 that listens for commands from the remote attacker.
  • Generates random IP addresses and builds URLs containing the following strings in order to reach vulnerable systems:
    • /cvs/
    • /articles/mambo/
    • /cvs/mambo/
    • /blog/xmlrpc.php
    • /blog/xmlsrv/xmlrpc.php
    • /blogs/xmlsrv/xmlrpc.php
    • /drupal/xmlrpc.php
    • /phpgroupware/xmlrpc.php
    • /wordpress/xmlrpc.php
    • /xmlrpc/xmlrpc.php

  • The worm sends HTTP requests to the URLs generated above, exploiting several vulnerabilities including:

    • The XML-RPC for PHP Remote Code Injection vulnerability (described in Bugtraq ID 14088)
    • The AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (described in Bugtraq ID 10950)
    • The Darryl Burgdorf Webhints Remote Command Execution Vulnerability (described in Bugtraq ID 13930)

  • It downloads a small shell script from the website [http://]198.170.105.69/[REMOVED]; that script in turn downloads the following files into the temporary folder /temp/.temp:

    • cb - a connect-back shell backdoor that infects ELF files
    • https - a Perl script with IRC backdoor functionality
    • ping.txt - a Perl script that acts as a reverse-shell backdoor
    • httpd - an ELF file detected as the main worm component
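The probe paths listed above are what a web server sees first. The following script is an added example, not part of the CERT-In alert: it parses access-log lines in the Apache "combined" format (an assumed format; the alert shows no logs), flags requests whose path contains one of the listed strings, and counts hits per source address, since random-IP scanning shows up as many distinct sources each hitting a few of these paths. The sample log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
# URL fragments the advisory lists as the worm's probe targets.
WORM_PATHS = (
    "/cvs/", "/articles/mambo/", "/cvs/mambo/", "/blog/xmlrpc.php",
    "/blog/xmlsrv/xmlrpc.php", "/blogs/xmlsrv/xmlrpc.php", "/drupal/xmlrpc.php",
    "/phpgroupware/xmlrpc.php", "/wordpress/xmlrpc.php", "/xmlrpc/xmlrpc.php",
)

# Apache "combined" access-log line (assumed format; the advisory gives no logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    return rec

def matches_worm_probe(path):
    """True if the request path contains one of the advisory's probe strings."""
    return any(fragment in path for fragment in WORM_PATHS)

def find_probes(lines):
    """Return (ip, method, path, status) for every request hitting a probe path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and matches_worm_probe(rec["path"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits

def probes_by_source(hits):
    """Count hits per source IP; random-IP scanning shows up as many single-hit sources."""
    return Counter(ip for ip, _method, _path, _status in hits)

# Constructed sample log lines using documentation IP ranges; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2006:10:15:01 +0530] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [22/Feb/2006:10:15:03 +0530] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Feb/2006:10:15:07 +0530] "GET /cvs/mambo/index.php HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.10 - - [22/Feb/2006:10:15:09 +0530] "POST /drupal/xmlrpc.php?x=1 HTTP/1.1" 404 210 "-" "-"',
]
```

A 404 on these paths still means the host was probed; the hits worth escalating are 200 responses on an xmlrpc.php that is actually installed and unpatched.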

Suggested Actions:

In view of the impact of similar earlier worms, system administrators and users are advised to:

  • turn off unwanted remote services
  • install the latest patches/updates on the server and the affected applications
  • update the anti-virus software

For further details refer to the following URLs:

References

http://www.f-secure.com/v-descs/mare_d.shtml#details
http://www.f-secure.com/weblog/archives/archive-022006.html
http://symantec.com/avcenter/venc/data/linux.plupii.c.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FLUPPER%2EF
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PERL%5FSHELLBOT%2EAI
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=UNIX%5FMARE%2ED
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF%5FMARE%2EC
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921
http://www.hardened-php.net/advisory_152005.67.html
http://awstats.sourceforge.net/#DOWNLOAD
http://mamboforge.net/frs/?group_id=5
http://secunia.com/advisories/14337/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003