Linux/Slapper.worm.d

Type
Virus
SubType
Internet Worm
Discovery Date
09/30/2002
Length
sslx.c 20265 bytes
Minimum DAT
4227 (10/02/2002)
Updated DAT
4251 (03/05/2003)
Minimum Engine
5.1.00
Description Added
10/01/2002
Description Modified
10/04/2002 11:21 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

The Linux/Slapper.d worm is based upon the original Linux/Slapper.a.worm exploit code. The worm uses a shell script to download files from a specific web server.

The worm downloads a file called "k.gz" and tries to decompress and run it. The extracted file "k" is an ELF binary. This file is detected as Linux/DDoS-Kaiten with DAT 4227 or higher. See DDoS/Kaiten for details.

The worm then checks for the presence of the "gcc" compiler on the local system and, if found, creates a directory called .socket2. Next it downloads a compressed file called "devnull.tgz". Decompressing it produces two files: an ELF binary called "devnull" and a source file called "sslx.c". The sslx.c file is compiled into an ELF binary "sslx". These files are detected as Linux/Slapper.worm with DAT 4227 or higher.

So when active the worm runs the processes "k", "devnull" and "sslx".

It can be controlled through IRC channels, although the impact will probably be limited: the web server it tries to download the files from is specific, and unlike previous Linux/Slapper variants it does not build a virtual network, so the risk of DDoS attacks is lower.

Symptoms

-Presence of k.gz, compressed, 15740 bytes
-Presence of k, ELF binary, 37237 bytes
-Presence of /.socket/devnull.tgz, compressed, 13507 bytes
-Presence of /.socket/devnull, ELF binary, 19050 bytes
-Presence of /.socket/sslx.c, source, 20265 bytes
-Presence of /.socket/sslx, ELF binary, size variable
-Presence of script.sh, shell script, 471 bytes

Method of Infection

Removal

Detection is included in the specified DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete the files identified by the scanner, replace them with clean copies from backup or re-install them from the original packages, then reboot the system.

You need to inspect the contents of the 'crontab' file and remove unwanted entries.

It is advisable to remove the C compiler from the server or restrict the access rights to the compiler. Disabling compilers on production systems is recommended as a good security practice.

Administrators should regularly check for the availability of important security updates and patches.
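As an added example that is not part of this description or of the worm's code, the following POSIX shell script turns the Symptoms list and the crontab and process checks from the Removal section into a read-only host check. It assumes the .socket directory named in the Symptoms list (the Characteristics text names .socket2), looks for k.gz, k and script.sh both at the scan root and inside .socket because the description gives them no directory, and treats "size variable" as a reason to flag a file for review rather than to ignore it.

```shell
#!/bin/sh
# Added example, not part of the McAfee description or the worm's own code:
# a read-only check for the Linux/Slapper.worm.d artefacts listed under Symptoms.
# It only reports; cleanup is still "delete what the scanner flags and restore
# from backup" as the Removal section says.

# Indicator table taken from the Symptoms section: relative path and expected
# size in bytes. "-" means "size variable" (sslx is compiled on the victim, so
# its size differs per host). Assumption: k.gz, k and script.sh are listed
# without a directory, so they are looked for both at the scan root and in
# .socket alongside the other files.
SLAPPER_D_FILES='
.socket/devnull.tgz 13507
.socket/devnull 19050
.socket/sslx.c 20265
.socket/sslx -
.socket/k.gz 15740
.socket/k 37237
.socket/script.sh 471
k.gz 15740
k 37237
script.sh 471
'

# Process names the description says the active worm runs.
SLAPPER_D_PROCS='k devnull sslx'

# Size of a file in bytes (tr strips the padding BSD wc prints).
file_size() { wc -c < "$1" | tr -d ' '; }

# slapper_d_scan ROOT: print one line per indicator file present under ROOT.
#   MATCH   <path> <size>   size equals the one in the description
#   SUSPECT <path> <size>   present, but size differs or is listed as variable
# A SUSPECT line still deserves a look: sizes change with the build.
slapper_d_scan() {
    root="${1:-/}"
    while read -r rel expected; do
        if [ -z "$rel" ]; then continue; fi
        path="${root%/}/$rel"
        if [ ! -f "$path" ]; then continue; fi
        size=$(file_size "$path")
        if [ "$expected" != "-" ] && [ "$size" -eq "$expected" ]; then
            echo "MATCH $path $size"
        else
            echo "SUSPECT $path $size"
        fi
    done <<EOF
$SLAPPER_D_FILES
EOF
}

# slapper_d_proc_hits: read process command names on stdin, one per line as
# printed by `ps -eo comm=`, and echo the ones that equal a worm process name.
# Usage: ps -eo comm= | slapper_d_proc_hits
slapper_d_proc_hits() {
    while read -r name; do
        for p in $SLAPPER_D_PROCS; do
            if [ "$name" = "$p" ]; then echo "$name"; fi
        done
    done
}

# slapper_d_cron_hits: read crontab lines on stdin and echo those that mention
# the worm's files or processes, to support the manual crontab inspection the
# Removal section asks for. Usage: crontab -l | slapper_d_cron_hits
# (run it over /etc/crontab and each file under /var/spool/cron as well).
# The word boundaries keep "/dev/null" from matching "devnull".
slapper_d_cron_hits() {
    grep -E '(^|[^A-Za-z0-9_.])(\.socket|k\.gz|sslx|devnull|script\.sh)([^A-Za-z0-9_]|$)' || :
}

# Stand-alone use: sh slapper_d_check.sh scan   (read-only; reading /.socket may need root)
case "${1:-}" in
    scan) slapper_d_scan / ; ps -eo comm= 2>/dev/null | slapper_d_proc_hits ;;
esac
```

The scan root argument exists so the check can be pointed at a mounted image of a suspect disk instead of the live system; the process and crontab helpers read from stdin for the same reason, so saved `ps` and `crontab -l` output from the host can be checked offline.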

Recommended links:
Caldera
Debian
FreeBSD
Redhat
Sun
SuSe

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Linux/Devnull
  • Linux/Kaiten
  • Linux/Mighty
