
Mailing List Archive: Full Disclosure: Full-Disclosure

OpenSSL Worm ?

 

 



ka at khidr

Sep 13, 2002, 3:24 PM

Post #1 of 9
OpenSSL Worm ?


Anybody got the source-code?

My God how I hate it to be dependent on those
Symantec wise guys. The worm is already in
the wild but they won't publish its code.
How important they are, geeeeeee !!!

Ka
- --
"On an evening such as this
it's hard to tell if I exist." Barenaked Ladies
http://www.khidr.net/users/ka/pgpkey.asc


epic at hack3r

Sep 13, 2002, 4:02 PM

Post #2 of 9
Re: OpenSSL Worm ?

Here is the apache one that is going around right now..

check for /tmp/.bugtraq and .bugtraq.c

http://dammit.lt/apache-worm/apache-worm.c


----- Original Message -----
From: "Ka" <ka [at] khidr>
To: <full-disclosure [at] lists>
Sent: Friday, September 13, 2002 4:24 PM
Subject: [Full-Disclosure] OpenSSL Worm ?


> Anybody got the source-code?
>
> My God how I hate it to be dependent on those
> Symantec wise guys. The worm is already in
> the wild but they won't publish its code.
> How important they are, geeeeeee !!!
>
> Ka
> - --
> "On an evening such as this
> it's hard to tell if I exist." Barenaked Ladies
> http://www.khidr.net/users/ka/pgpkey.asc


len at netsys

Sep 13, 2002, 4:39 PM

Post #3 of 9
Re: OpenSSL Worm ?

That is the one from June.. http://www.netsys.com/cgi-bin/displaynews?a=294


On Sat, Sep 14, 2002 at 12:24:39AM +0200, Ka wrote:

[snip]

> Anybody got the source-code?
>
> My God how I hate it to be dependent on those
> Symantec wise guys. The worm is already in
> the wild but they won't publish its code.
> How important they are, geeeeeee !!!
>
> Ka


jonathan at xcorps

Sep 13, 2002, 4:54 PM

Post #4 of 9
Re: OpenSSL Worm ?


On Fri, 13 Sep 2002, EPiC wrote:

> Here is the apache one that is going around right now..
>
> check for /tmp/.bugtraq and .bugtraq.c
>
> http://dammit.lt/apache-worm/apache-worm.c

Old news.

http://online.securityfocus.com/archive/1/279633

- --
Jonathan Rickman
X Corps Security
http://www.xcorps.net




david.kennedy at acm

Sep 13, 2002, 6:03 PM

Post #5 of 9
Re: OpenSSL Worm ?


http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

Note: It's presently at "2" on their scale which they call "Low" on a
scale of 5.



--
Regards,

David Kennedy CISSP                       /"\
Director of Research Services,            \ /  ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com   X   Against HTML Mail
Protect what you connect;                 / \
Look both ways before crossing the Net.


nick at virus-l

Sep 13, 2002, 6:06 PM

Post #6 of 9
Re: OpenSSL Worm ?

> Here is the apache one that is going around right now..
>
> check for /tmp/.bugtraq and .bugtraq.c
>
> http://dammit.lt/apache-worm/apache-worm.c

While Scalper may still be doing the rounds, I doubt that many people
would consider it to be the same thing as the new SSL worm that the
thread's Subject refers to.


Regards,

Nick FitzGerald


nick at virus-l

Sep 13, 2002, 7:35 PM

Post #7 of 9
Re: OpenSSL Worm ?

> New news.
>
> There is a new apache worm, based on the scalper worm from June.

Yes, but posting a link to the old code without clarifying that it is
the previous thing and the current one is possibly modelled on it, is
misleading at best.

<<snip>>
> The worm leaves no entry in httpd.log and does not crash Apache.
> After exploiting the server, it uploads its source as /tmp/.bugtraq.c
> and compiles it as /tmp/.bugtraq

...and listens on port 2002 UDP for commands to launch various DoS
attacks. It also seems to have code to cooperate with other similar
agents in a DDoS network.

> The kiddies are surely having fun at the moment.

For sure...


Regards,

Nick FitzGerald


solareclipse at phreedom

Sep 13, 2002, 8:37 PM

Post #8 of 9
Re: OpenSSL Worm ?

On Fri, Sep 13, 2002 at 07:54:08PM -0400, Jonathan Rickman wrote:
> On Fri, 13 Sep 2002, EPiC wrote:
>
> > Here is the apache one that is going around right now..
> >
> > check for /tmp/.bugtraq and .bugtraq.c
> >
> > http://dammit.lt/apache-worm/apache-worm.c
>
> Old news.
>
> http://online.securityfocus.com/archive/1/279633

New news.

There is a new apache worm, based on the scalper worm from June.

The new variant has a new exploit section and targets Apache/SSL
servers, exploiting the recent vulnerability in OpenSSL 0.6.9d.

The exploit works on Linux servers running the following distributions:

struct archs {
    char *os;
    char *apache;
    int func_addr;
} architectures[] = {
    {"Gentoo", "", 0x08086c34},
    {"Debian", "1.3.26", 0x080863cc},
    {"Red-Hat", "1.3.6", 0x080707ec},
    {"Red-Hat", "1.3.9", 0x0808ccc4},
    {"Red-Hat", "1.3.12", 0x0808f614},
    {"Red-Hat", "1.3.12", 0x0809251c},
    {"Red-Hat", "1.3.19", 0x0809af8c},
    {"Red-Hat", "1.3.20", 0x080994d4},
    {"Red-Hat", "1.3.26", 0x08161c14},
    {"Red-Hat", "1.3.23", 0x0808528c},
    {"Red-Hat", "1.3.22", 0x0808400c},
    {"SuSE", "1.3.12", 0x0809f54c},
    {"SuSE", "1.3.17", 0x08099984},
    {"SuSE", "1.3.19", 0x08099ec8},
    {"SuSE", "1.3.20", 0x08099da8},
    {"SuSE", "1.3.23", 0x08086168},
    {"SuSE", "1.3.23", 0x080861c8},
    {"Mandrake", "1.3.14", 0x0809d6c4},
    {"Mandrake", "1.3.19", 0x0809ea98},
    {"Mandrake", "1.3.20", 0x0809e97c},
    {"Mandrake", "1.3.23", 0x08086580},
    {"Slackware", "1.3.26", 0x083d37fc},
    {"Slackware", "1.3.26", 0x080b2100}
};

But this doesn't mean that other Linux distributions can't be added.

The worm leaves no entry in httpd.log and does not crash Apache.
After exploiting the server, it uploads its source as /tmp/.bugtraq.c
and compiles it as /tmp/.bugtraq

The kiddies are surely having fun at the moment.


Solar Eclipse


delta at FaVeVe

Sep 14, 2002, 5:20 AM

Post #9 of 9
Re: OpenSSL Worm ?

On 14 Sep 2002 at 05:37 +0200, Solar Eclipse wrote:
> The new variant has a new exploit section and targets Apache/SSL
> servers, exploiting the recent vulnerability in OpenSSL 0.6.9d.

Where recent is 30 Jun 2002.


> The worm leaves no entry in httpd.log and does not crash Apache.
> After exploiting the server, it uploads its source as /tmp/.bugtraq.c
> and compiles it as /tmp/.bugtraq

It sets up a kind of peer to peer network using 2002/udp, seems to
be quite noisy (bad design or bad estimation?). Other flavours to
come might use other ports...

The worm can execute arbitrary commands, so it has an upgrade path.
A more silent flavour might make a more efficient use of it...

--
MfG/Best regards,        "A Feature you cannot disable is
helmut springer           considered a bug" comp.os.unix
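
Added example, not part of any post in this thread: a host triage script for the indicators the posters name, the files /tmp/.bugtraq and /tmp/.bugtraq.c and a socket bound to 2002/udp. The function names are hypothetical, the script assumes the Linux /proc/net/udp layout, and a clean result only covers this variant, since the thread itself expects later ones to use other ports.

```shell
#!/bin/sh
# Added example: host triage for the indicators named in this thread.
# Function names are hypothetical; nothing here comes from the posters.

# Report worm files under a filesystem root ($1, default /), so a
# mounted disk image can be checked as well as the live host.
slapper_files() {
    root=${1:-/}
    for f in tmp/.bugtraq tmp/.bugtraq.c; do
        p="${root%/}/$f"
        if [ -e "$p" ] || [ -L "$p" ]; then
            echo "file present: $p"
        fi
    done
}

# Report sockets bound to 2002/udp by reading a /proc/net/udp style
# table ($1). Column 2 is HEXIP:HEXPORT; 2002 decimal is 07D2.
slapper_udp() {
    table=${1:-/proc/net/udp}
    [ -r "$table" ] || return 0
    awk 'NR > 1 {
        n = split($2, a, ":")
        if (toupper(a[n]) == "07D2")
            print "udp/2002 bound: uid=" $8 " inode=" $10
    }' "$table"
}

# Print all findings; exit status 1 when any indicator is present.
slapper_triage() {
    findings=$(slapper_files "$1"; slapper_udp "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

slapper_triage "$@" || echo "indicators found: isolate the host and investigate"
```

The reported inode can be matched against the socket links under /proc/<pid>/fd to find the owning process.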
