Posted on Tuesday, February 27th, 2007

Solaris Telnet Scanning — Possible Worm?

by Jose Nazario

Updated Information Below – 28 Feb 2007

This morning on ATLAS we saw a pair of hosts scanning for Telnet servers. While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, it is related to a recent Solaris bug, specifically CVE-2007-0882 (the telnet “-froot” bug). Two boxes in the same subnet were scanning for it and hitting ATLAS; reports from another site indicate that another box on that same subnet was scanning them as well.


Last night a team member found what appears to be a Sun Solaris telnet worm using this vulnerability. What’s kind of cute about the worm is that the strings contain a lot of old school messages, like the WANK worm, the Witty Worm, and a few others (including some to Gobbles). Here’s the file manifest and MD5’s of the files:

MD5 (./sunworm.tar.gz) = cf4a9970f3b1f790097f948a89b3c0b6
MD5 (./adm/acctadm) = 499ea70ee52a0dc8157bd5af17939dd2
MD5 (./adm/.i86pc) = beb297d10410351c3de482011ad29930
MD5 (./adm/.lp-door.i86pc) = d941a72058f87c26204aeafc98f44875
MD5 (./adm/.lp-door.sun4) = d48a524ec0ad6c36c248e06e0b6efffa
MD5 (./adm/.sun4) = 499ea70ee52a0dc8157bd5af17939dd2
MD5 (./lp/lpfilter) = d48a524ec0ad6c36c248e06e0b6efffa
MD5 (./lp/.lp-door.sun4) = d48a524ec0ad6c36c248e06e0b6efffa
MD5 (./path_of_adm) = 0d7ca664603b7291fb24b58e22cc6dad
MD5 (./path_of_lp) = 3a3cba85cfb7466001fd3d7900ebb8be
MD5 (./sunworm.zip) = c48866d374859d223b20911c7ad3aa01

The “path of” files just point to the appropriate binary (this worm appears to be cross platform, x86 or SPARC):

/var/adm/sa/.adm
/var/spool/lp/admins/.lp

And the main binaries under “adm/” are built for both platforms:

acctadm:        ELF 32-bit MSB executable, SPARC, version 1
.i86pc:         ELF 32-bit LSB executable, Intel 80386, version 1
.lp-door.i86pc: ELF 32-bit LSB executable, Intel 80386, version 1
.lp-door.sun4:  ELF 32-bit MSB executable, SPARC, version 1
.sun4:          ELF 32-bit MSB executable, SPARC, version 1

The worm attempts to log into your systems as the users “lp” or “adm” and execute a bunch of shell commands (some of which are visible in the IDA screen shot below) to set up shop and keep on truckin’. Very old school, reminds me of the old ADM worms I saw back in the late ’90s that got me interested in self-propagating malware in the first place.
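As an added host-triage example (not code from the post, and nothing from the worm itself), the following Python checks the two drop paths named above, hashes whatever it finds against the MD5 manifest from the post, and classifies any ELF binary by class, byte order and machine the way the `file` output above does. The sample tree and the two ELF header stubs are constructed here; on a real system or mounted image you would pass its root to `scan_root`.

```python
import hashlib, os, struct, tempfile

# Drop locations named in the post (relative to the filesystem root being examined).
WORM_PATHS = ("var/adm/sa/.adm", "var/spool/lp/admins/.lp")
# MD5s from the post's manifest (duplicated values collapse into the set).
KNOWN_MD5 = {
    "cf4a9970f3b1f790097f948a89b3c0b6", "499ea70ee52a0dc8157bd5af17939dd2",
    "beb297d10410351c3de482011ad29930", "d941a72058f87c26204aeafc98f44875",
    "d48a524ec0ad6c36c248e06e0b6efffa", "0d7ca664603b7291fb24b58e22cc6dad",
    "3a3cba85cfb7466001fd3d7900ebb8be", "c48866d374859d223b20911c7ad3aa01",
}

def elf_arch(data):
    """Classify an ELF header the way file(1) prints it: class, byte order, type, machine."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown-class")
    order = {1: "LSB", 2: "MSB"}.get(data[5], "unknown-order")
    fmt = "<HH" if data[5] == 1 else ">HH"   # e_type and e_machine sit at offset 16
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    kind = "executable" if e_type == 2 else "type %d" % e_type
    machine = {2: "SPARC", 3: "Intel 80386"}.get(e_machine, "machine %d" % e_machine)
    return "ELF %s %s %s, %s" % (bits, order, kind, machine)

def scan_root(root):
    """List every file under the drop paths with its MD5, manifest match and ELF class."""
    findings = []
    for rel in WORM_PATHS:
        top = os.path.join(root, rel)
        if not os.path.exists(top):
            continue
        files = [top] if os.path.isfile(top) else [
            os.path.join(d, f) for d, _, fs in os.walk(top) for f in fs]
        for path in files:
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.md5(data).hexdigest()
            findings.append({"path": os.path.relpath(path, root), "md5": digest,
                             "known": digest in KNOWN_MD5, "elf": elf_arch(data)})
    return findings

# Constructed sample: two 20-byte ELF header stubs standing in for the dropped binaries.
SPARC_STUB = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, 2)
I386_STUB = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 3)

def build_sample_root():
    # Throwaway tree that plants the stubs at the worm's paths (sample data only).
    root = tempfile.mkdtemp()
    for rel, blob in zip(WORM_PATHS, (SPARC_STUB, I386_STUB)):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return root
```

A file present at either path whose hash is not in the manifest still deserves a look: it is an unexpected artifact in a location no legitimate Solaris package uses.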

If you haven’t patched yet, you should. See the instructions from Sun on how to do that. Better yet just disable Telnet. It’s 2007, after all.

Update: Sun has released an inoculation script for systems that may be affected.

10 Responses



Comment Post by: Solaris worm based on Telnet vulnerability? at Security Samizdat — February 27th, 2007 @ 7:26 pm EST

[...] Read it all at the Arbor Security Blog. [...]

Comment Post by: Latinnoticias Todo Sobre La Red » Posible gusano explotando bug de Solaris — February 28th, 2007 @ 7:03 am EST

[...] In fact, some signs even suggest the existence of a cross-platform worm (x86 and SPARC) that would try to connect to vulnerable systems as the user “lp” or “adm” and then execute commands in the system shell. [...]

Comment Post by: Harry Waldron - Microsoft MVP Blog : Solaris Telnet based worm seen in the wild — February 28th, 2007 @ 2:18 pm EST

[...] self-propagating malware in the first place. Published Wednesday, February 28, 2007 7:11 PM by harry [...]

Comment Post by: 02/03 news « Oscaraleeto — March 2nd, 2007 @ 9:39 am EST

[...] Solaris worm? Solaris Telnet Scanning — Possible Worm? Telnet Worm Exploiting Zero-Day Bug In Solaris I don’t know why, but this reminded me of the Robert Morris worm [...]

Comment Post by: Un lugar en el mundo… » Blog Archive » Retazos de la semana (y XIV) — March 3rd, 2007 @ 12:31 am EST

[...] A worm on Solaris. No consequences, but there it is. Details here. [...]

Comment Post by: Windows Security Blogs » Blog Archive » Solaris Telnet based worm seen in the wild — March 13th, 2007 @ 6:36 pm EST

[...] http://isc.sans.org/diary.html?storyid=2316 http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1 http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/ QUOTE: The worm attempts to log into your systems as the users “lp” or “adm” and execute a bunch of shell commands (some of which are visible in the IDA screen shot below) to set up shop and keep on truckin’. Very old school, reminds me of the old ADM worms I saw back in the late 90’s that got me interested in self-propagating malware in the first place. [...]

Comment Post by: Freekee — November 12th, 2008 @ 2:03 am EST

Something like this has been stuck in my head for a year now!

Comment Post by: Бежен — February 5th, 2009 @ 3:19 pm EST

Tell me, may I take articles from your site? With a link to the original source, of course. :)

Comment Post by: Jose Nazario — February 5th, 2009 @ 6:24 pm EST

You can quote with attribution but a full copy is not permitted. Everyone likes original content.
