Details
Worm.FreeBSD.Scalper.a
I-Worm.Scalper, also known as "FreeBSD.Scalper.worm", "ELF/FreeApworm", "ELF_SCALPER.A"
Scalper is an Internet worm that infects FreeBSD servers by exploiting a vulnerability in the popular "Apache" web server software. It also acts as a backdoor on infected systems, accepting a variety of "orders" to run commands on the local machine, flood a specified IP address, send e-mail, etc.
The "Apache" versions vulnerable to the exploit used by the worm are 1.3.x up to 1.3.24, all 2.0.x versions up to 2.0.36, and all of the older 1.2.x versions. To fix the vulnerability, install the patched versions "1.3.26"/"2.0.39" or later.
At the time of writing of this description, the worm is not believed to be in the wild.
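The version ranges above are the ones an administrator has to check an Apache inventory against. The following is an added example (not part of the original description, and not code from the worm or from Apache) that parses a `Server:` banner and classifies it against those ranges; it also separates the broad CA-2002-17 range from the much narrower set of versions (1.3.20 and 1.3.22-1.3.24) that the worm's own exploit is described as working against. The classification table, the banner format, and the sample banners are constructed for this example. One caveat a practitioner will want: a banner check is only as good as the banner, since `ServerTokens` can hide the version entirely, so versions that cannot be read, and the releases the text does not classify (1.3.25, 2.0.37, 2.0.38), come back as "unknown" rather than being guessed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Ranges as stated in the description: vulnerable up to and including these
# patch levels, fixed from the recommended patched release onward.
VULNERABLE_UP_TO = {(1, 3): 24, (2, 0): 36}
PATCHED_FROM = {(1, 3): 26, (2, 0): 39}

# Patch levels of the 1.3 branch that the worm's exploit is described as
# targeting (1.3.20 and 1.3.22-1.3.24).
SCALPER_TARGET_PATCHES = {20, 22, 23, 24}

_BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a Server banner, or None if absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    """Classify a banner as vulnerable / patched / unknown / not-apache."""
    v = parse_apache_version(banner)
    if v is None:
        # Either not Apache, or ServerTokens hides the version: do not guess.
        return "not-apache-or-no-version"
    major, minor, patch = v
    branch = (major, minor)
    if branch == (1, 2):
        return "vulnerable"          # every 1.2.x release is listed as vulnerable
    if branch in VULNERABLE_UP_TO:
        if patch <= VULNERABLE_UP_TO[branch]:
            return "vulnerable"
        if patch >= PATCHED_FROM[branch]:
            return "patched"
        return "unknown"             # 1.3.25, 2.0.37, 2.0.38: not classified by the text
    if branch > (2, 0):
        # Assumption: branches released after 2.0.39 carry the fix.
        return "patched"
    return "unknown"


def is_scalper_target(banner: str) -> bool:
    """True only for the 1.3.x releases the worm's exploit is described to work on."""
    v = parse_apache_version(banner)
    return v is not None and v[:2] == (1, 3) and v[2] in SCALPER_TARGET_PATCHES


def summarize(banners: List[str]) -> Dict[str, int]:
    """Count banners per classification, so an inventory can be triaged at a glance."""
    counts: Dict[str, int] = {}
    for b in banners:
        counts[classify(b)] = counts.get(classify(b), 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample banners, not collected from any real host.
    sample = [
        "Server: Apache/1.3.22 (Unix)",
        "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10",
        "Server: Apache/2.0.36",
        "Server: Apache/2.0.39",
        "Server: Apache/1.3.25",
        "Server: Apache",          # version hidden by ServerTokens
        "Server: nginx/1.18.0",
    ]
    for b in sample:
        print(f"{b!r:50} -> {classify(b):26} worm target: {is_scalper_target(b)}")
    print(summarize(sample))
```

Run it as a script to see the per-banner verdicts; in a real environment the banners would come from your own host inventory, and the "unknown" and hidden-version rows are the ones to resolve from the package manager rather than from the network.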
Relevant links:
Apache Security Bulletin, June 20, 2002
http://httpd.apache.org/info/security_bulletin_20020620.txt
Apache Web Server Chunk Handling Vulnerability
http://www.cert.org/advisories/CA-2002-17.html
Technical details of the "Scalper" worm
The worm attacks randomly generated IP address ranges of the form a.b.x.x, where "a" is selected from an array of 162 possible values, "b" is a random byte, and "x.x" is scanned incrementally from "0.0" up to "255.255". For each address, the worm first checks that it does not refer to the local machine (e.g. addresses of the form 127.x.x.x), then tries to connect on port 80 and sends a simple "GET /" request to check whether the server runs Apache. If the server's reply includes the string "Apache", the worm attempts to exploit the Server Chunk Handling vulnerability by sending a set of two specially crafted buffers; these only work against two very specific Apache versions, 1.3.20 and 1.3.22-24.
If the exploit succeeds, the worm sends itself in UUENCODED form to a file in the "/tmp" directory, unpacks it as "/tmp/.a", and runs it. When run, the worm again enters the replication cycle, looking for more hosts, and activates the backdoor component on UDP port 2001. The backdoor accepts a rather large set of commands, among them flooding remote systems with UDP, TCP, DNS or RAW packets, running local commands, downloading a binary from a remote machine via HTTP and running it, sending e-mail, and providing information on the configuration of the compromised machine.
All communication with the backdoor is encrypted; however, the encryption is static and is probably performed only to prevent direct analysis of the traffic.
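The two host-side indicators the description gives, a UDP listener on port 2001 and a binary unpacked as "/tmp/.a", are what an incident responder would look for on a FreeBSD web server. The following is an added example (not part of the original description) of a small hunt over `sockstat -4 -l` style output: it flags any socket bound to udp4 port 2001 and any listening process whose command name is ".a", and reports the PIDs involved. The column layout (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and the sample lines are constructed for this example; the backdoor port and file name come from the description.

```python
from typing import Dict, List

# Indicators taken from the description of the worm.
BACKDOOR_UDP_PORT = 2001
DROPPED_BINARY_NAME = ".a"   # the worm unpacks itself as /tmp/.a


def parse_sockstat(lines: List[str]) -> List[Dict[str, str]]:
    """Parse sockstat-style listener lines into dicts; skips the header and blanks.

    Assumed column order: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS.
    """
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        records.append({
            "user": user, "command": command, "pid": pid, "fd": fd,
            "proto": proto, "local": local, "foreign": foreign,
        })
    return records


def local_port(address: str) -> int:
    """Return the port of an address such as '*:2001' or '10.0.0.5:80' (-1 if none)."""
    _, _, port = address.rpartition(":")
    return int(port) if port.isdigit() else -1


def find_scalper_indicators(lines: List[str]) -> List[str]:
    """Return one finding string per suspicious listener, empty if nothing matched."""
    findings = []
    for r in parse_sockstat(lines):
        reasons = []
        if r["proto"].startswith("udp") and local_port(r["local"]) == BACKDOOR_UDP_PORT:
            reasons.append(f"udp listener on backdoor port {BACKDOOR_UDP_PORT}")
        if r["command"] == DROPPED_BINARY_NAME:
            reasons.append(f"process named {DROPPED_BINARY_NAME!r} (worm is unpacked as /tmp/.a)")
        if reasons:
            findings.append(f"pid {r['pid']} ({r['command']}, user {r['user']}): " + "; ".join(reasons))
    return findings


# Constructed sample output, not captured from a real system.
SAMPLE_SOCKSTAT = [
    "USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS",
    "root     sshd       612   4  tcp4   *:22                  *:*",
    "www      httpd      701   16 tcp4   *:80                  *:*",
    "www      .a         1337  3  udp4   *:2001                *:*",
    "root     syslogd    455   5  udp4   *:514                 *:*",
]

if __name__ == "__main__":
    for f in find_scalper_indicators(SAMPLE_SOCKSTAT):
        print("SUSPICIOUS:", f)
```

The check is deliberately narrow: a legitimate service can own UDP 2001 and a process name can be changed, so a hit is a lead to confirm by inspecting the process's executable and the /tmp directory, not a verdict on its own.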