Slapper v2.0 - XML-RPC/Awstats Worm
- URL: http://www.secureworks.com/research/threats/slapperv2
- Date: November 7, 2005
- Author: Joe Stewart
Return of the Living Dead
Someone has taken the circa-2002 Slapper worm code and changed it to use recent web script vulnerabilities in order to spread.
This new worm will mainly affect administrators of bulletin board systems or weblogs (blogs). The vulnerability lies in a setup file called xmlrpc.php that ships with many of these programs. By crafting a certain HTTP POST request, the attacker can execute arbitrary code on the target system. The paths the worm is hard-coded to attempt POSTs to are:
- /xmlrpc.php
- /xmlsrv/xmlrpc.php
- /blog/xmlrpc.php
- /drupal/xmlrpc.php
- /community/xmlrpc.php
- /blogs/xmlrpc.php
- /blogs/xmlsrv/xmlrpc.php
- /blog/xmlsrv/xmlrpc.php
- /blogtest/xmlsrv/xmlrpc.php
- /b2/xmlsrv/xmlrpc.php
- /b2evo/xmlsrv/xmlrpc.php
- /wordpress/xmlrpc.php
- /phpgroupware/xmlrpc.php
In addition, the worm also attempts to spread using a previous vulnerability in Awstats, a web-based hit statistics package. The worm attempts to send a GET request to awstats.pl found in any of the following locations:
- /cgi-bin/
- /awstats/
- /cgi-bin/awstats/
- /cgi/awstats/
- /scripts/
- /cgi-bin/stats/
- /stats/
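Because both spreading routines above use fixed request paths, a web server's access log is the natural place to look for the worm's probing. The following detector is an added example written for this page, not code from SecureWorks or from the worm itself. It assumes Apache/NCSA Combined Log Format and scans a handful of constructed sample lines (documentation-range IP addresses, made-up timestamps) for POSTs to the xmlrpc.php paths and GETs to awstats.pl in the directories listed, then reports which source hosts touched more than one distinct target path.

```python
import re
from urllib.parse import urlsplit

# Hard-coded xmlrpc.php paths the advisory says the worm POSTs to.
XMLRPC_PATHS = {
    "/xmlrpc.php", "/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
    "/drupal/xmlrpc.php", "/community/xmlrpc.php", "/blogs/xmlrpc.php",
    "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php",
    "/blogtest/xmlsrv/xmlrpc.php", "/b2/xmlsrv/xmlrpc.php",
    "/b2evo/xmlsrv/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/phpgroupware/xmlrpc.php",
}

# Directories the advisory says the worm GETs awstats.pl from.
AWSTATS_DIRS = {
    "/cgi-bin/", "/awstats/", "/cgi-bin/awstats/", "/cgi/awstats/",
    "/scripts/", "/cgi-bin/stats/", "/stats/",
}
AWSTATS_PATHS = {d + "awstats.pl" for d in AWSTATS_DIRS}

# Assumed log format: Combined Log Format
#   host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2005:10:15:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [07/Nov/2005:10:15:03 -0500] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 291 "-" "-"',
    '203.0.113.7 - - [07/Nov/2005:10:15:04 -0500] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 291 "-" "-"',
    '198.51.100.4 - - [07/Nov/2005:10:16:00 -0500] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Nov/2005:10:16:05 -0500] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Nov/2005:10:16:09 -0500] "GET /stats/awstats.pl?lang=en HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return ("xmlrpc" | "awstats", host, path) when the request matches one
    of the worm's hard-coded targets, else None (including unparseable lines).

    The HTTP status is deliberately ignored: a 404 still records that the
    source probed a worm path, which is the signal we want."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    # Drop any query string and normalise case before matching.
    path = urlsplit(m.group("target")).path.lower()
    if method == "POST" and path in XMLRPC_PATHS:
        return ("xmlrpc", m.group("host"), path)
    if method == "GET" and path in AWSTATS_PATHS:
        return ("awstats", m.group("host"), path)
    return None


def scan(lines):
    """All matching (kind, host, path) tuples from an iterable of log lines."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def paths_by_host(hits):
    """Map each source host to the set of distinct worm target paths it hit."""
    by_host = {}
    for _kind, host, path in hits:
        by_host.setdefault(host, set()).add(path)
    return by_host


def suspicious_hosts(hits, min_paths=2):
    """Hosts that touched at least min_paths distinct target paths. A single
    hit can be a legitimate XML-RPC client or someone viewing their stats;
    one source walking several of the hard-coded paths looks like the worm."""
    return sorted(h for h, paths in paths_by_host(hits).items()
                  if len(paths) >= min_paths)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for kind, host, path in found:
        print(f"{kind:8} {host:15} {path}")
    print("suspicious:", suspicious_hosts(found))
```

Run against a real log, the matches are a trigger for review rather than proof of compromise: blog clients legitimately POST to xmlrpc.php and administrators legitimately GET awstats.pl, so the per-host correlation in suspicious_hosts is what separates a scan from normal use.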
The binary containing the Slapper code plus the two new exploits is named "lupii". The original SSL exploit involved in the spread of the original Slapper worm has been removed.
In addition, we are seeing possibly unrelated automated XML-RPC exploit attempts in order to inject another binary named "cback", which is just a connect-back shell. At this time it is unknown if the cback executable is being used to download additional malware, as the connect-back host is down.
Origins
The original Slapper worm contained code to create a distributed denial-of-service botnet. Likewise, this new worm has the same functionality. The DDoS code in both worms is incorporated from a program called "pud" by contem@efnet, which is one handle used by known spam coder Ben Kittridge (although he usually goes by the handle Bysin). Kittridge's name also appears in the original Kridge.A spam proxy trojan (as does the name contem@efnet). At the time of the original Slapper release in 2002, Kittridge distanced himself from the Slapper author (calling him "some script kiddie") in a post to Bugtraq. However, Kittridge admits to coding tools for spammers in an interview with Brian McWilliams, author of the book Spam Kings.
Update
Some names the AV industry has given this worm:
- Linux.Plupii
- Lupper.worm
- Linux/Lupper.A
- Linux/Lupper.B
Solution
Search the public document tree of any PHP-enabled Unix-based web server for xmlrpc.php and remove it, or upgrade the package that installed it. awstats.pl should likewise be upgraded. Hackers are increasingly targeting off-the-shelf web scripts written in PHP, and less often Perl, so any OTS free or widely-deployed code should have a thorough security audit before being deployed on a public server.
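The inventory step above is easy to get wrong on a server hosting several packages, since xmlrpc.php can sit several directories deep (as the path list earlier on this page shows). The walker below is an added example for this page, not SecureWorks code; it builds a constructed sample document tree in a temporary directory and reports every copy of the two scripts the advisory names, relative to the document root, so each one can be matched to the package that owns it and then removed or upgraded.

```python
import os
import tempfile

# The two scripts this advisory names as the worm's targets.
TARGET_NAMES = {"xmlrpc.php", "awstats.pl"}


def find_exposed_scripts(docroot):
    """Walk docroot and return the sorted, docroot-relative paths of every
    xmlrpc.php and awstats.pl found. Matching is case-insensitive so a copy
    named XMLRPC.PHP on a case-insensitive filesystem is not missed."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() in TARGET_NAMES:
                full = os.path.join(dirpath, name)
                found.append(os.path.relpath(full, docroot))
    return sorted(found)


def build_sample_docroot():
    """Constructed stand-in for a real web root: two blog packages plus a
    cgi-bin, each with placeholder file contents."""
    root = tempfile.mkdtemp(prefix="docroot_")
    sample_files = [
        "index.php",
        "wordpress/xmlrpc.php",
        "wordpress/wp-login.php",
        "b2evo/xmlsrv/xmlrpc.php",
        "cgi-bin/awstats.pl",
        "cgi-bin/other.cgi",
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel in find_exposed_scripts(root):
        print(rel)
```

Point find_exposed_scripts at the real document root (for example /var/www) to produce the list. Removing xmlrpc.php disables remote posting for clients that rely on it, so where that feature is in use, upgrading the owning package is the option to take.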
