Malware type: Worm
Aliases: Net-Worm.SunOS.Wanuk.a (Kaspersky), SunOS/Wanuk.worm (McAfee), Solaris.Wanuk.Worm (Symantec), Worm/Wanuk.A (Avira)
In the wild: Yes
Destructive: No
Language: English
Platform: Sun Solaris 10/11
Encrypted: No
Overall risk rating:
Reported infections:
Damage potential:
Distribution potential:
Infection Channel 1: Propagates via software vulnerabilities
Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Comments/Suggestions
This memory-resident ELF malware propagates by exploiting the Sun Solaris TelNet Remote Authentication Bypass vulnerability, a known vulnerability in the Sun Solaris 10/11 TelNet daemon, in.telnetd. Exploiting it gives the malware remote console access to an affected system without proper authentication.
More information about this vulnerability is found in the following Web page: Sun Solaris TelNet Remote Authentication Bypass Vulnerability
When executed, this ELF malware drops several Intel or SPARC components into the /var/adm/sa/.adm and /var/spool/lp/admins/.lp folders, depending on the processor installed in the affected system. It also creates crontab entries so that it runs automatically at every system startup.
It also has backdoor capabilities. It connects to a certain port where a Unix shell is bound, through which arbitrary commands can be executed on the affected system.
If this ELF malware runs on the 13th day of the month between 1 AM and 5 AM, it attempts to broadcast a randomly selected message to all users currently logged in on a TelNet session. The message can be any of the following:
[flattened ASCII-art stick figures] We're having fun, and you don''t.
[ASCII-art banner reading "Theo deRaadt SUCKS!"]
W O R M S A G A I N S T N U C L E A R K I L L E R S
[ASCII-art banner reading "WANK"]
Your System Has Been Officically WANKed
You talk of times of peace for all, and then prepare for war.
# rm -rf /* &
23858
# rm: Unable to remove directory /dev/fd: Device busy
rm: Unable to remove directory /dev: File exists
rm: Unable to remove directory /devices: Device busy
rm: Unable to remove directory /etc: File exists
rm: Unable to remove directory /home: Device busy
rm: Unable to remove directory /lib: File exists
rm: Unable to remove directory /net: Device busy
rm: Unable to remove directory /opt: Device busy
rm: Unable to remove directory /proc: Device busy
rm: Unable to remove directory /system: File exists
rm: Unable to remove directory /tmp: Device busy
rm: Unable to remove directory /usr/openwin: Device busy
rm: Unable to remove directory /usr: File exists
#
--- in.telnetd.c Sat Apr 1 00:00:00 1989 +++ in.telnetd.3629.c Sat Apr 1 00:00:00 1989 @@ -20,7 +20,7 @@ */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserv'ed. + * Copyright 2007 Sun Microsystems, Inc. All rights reserv'ed. * Use is subject to license terms. */ @@ -3189,18 +3189,17 @@ * login will have to authenticate further. */ (void) execl(LOGIN_PROGRAM, "login", - "-p", - "-d", slavename, - "-h", host, - "-s", pam_svc_name, - (AuthenticatingUser != NULL ? Au'thenticatingUser : - getenv("USER")), - 0); + "-p", + "-d", slavename, + "-h", host, + "-s", pam_svc_name, "--", ,br> + (AuthenticatingUser != NULL ? Authentica'tingUser : + getenv("USER")), 0); } else /* default, no auth. info available, login do'es it all */ { (void) execl(LOGIN_PROGRAM, "login", - "-p", "-h", host, "-d", slavenam'e, - getenv("USER"), 0); + "-p", "-h", host, "-d", slavename, "--", + getenv("USER"), 0); } fatalperror(netfd, LOGIN_PROGRAM, errno);
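Review bot: as printed, this patch would neither apply nor compile, so it cannot be taken as the actual fix: the stray ",br>" token after "--", in the second hunk is HTML residue, the apostrophes inside reserv'ed, Au'thenticatingUser, Authentica'tingUser, slavenam'e and do'es break identifiers and comments, and both file headers carry an obviously fake 1989 timestamp. The one substantive change it shows is sound, though: each execl() of LOGIN_PROGRAM gains a "--" argument immediately before the caller-influenced getenv("USER") value, so login stops option parsing there and a USER string beginning with "-" is treated as a username instead of an option. The copyright-year bump in the first hunk is noise and should not be part of a security fix.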
[ASCII-art image drawn in asterisks; not recoverable as text]
[ASCII-art creature] Please hug me, fucker
[ASCII-art drawing in dots and quotes; not recoverable as text]
Hi, I'm Casper, I am a bored Sun developer and I wrote this piece of code.
GADI, SHUT THE FUCK UP! GADI, SHIT THE THICK HYPE! YOURS! GADI, CHAT THE FAKE APE! UP GADI, SHOT THE FOCK HOPE! YOURS! GADI, SHET THE FECK EP! UP YOURS! Gadi, JUST shut the fuck UP. YOURS! GADI, CHAT THE FAKE APE! UP GADI, SHOT THE FOCK HOPE! YOURS! GADI, SHIT THE THICK HYPE! UP GADI, SHET THE FECK EP! YOURS! GADI, SHUT THE FUCK UP!
[ASCII-art turkey with speech bubble] Nope... Just a talking turkey.
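A read-only host check for the indicators described in this entry, added here as an example and not part of the Trend Micro write-up: it looks for the two drop directories named above and for crontab entries that reference them. The Solaris crontab location and the optional ROOT prefix (for running the check against a copied filesystem tree) are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the Trend Micro entry: read-only check for the
# Wanuk indicators described above. The two drop directories come from the
# entry; the crontab directory and the ROOT prefix are assumptions.

WANUK_DIRS="/var/adm/sa/.adm /var/spool/lp/admins/.lp"
CRON_DIR="/var/spool/cron/crontabs"   # per-user crontabs on Solaris (assumed)

# check_dirs [ROOT]: print each Wanuk drop directory that exists under ROOT.
# ROOT defaults to the live filesystem. Returns 0 if any was found, else 1.
check_dirs() {
  root=${1:-}
  found=1
  for d in $WANUK_DIRS; do
    if [ -d "$root$d" ]; then
      echo "drop directory present: $root$d"
      found=0
    fi
  done
  return $found
}

# cron_hits: read crontab text on stdin and print every entry that runs
# something out of a Wanuk drop directory (the entry's persistence mechanism).
# Returns grep's status: 0 when at least one line matched.
cron_hits() {
  grep -E '/var/adm/sa/\.adm|/var/spool/lp/admins/\.lp'
}

# scan_host [ROOT]: run both checks over ROOT; returns 0 if anything was found.
scan_host() {
  root=${1:-}
  status=1
  check_dirs "$root" && status=0
  for f in "$root$CRON_DIR"/*; do
    [ -f "$f" ] || continue
    if hits=$(cron_hits < "$f"); then
      echo "suspicious crontab $f:"
      echo "$hits"
      status=0
    fi
  done
  return $status
}
```

Run `scan_host` as root on the live system, or `scan_host /mnt/image` against a mounted copy of a suspect disk.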
Description created: Feb. 28, 2007 7:41:22 PM GMT -0800