Linux.Devnull

Classification

Category :

Malware

Type :

Worm

Platform :

Linux

Aliases :

Linux.Devnull, Devnull, Kaiten

Summary

This worm is related to https://www.f-secure.com/slapper/. This worm was found on Monday the 30th of September 2002.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This worm is known to F-Secure as Linux.Devnull. Some security vendors are calling it Linux.Slapper.D, although the only thing it has common with Slapper is that it uses the same vulnerability.

This worm, once the host has been compromised, downloads and executes a shell script from a web server. This script downloads an gzipped executable file from the same address, it then decompresses and runs the file.

This downloaded file appears to be an IRC client, it connects to different channels and waits for commands to process on the infected host.

Above: a screenshot of the IRC channel used by the worm for remote control of infected machines. The channel had hundreds of bots, each representing one infected machine.

After this, the script downloads another compressed file which contains an executable and a C source code file. It tries to compile the source and runs the executable. The executable will scan for vulnerable hosts and it will use the compiled program to exploit the the known OpenSSL vunerability.

We are currently trying to remove these files from the web server - once this is done, the worm shouldn't be able to spread further. The files seem to be available on a server of a Japanese University.

If a vulnerable host is found it will send the script file and execute it remotely. Then the decribed process starts in the new infected host.

This worm doesn't create a P2P network as Slapper did.