update on the linux worm

To: bugtraq@xxxxxxxxxxxxxxxxx, "\"full-disclosure@xxxxxxxxxxxxxxxxx\" u" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: update on the linux worm
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Sun, 19 Feb 2006 07:36:03 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

A quick digest of some updates from the last few hours on this issue:

1. The worm is based on 'kaiten', which has been going around indifferent variants for a long time now.


2. This worm is new.

3. The first part exploits PHP applications, like these variantsnormally do.


4. The second part spreads to other systems.

5. The worm connects to a botnet C&C based on two Fast-flux DNS RR'swhich are not there anymore, and as they change, are taken down.


As always, more updates if necessary on: http://blog.securiteam.com

Thanks,

        Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.

Follow-Ups:
- Re: update on the linux worm
  - From: Stephen J. Smoogen

Prev by Date: [OpenPKG-SA-2006.004] OpenPKG Security Advisory (postgresql)
Next by Date: [eVuln] Magic Calendar Lite Authentication Bypass
Previous by thread: [OpenPKG-SA-2006.004] OpenPKG Security Advisory (postgresql)
Next by thread: Re: update on the linux worm
Index(es):
- Date
- Thread