SANS ISC: Allaple worm

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

This comes from one of our friends over at the Finish cert team CERT-FI / FICORA.

"CERT-FI has been tracking the situation with the Allaple worm
for about 8 months now. We have traced the evolution of the
worm since the first variants came out.

Allaple is a polymorphic worm. The first variants spread through
Radmin installations that had weak passwords.
Every variant so far also tries to locate
all html files on the harddisk to prepend an <object> -tag
into the file to ensure activation of the worm when a local
webmaster views the files. Traces of this behaviour can be
seen on some websites: There's an <object> tag right below the
<html> tag in the page, with the source pointing to a random
UUID.

The first variants were DDOSsing only 1 target and the DDOS was a basic
SYN flood. Shortly there after another target was added to the DDOS routine in the
code.

A bit after that the spreading mechanisms were changed from
Radmin scans to basic catering of Windows exploits,
and yet another target or victim was added.

The SYN DDOS routine has been the same from the first variant
to the latest variant available. Early in the winter code was
added to do HTTP GETs on the target websites. A few other ports
were also targeted. One site is currently getting gentle packet
love on tcp ports 22,80 and 97. Another site is getting packets and
HTTP gets on port 80, and yet another is getting packets on
ports 80 and 443.

The worms have absolutely no Command and Control channels in them.
Once released, there is no way to make them disappear. Their sole
purpose is to spread and DDOS.

In case you are in the correct position, and you feel you would
want to help in this pesky problem, here are a few tricks you can
use to identify Allaple variants on the loose in your networks:

1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi",
sans quotes, in the payload.
2) Echo requests to entire networks including host octets of 255 and 0.

We have reason to believe that there will be more variants,
it's just a matter of time when a new one pops out into the open.

CERT-FI is interested in any information or observations regarding the DDOS
or the malware itself. We can be contacted at cert(at)ficora.fi"