This comes from one of our friends over at the Finnish CERT team, CERT-FI / FICORA.
"CERT-FI has been tracking the situation with the Allaple worm for about 8 months now. We have traced the evolution of the worm since the first variants came out. Allaple is a polymorphic worm. The first variants spread through Radmin installations that had weak passwords. Every variant so far also tries to locate all HTML files on the hard disk to prepend an <object> tag into the file to ensure activation of the worm when a local webmaster views the files. Traces of this behaviour can be seen on some websites: there's an <object> tag right below the <html> tag in the page, with the source pointing to a random UUID.

The first variants were DDOSing only 1 target, and the DDOS was a basic SYN flood. Shortly thereafter another target was added to the DDOS routine in the code. A bit after that the spreading mechanisms were changed from Radmin scans to basic catering of Windows exploits, and yet another target or victim was added. The SYN DDOS routine has been the same from the first variant to the latest variant available. Early in the winter, code was added to do HTTP GETs on the target websites. A few other ports were also targeted. One site is currently getting gentle packet love on TCP ports 22, 80 and 97. Another site is getting packets and HTTP GETs on port 80, and yet another is getting packets on ports 80 and 443.

The worms have absolutely no Command and Control channels in them. Once released, there is no way to make them disappear. Their sole purpose is to spread and DDOS.

In case you are in the correct position, and you feel you would want to help with this pesky problem, here are a few tricks you can use to identify Allaple variants on the loose in your networks:

1) ICMP packets with the string "Babcdefghijklmnopqrstuvwabcdefghi", sans quotes, in the payload.
2) Echo requests to entire networks, including host octets of 255 and 0.

We have reason to believe that there will be more variants; it's just a matter of time until a new one pops out into the open.

CERT-FI is interested in any information or observations regarding the DDOS or the malware itself. We can be contacted at cert(at)ficora.fi"
donald 206 Posts Mar 14th 2007
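The two network indicators CERT-FI lists (the fixed ICMP payload string, and echo requests aimed at .0/.255 host octets), plus the <object>-tag footprint left in infected HTML files, are easy to check for with a few lines of code. The following is an added example written for this post; it is not CERT-FI's or the ISC's code, and nothing here describes the worm beyond what the post says. The packet builder, checksum routine, `classid="clsid:..."` attribute shape and the sample HTML are assumptions made so the example runs offline on constructed input; the host-octet check is a heuristic (a legitimate ping to a /24's .0 or .255, or to a normal host in a larger prefix whose last octet happens to be 255, will also trip it).

```python
"""Indicator checks for the Allaple behaviours described in the CERT-FI note.
Added example; all sample input below is constructed, not captured traffic."""
import ipaddress
import re
import struct

# Indicator 1 from the post: fixed string carried in the ICMP payload.
ALLAPLE_ICMP_PAYLOAD = b"Babcdefghijklmnopqrstuvwabcdefghi"

# HTML footprint: an <object> tag directly below <html> whose source is a UUID.
# The classid/clsid attribute form is an assumption; the post only says "UUID".
_UUID = r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}"
_OBJECT_AFTER_HTML = re.compile(r"<html[^>]*>\s*<object[^>]*" + _UUID, re.I | re.S)


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, icmp_code, payload) for an IPv4/ICMP
    packet, or None for anything else (short, non-IPv4, non-ICMP)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                 # header length in bytes
    if pkt[9] != 1 or len(pkt) < ihl + 8:     # protocol 1 = ICMP, 8-byte ICMP header
        return None
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 1], pkt[ihl + 8:]


def allaple_icmp_indicators(pkt: bytes) -> list:
    """Names of the post's ICMP indicators that this packet matches."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None:
        return []
    _src, dst, icmp_type, _code, payload = parsed
    hits = []
    if ALLAPLE_ICMP_PAYLOAD in payload:
        hits.append("allaple_payload_string")
    # Echo request (type 8) to a host octet of 0 or 255: network sweep behaviour.
    if icmp_type == 8 and dst.packed[-1] in (0, 255):
        hits.append("echo_to_host_octet_0_or_255")
    return hits


def html_has_allaple_object(text: str) -> bool:
    """True if an <object> tag referencing a UUID sits right below <html>."""
    return _OBJECT_AFTER_HTML.search(text) is not None


# --- constructed test data: a minimal IPv4 + ICMP echo builder ---------------
def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request (type 8) with payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + icmp


# Constructed sample of the HTML footprint (UUID value is made up).
INFECTED_HTML_SAMPLE = (
    '<html>\n<object classid="clsid:12345678-abcd-4321-8765-0123456789ab"></object>\n'
    "<head><title>index</title></head><body>hello</body></html>"
)
CLEAN_HTML_SAMPLE = "<html><head><title>index</title></head><body>hello</body></html>"

if __name__ == "__main__":
    samples = {
        "worm_sweep": build_icmp_echo("10.0.0.5", "192.168.1.255", ALLAPLE_ICMP_PAYLOAD),
        "plain_ping": build_icmp_echo("10.0.0.5", "192.168.1.7", b"hello"),
        "broadcast_ping": build_icmp_echo("10.0.0.5", "192.168.1.0", b"hello"),
    }
    for name, pkt in samples.items():
        print(name, allaple_icmp_indicators(pkt))
    print("infected html:", html_has_allaple_object(INFECTED_HTML_SAMPLE))
    print("clean html:", html_has_allaple_object(CLEAN_HTML_SAMPLE))
```

To use this against real traffic, feed `allaple_icmp_indicators` the IP layer of each frame from a pcap reader; the payload-string match is the high-confidence indicator, while the .0/.255 echo check mainly helps spot the sweeping behaviour on networks where nobody should be pinging broadcast addresses.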