Yesterday fellow handler Chris wrote about a possible phpBB worm exploiting a 0-day vulnerability (http://isc.sans.org/diary.php?storyid=1480). If you're using phpBB you can relax ? the worm we've analyzed doesn't exploit any vulnerabilities in phpBB.
We've received two samples from the Nepenthes Development team and analyzed them. Both samples contain practically the same bot written in perl. The only difference between them is the vulnerability which is being exploited.
Both bots exploit remote file inclusion vulnerabilities in components that are typically used with Joomla and Mambo, popular CMS packages. In first case the bot is exploiting a vulnerability in the perForms component that is used to create dynamic forms.
The second perl bot exploits an unpatched vulnerability in Joomla/Mambo CNS component SimpleBoard (there is a CVE for this vulnerability, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3528). It looks like even the latest RC version of the SimpleBoard component is affected by this vulnerability so be sure to disable it if you have it installed on your machine.
In both cases exploits for these vulnerabilities have been published previously.
Besides the attack part, the perl bot also contains couple of "extra features". The bot will report to a hard coded IRC server. Besides the attack component, the bot can also perform a poor TCP portscan (the destination ports are also hard coded in the bot and can not be changed), UDP, TCP and HTTP floods.
The bot will use Google to search for vulnerable sites and offers the possibility of executing any commands through the remote shell.
If you have been following our diaries you probably noticed a trend of exploiting vulnerabilities in third party components for Joomla and Mambo packages. While there were some vulnerabilities in the core packages as well, one can expect that there is a whole new world of vulnerabilities in third party components, so be careful on what you install. Install and enable only components that you really need and be sure that you subscribe to all the relevant mailing lists so you can keep track of what's going on with them.
I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Brussels September 2019
Jul 14th 2006
1 decade ago