Loathing Lupper in Linux presented at Virus Bulletin 2006

by Jakub Kaminski (CA),

Tags: Security

URL : http://www.virusbtn.com/conference/vb2006/abstracts/Kaminski.xml

Summary : "The development of computer malware targeting Linux machines has been steady during the last
few years, but barely comparable to all the nasty stuff designed to compromise Windows
systems. The number of new self-replicating malware written for Linux have been small
and it seemed like the sudden outburst, which in early 2001 produced a series of
Linux worms reported from the Wild (like Ramen, Lion, Adore, Lpdw0rmn or Cheese)
turned out to be a flash in a pan.Precisely speaking, new Linux malware - new backdoors, denial of service attacks,
rootkits and other 'hacking' tools - and even some parasitic viruses appear in malware collections
on a regular basis. There's always something to keep those investigating Linux malicious
code occupied (even though the number of issues to look through is tiny compared to the
problems facing Windows users and Windows security experts).In November 2005, those monitoring Linux threats got a hint of excitement - a worm named
Lupper (or Lupii, or Plupii). Now, a couple of months after its first appearance there are
more than a dozen different variants on the loose. And the new ones are appearing faster than the
previous; and at this stage we don't expect this trend to stop.There are a few features of the Lupper worms that make them interesting, relatively widespread
and quite complex to define. The mixture of ELF binaries, shell scripts, exploited
vulnerabilities, quickly changing IP addresses, a mixture of components like downloaders,
backdoors and denial of service attack tools - makes it hard to unravel the true picture
of the ever-growing Lupper family. The confusion is obvious when one looks at the
detection and naming systems implemented in various anti-virus products. The problem
with determining which elements belong where and how they are related to others reminds
one of the Win32/Bagle puzzle.
The paper will overview the latest Linux malware situation and will concentrate on trying
to discover the mechanism behind the evolution of Lupper variants and other related Linux