Home / malware Darlloz worm
First posted on 05 April 2015.
Source: SecurityHomeAliases :
Darlloz worm is also known as Linux.Darlloz.
Explanation :
The worm propagates by exploiting the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823) through http POST requests.
If the target is vulnerable, it downloads and executes the worm from the following URL:
[http://]www.gpharma.co
When the worm is executed, it copies itself as the following file:
/tmp/x86
The worm creates the following directory:
/var/run/.zollard/
The worm attempts to force load ip_table or iptable from the following locations:
/lib/modules/[OS VERSION]/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/[OS VERSION]/kernel/net/ipv4/netfilter/iptable_filter.ko
The worm configures iptable to drop packets on TCP port 23 and prevents remote users from connecting to the compromised computer.
The worm attempts to terminate the following process:
telnetd
The worm attempts to terminate the process ID written in the following processes and to delete the files:
/var/run/.lightpid
/var/run/.aidrapid
/var/run/lightpid
The worm deletes the following files:
/var/run/.lightscan
/var/run/lightscan
/var/run/mipsel
/var/run/mips
/var/run/sh
/var/run/arm
/var/run/ppc
/var/run/m
/var/run/mi
/var/run/s
/var/run/a
/var/run/p
/var/run/msx
/var/run/mx
/var/run/sx
/var/run/ax
/var/run/px
/var/run/32
/var/run/sel
/var/run/pid
/var/run/gcc
/var/run/dev
/var/run/psx
/var/run/mpl
/var/run/mps
/var/run/sph
/var/run/arml
/var/run/mips.l
/var/run/mipsell
/var/run/ppcl
/var/run/shl
/bin/pp
/bin/mi
/bin/mii
/var/tmp/dreams.install.sh
/var/tmp/ep2.ppc
/usr/bin/wget
/usr/bin/-wget
The worm generates random IP addresses excluding the following:
0.0.0.0 - 0.255.255.255
127.0.0.1 - 127.255.255.255
192.0.2.0 - 192.0.2.255
198.51.100.0 - 198.51.100.255
203.0.113.0 - 203.0.113.255
255.255.255.255
If the worm cannot access TCP port 23, it attempts to send malformed http POST requests to the following paths:
/cgi-bin/php
/cgi-bin/php5
/cgi-bin/php-cgi
/cgi-bin/php.cgi
/cgi-bin/php4
If the worm successfully accesses TCP port 23, it creates the following directory:
/var/run/.zollard/
The worm copies the following files to the directory on the remote computer:
/var/run/.zollard/arm
/var/run/.zollard/ppc
/var/run/.zollard/mips
/var/run/.zollard/mipsel
/var/run/.zollard/x86
/var/run/.zollard/nodes
/var/run/.zollard/sig
The worm executes one of the following files:
/var/run/.zollard/arm
/var/run/.zollard/ppc
/var/run/.zollard/mips
/var/run/.zollard/mipsel
/var/run/.zollard/x86
The worm opens a back door on TCP port 58455 and waits for commands.Last update 05 April 2015