This morning on ATLAS we saw a pair of hosts scanning for Telnet servers. While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to a recent Solaris bug, specifically CVE-2007-0882 (the telnet “-froot” bug). Two boxes in the same subnet scanning for it and hitting ATLAS; reports from another site indicate another box on that same subnet scanning them.
Last night a team member found what appears to be a Sun Solaris telnet worm using this vulnerability. What’s kind of cute about the worm is that the strings contain a lot of old school messages, like the WANK worm, the Witty worm, and a few others (including some to Gobbles). Here’s the file manifest and MD5s of the files:
MD5 (./sunworm.tar.gz) = cf4a9970f3b1f790097f948a89b3c0b6
MD5 (./adm/acctadm) = 499ea70ee52a0dc8157bd5af17939dd2
MD5 (./adm/.i86pc) = beb297d10410351c3de482011ad29930
MD5 (./adm/.lp-door.i86pc) = d941a72058f87c26204aeafc98f44875
MD5 (./adm/.lp-door.sun4) = d48a524ec0ad6c36c248e06e0b6efffa
MD5 (./adm/.sun4) = 499ea70ee52a0dc8157bd5af17939dd2
MD5 (./lp/lpfilter) = d48a524ec0ad6c36c248e06e0b6efffa
MD5 (./lp/.lp-door.sun4) = d48a524ec0ad6c36c248e06e0b6efffa
MD5 (./path_of_adm) = 0d7ca664603b7291fb24b58e22cc6dad
MD5 (./path_of_lp) = 3a3cba85cfb7466001fd3d7900ebb8be
MD5 (./sunworm.zip) = c48866d374859d223b20911c7ad3aa01
The “path of” files just point to the appropriate binary (this worm appears to be cross-platform, x86 or SPARC):
/var/adm/sa/.adm
/var/spool/lp/admins/.lp
And the main binaries under “adm/” come in builds for both platforms:
acctadm: ELF 32-bit MSB executable, SPARC, version 1
.i86pc: ELF 32-bit LSB executable, Intel 80386, version 1
.lp-door.i86pc: ELF 32-bit LSB executable, Intel 80386, version 1
.lp-door.sun4: ELF 32-bit MSB executable, SPARC, version 1
.sun4: ELF 32-bit MSB executable, SPARC, version 1
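Since the post hands you the drop paths and an MD5 manifest, the obvious thing a responder wants is a host check that looks for those hidden directories and hashes whatever sits in them against the list. The script below is an added example written for this post, not code from the worm, from Sun or from ATLAS; the hashes and paths are the ones quoted above, and the demo filesystem it builds in a temp directory is constructed placeholder data (so those files report as unknown rather than matching the manifest). The `root` parameter is an assumption on my part, there so the same check can be pointed at a mounted image of a suspect disk.

```python
import hashlib
import os
import tempfile

# MD5s from the manifest in the post, keyed by digest. Two pairs of listed files
# share a hash (acctadm/.sun4 and .lp-door.sun4/lpfilter), so the value names every
# file that digest was seen under. The tarball/zip wrappers are left out: they are
# the analyst's packaging, not something dropped on a victim.
KNOWN_MD5S = {
    "499ea70ee52a0dc8157bd5af17939dd2": "adm/acctadm, adm/.sun4 (SPARC)",
    "beb297d10410351c3de482011ad29930": "adm/.i86pc (x86)",
    "d941a72058f87c26204aeafc98f44875": "adm/.lp-door.i86pc (x86)",
    "d48a524ec0ad6c36c248e06e0b6efffa": "adm/.lp-door.sun4, lp/lpfilter (SPARC)",
    "0d7ca664603b7291fb24b58e22cc6dad": "path_of_adm",
    "3a3cba85cfb7466001fd3d7900ebb8be": "path_of_lp",
}

# Hidden directories the "path_of" files point at, per the post.
DROP_DIRS = ["/var/adm/sa/.adm", "/var/spool/lp/admins/.lp"]


def md5_file(path, chunk=65536):
    """MD5 of a file, read in chunks so a large binary does not land in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root="/", drop_dirs=DROP_DIRS, known=KNOWN_MD5S):
    """Look for the worm's drop directories under root and hash what they hold.

    Returns a list of (kind, path, detail) tuples:
      drop_dir     - a hidden worm directory exists
      known_md5    - a file inside it matches the published manifest
      unknown_file - a file inside it does not; detail is its MD5 for triage
    `root` (assumed parameter) lets the check run against a mounted image of a
    suspect disk instead of the live system.
    """
    findings = []
    for d in drop_dirs:
        p = os.path.join(root, d.lstrip("/"))
        if not os.path.isdir(p):
            continue
        findings.append(("drop_dir", p, "hidden directory present"))
        for dirpath, _, files in os.walk(p):
            for name in sorted(files):
                fp = os.path.join(dirpath, name)
                try:
                    digest = md5_file(fp)
                except OSError:
                    continue  # unreadable (e.g. not root on the live box); skip it
                if digest in known:
                    findings.append(("known_md5", fp, known[digest]))
                else:
                    findings.append(("unknown_file", fp, digest))
    return findings


def make_demo_root(infected=True):
    """Constructed stand-in filesystem in a temp dir so the scan can be tried offline.

    The files are placeholders, not the worm's binaries, so they show up as
    unknown_file rather than known_md5.
    """
    root = tempfile.mkdtemp(prefix="sunworm-demo-")
    if infected:
        adm = os.path.join(root, "var/adm/sa/.adm")
        lp = os.path.join(root, "var/spool/lp/admins/.lp")
        os.makedirs(adm)
        os.makedirs(lp)
        open(os.path.join(adm, ".sun4"), "wb").close()  # empty placeholder file
        with open(os.path.join(lp, "lpfilter"), "wb") as f:
            f.write(b"constructed placeholder, not the real binary\n")
    return root


if __name__ == "__main__":
    for kind, path, detail in scan(make_demo_root()):
        print(f"{kind:13s} {path}  {detail}")
```

Run it as root on a live box (the worm's files are owned by lp and adm, so other users may not be able to read them) or against a mounted image. A `drop_dir` hit with only `unknown_file` entries still deserves a look: it may be a recompiled variant rather than a clean system.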
The worm attempts to log into your systems as the users “lp” or “adm” and execute a bunch of shell commands (some of which are visible in the IDA screenshot below) to set up shop and keep on truckin’. Very old school, reminds me of the old ADM worms I saw back in the late ’90s that got me interested in self-propagating malware in the first place.
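The post does not spell out the mechanics of the “-froot” bug, so as an added example (mine, not the worm's code and not anything from Sun or ATLAS) here is a small detector for the wire form of it, on the assumption, which matches the public description of CVE-2007-0882, that the value rides in the USER variable of the telnet NEW-ENVIRON option (RFC 1572) and is handed to login(1) unchecked, so a “username” beginning with `-` is really a login flag. The function walks the client-to-server byte stream, pulls out NEW-ENVIRON subnegotiations and flags any USER value that starts with `-`; the two sample streams at the bottom are constructed for the demo, not captures. This is the same check an IDS signature for this bug makes, expressed as code so you can run it over your own captures.

```python
# Telnet protocol constants (RFC 854 and RFC 1572, NEW-ENVIRON).
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
ENV_IS = 0
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_subnegotiations(stream):
    """Yield (option, body) for each IAC SB <option> ... IAC SE in a client->server stream.

    Escaped IAC bytes (IAC IAC) inside the body are unescaped. Anything between
    subnegotiations, including plain WILL/DO commands, is skipped, and a
    subnegotiation with no terminating IAC SE is ignored.
    """
    i = 0
    while True:
        start = stream.find(bytes([IAC, SB]), i)
        if start < 0 or start + 2 >= len(stream):
            return
        end = stream.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            return
        body = stream[start + 3:end].replace(bytes([IAC, IAC]), bytes([IAC]))
        yield stream[start + 2], body
        i = end + 2


def parse_new_environ(body):
    """Decode the VAR/USERVAR name, VALUE value pairs of a NEW-ENVIRON IS body (after the IS byte)."""
    env = {}
    name, value, state = bytearray(), bytearray(), None  # state: None, "name" or "value"
    i = 0
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):
            if state is not None:
                env[name.decode("latin-1")] = value.decode("latin-1")
            name, value, state = bytearray(), bytearray(), "name"
        elif b == VALUE and state is not None:
            state = "value"
        elif b == ESC and i + 1 < len(body):
            i += 1  # the byte after ESC is literal data, even if it is VAR/VALUE/ESC
            (name if state == "name" else value).append(body[i])
        elif state == "name":
            name.append(b)
        elif state == "value":
            value.append(b)
        i += 1
    if state is not None:
        env[name.decode("latin-1")] = value.decode("latin-1")
    return env


def find_user_option_injection(stream):
    """Return the USER values in this stream that look like login(1) flags rather than names.

    A real username never starts with '-'; a value of that shape is the
    CVE-2007-0882 pattern (the "-froot" the post refers to) and should alert.
    """
    hits = []
    for option, body in iter_subnegotiations(stream):
        if option != NEW_ENVIRON or not body or body[0] != ENV_IS:
            continue
        user = parse_new_environ(body[1:]).get("USER")
        if user is not None and user.startswith("-"):
            hits.append(user)
    return hits


# Constructed sample streams (client side of the option negotiation), not ATLAS captures.
BENIGN_STREAM = (
    bytes([IAC, 251, NEW_ENVIRON])  # IAC WILL NEW-ENVIRON
    + bytes([IAC, SB, NEW_ENVIRON, ENV_IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice"
    + bytes([USERVAR]) + b"DISPLAY" + bytes([VALUE]) + b"ws1:0"
    + bytes([IAC, SE])
)
HOSTILE_STREAM = b"\xff\xfb\x27" + b"\xff\xfa\x27\x00\x00USER\x01-froot\xff\xf0"

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("hostile", HOSTILE_STREAM)):
        print(label, find_user_option_injection(s))
```

The parser only looks at the client side of the conversation and only at NEW-ENVIRON; the older ENVIRON option (36) uses the same encoding, so extending the option check is a one-line change if your captures include clients that still negotiate it. Patched in.telnetd makes the alert moot, but the signature is still a cheap way to spot scanners like the pair seen on ATLAS.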
If you haven’t patched yet, you should. See the instructions from Sun on how to do that. Better yet just disable Telnet. It’s 2007, after all.
