Linux/Exploit-Wuftp

This page shows the details and results of our analysis of the malware Linux/Exploit-Wuftp.

Overview

Minimum DAT: 4295 (2003-09-24)
Updated DAT: 4295 (2003-09-24)
Minimum Engine: 5.1.00
File Length: 28631
Description Added: 2003-09-16
Description Modified: 2003-09-19
Malware Proliferation:

Characteristics

Detection of Linux/Exploit-Wuftp was added to cover a malicious ELF binary file called ftp (the name might vary). The file size was 28631 bytes.

The binary targets Red Hat Linux 6.x, OpenBSD 3.0 and FreeBSD 4.6.2 systems, making use of exploits for WU-FTPD 2.6.0, 2.6.1 and 2.6.2.

Given a target IP address or hostname, the binary attempts to exploit the remote system and thereby compromise it. It connects to the target's ftpd.

Symptoms

- Presence of a malicious file called ftp (the name might vary) with a file size of 28631 bytes

- Compromised Linux, OpenBSD or FreeBSD systems

- Connection attempts to ftpd on remote systems

Method of Infection

- It connects remotely to Linux, OpenBSD and FreeBSD systems via ftpd in order to exploit and compromise them.

- Note that ELF binaries are very specific to the OS, distribution and kernel version and usually do not work on even slightly different systems.
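As an added hunting check, not part of the original description, the following Python script walks a directory tree and reports regular files whose size matches the 28631-byte indicator listed under Symptoms and that are genuine ELF binaries (checked by magic bytes rather than by trusting the filename), noting whether the name also matches. The sample files it builds are constructed stand-ins, not the malware.

```python
import os, stat, struct, tempfile

# Indicators taken from the description above: the name may vary, the size is fixed.
INDICATOR_NAME = "ftp"
INDICATOR_SIZE = 28631
ELF_MAGIC = b"\x7fELF"

def parse_elf_header(data):
    """Return (ei_class, e_type, e_machine) from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]   # 1/2 = 32/64-bit; 1/2 = little/big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return ei_class, e_type, e_machine

def scan_for_indicator(root):
    """Walk root; return (path, header, reason) for regular ELF files of the indicator size."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or st.st_size != INDICATOR_SIZE:
                continue
            with open(path, "rb") as f:
                hdr = parse_elf_header(f.read(20))
            if hdr is None:
                continue                        # right size, but not an ELF binary
            reason = "size match" + (", name match" if name == INDICATOR_NAME else "")
            hits.append((path, hdr, reason))
    return hits

def build_sample_tree():
    """Constructed test data (not real malware): one matching ELF file and two decoys."""
    root = tempfile.mkdtemp()
    # 32-bit little-endian ELF header with e_type=2 (ET_EXEC) and e_machine=3 (EM_386)
    elf_hdr = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8 + b"\x02\x00\x03\x00"
    samples = {
        "ftp": elf_hdr.ljust(INDICATOR_SIZE, b"\0"),        # name, size and ELF all match
        "notes.txt": b"x" * INDICATOR_SIZE,                  # right size, not ELF
        "ls": elf_hdr.ljust(INDICATOR_SIZE + 1, b"\0"),      # ELF, wrong size
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    return root
```

Run `scan_for_indicator(build_sample_tree())` to see the check in action; only the constructed `ftp` file is reported.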

Removal

Detection is included in the specified DAT release.

In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Delete files identified by the scanner, replace them with clean ones from backup or re-install them using the original packages. Reboot the system.

Administrators should regularly check for availability of important security updates/patches.

Recommended links:

Caldera

Debian

FreeBSD

Red Hat

Sun

SuSE

Variants