Classification

Category :

Worm

Type :

-

Aliases :

Mare.D, Net-Worm.Linux.Mare.d, Linux.Plupii.C, Unix/ShellBot.C

Summary

Mare.D is a network worm that propagates by exploiting vulnerabilities in the Mambo content management system and the PHP XML-RPC library. The worm installs several backdoors to the compromised system.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The main component of the Mare.D worm is written in C and compiled with the GNU C compiler. Mare.D consists of several components, written in C, shell script and Perl.

Propagation

Mare.D scans random hosts for vulnerable installations of the Mambo content management system and PHP XML-RPC.

Exploiting these vulnerabilities the worm downloads a small shell script that installs the rest of the components:

  • /tmp/.temp/cb - Connectback shell backdoor
  • /tmp/.temp/https - IRC-controlled backdoor
  • /tmp/.temp/ping.txt - Connectback shell backdoor
  • /tmp/.temp/httpd - Main worm component

Payload

During infection Mare.D installs several backdoors to the compromised system. Two of them, 'cb' and 'ping.txt' are connectback shell backdoors, that connect to a remote host on 8080/TCP and open an interactive shell on the infected host. The third one is an IRC-controlled backdoor, written in Perl, which joins an IRC channel an awaits commands.

The main component of the worm also listens on 27015/UDP port for commands from the worm author. Through this port the attacker can issue different commands, for example update of the main component.