Jump to content

Devnull

Add links
From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 206.108.31.34 (talk) at 16:59, 25 March 2008 (Changed 'the known SSL vulnerability' to 'a known SSL vulnerability', as more than one exists.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Devnull is the name of a computer worm for the Linux operating system which has been named after /dev/null, Unix's null device. This worm was found on 30 September 2002.

This worm, once the host has been compromised, downloads and executes a shell script from a web server. This script downloads a gzipped executable file named k.gz from the same address, and then decompresses and runs the file.

This downloaded file appears to be an IRC client. It connects to different channels and waits for commands to process on the infected host.

Then the worm checks for presence of the GCC compiler on the local system and, if found, it creates a directory called .socket2. Next it downloads a compressed file called devnull.tgz. After decompressing, two files are created: an ELF binary file called devnull and a source script file called sslx.c. The latter gets compiled into the ELF binary sslx.

The executable will scan for vulnerable hosts and it will use the compiled program to exploit a known OpenSSL vulnerability.

Infection check

It is possible, viable and easy to see if a system has this particular worm, provided that the system has slocate or similar (for example locate). Simply run slocate devnull and see if it finds such a file. However, it is recommended that you update your locate database before doing so, to ensure nothing is missed; on many Linux systems, this can be done by running 'updatedb'.

See also


Stub icon

This malware-related article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Devnull&oldid=200833221"