XML RPC worm - New Variant - ELF_LUPPER.B

Published: 0000-00-00
Last Updated: 2005-11-09 20:32:40 UTC
by Patrick Nolan (Version: 4)
0 comment(s)
Update: During the upcoming SANS Webcast Internet Storm Center: Threat Update, Wednesday, November 09 at 1:00 PM EST (1800 UTC/GMT), Johannes Ullrich will discuss the Lupii worm and XML-RPC, be sure to catch this "defense discussion in depth"

Update: Reported IP's include;
Thanks Ryan, Joel and Mike!
We are receiving reports of malware that's an apparent relative of the lupii worm. The reported variant is named "listen".

Ivan Macalintal, Senior Threat Analyst, Trend Micro Inc., sent us the following information;

"LISTEN has a size of 443,364 bytes, but basically it still does the same thing.
MD5 Hashes (as compared with the previous LUPII variants):
5b1176a690feaa128bc83ad278b19ba8 *listen
df0e169930103b504081aa1994be870d *lupii
c9cd7949a358434bfdd8d8f002c7996b *lupii2

Trend has identified this variant as ELF_LUPPER.B, details of their analysis will be posted there shortly.

Additional information on "listen" has been submitted us by a contributors who wishes to remain anonymous. "Listen" is retrieved from and

Thanks very much both of you!

We'll post other details as they develop.

Some people asked us about the possibility to scan their own networks to see if they have some servers vulnerable to exploits that lupii/lupper use.

Probably the easiest way is to do a nmap scan of your network to see which machines have services listening on port 80 and then to run a customized Nessus scan. Nessus has some plugins which can be used to detect various XML-RPC vulnerable packages.

Those plugins are:

19518 - phpAdsNew / phpPgAds < 2.0.6 Multiple Vulnerabilities
18600 - Serendipity XML-RPC for PHP Remote Code Injection Vulnerability
18601 - WordPress < Multiple Vulnerabilities
18640 - Drupal XML-RPC for PHP Remote Code Injection Vulnerability
16189 - AWStats configdir parameter arbitrary cmd exec

Let us know how (un)successful your scans are.
Just a short update: all these plugins, but #16189, require a registered or direct plugin feed from Nessus - they are not GPLed.
Thanks to George for letting us know.

0 comment(s)


Diary Archives