Loathing Lupper in Linux

Jakub Kaminski CA

The development of computer malware targeting Linux machines has been steady during the last few years, but barely comparable to all the nasty stuff designed to compromise Windows systems. The number of new self-replicating malware programs written for Linux has been small, and it seemed that the sudden outburst which in early 2001 produced a series of Linux worms reported in the wild (like Ramen, Lion, Adore, Lpdw0rmn or Cheese) had turned out to be a flash in the pan.

Precisely speaking, new Linux malware - new backdoors, denial of service attacks, rootkits and other 'hacking' tools - and even some parasitic viruses appear in malware collections on a regular basis. There's always something to keep those investigating Linux malicious code occupied (even though the number of issues to look through is tiny compared to the problems facing Windows users and Windows security experts).

In November 2005, those monitoring Linux threats got a hint of excitement - a worm named Lupper (or Lupii, or Plupii). Now, a couple of months after its first appearance, there are more than a dozen different variants on the loose. New ones are appearing faster than the previous ones, and at this stage we don't expect this trend to stop.

There are a few features of the Lupper worms that make them interesting, relatively widespread and quite complex to define. The mixture of ELF binaries, shell scripts, exploited vulnerabilities, quickly changing IP addresses and components such as downloaders, backdoors and denial-of-service attack tools makes it hard to unravel the true picture of the ever-growing Lupper family. The confusion is obvious when one looks at the detection and naming systems implemented in various anti-virus products. The problem of determining which elements belong where, and how they are related to the others, is reminiscent of the Win32/Bagle puzzle.

The paper will give an overview of the latest Linux malware situation and will concentrate on trying to discover the mechanism behind the evolution of Lupper variants and other related Linux malware.

