Devnull
Devnull is the name of a computer worm for the Linux operating system that has been named after /dev/null, Unix's null device. This worm was found on 30 September 2002.

This worm, once the host has been compromised, downloads and executes a shell script from a web server. This script downloads a gzipped executable file named k.gz from the same address, and then decompresses and runs the file.

This downloaded file appears to be an IRC client. It connects to different channels and waits for commands to process on the infected host.

Then the worm checks for the presence of the GCC compiler on the local system and, if found, creates a directory called .socket2. Next, it downloads a compressed file called devnull.tgz. After decompressing, two files are created: an ELF binary file called devnull and a source file called sslx.c. The latter gets compiled into the ELF binary sslx.

The devnull executable scans for vulnerable hosts and uses the compiled sslx program to exploit a known OpenSSL vulnerability on them.
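The dropped artifacts named above (the .socket2 directory and the files k.gz, devnull.tgz, devnull, sslx.c and sslx) are the only host-level indicators this description gives. The following is an added example, not code from the article or from any analysis of the worm: a name-based filesystem check that flags those artifacts, weighting a .socket2 directory that holds several of the named files most heavily. It runs against a constructed directory tree; the scan root and the use of names alone as the indicator are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicator names taken from the worm description (names only; no hashes
# are given in the article, so this check matches on file names alone).
SUSPECT_DIR = ".socket2"
SUSPECT_FILES = {"k.gz", "devnull.tgz", "devnull", "sslx.c", "sslx"}


def scan_tree(root):
    """Walk `root` and return a list of (kind, path) findings.

    kind is "dir" for a directory named .socket2, "file" for one of the
    named dropped files anywhere in the tree, and "cluster" when a
    .socket2 directory holds two or more of the named files, which is
    the strongest signal the description supports.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == SUSPECT_DIR:
            findings.append(("dir", dirpath))
            if len(SUSPECT_FILES.intersection(filenames)) >= 2:
                findings.append(("cluster", dirpath))
        for name in filenames:
            if name in SUSPECT_FILES:
                findings.append(("file", os.path.join(dirpath, name)))
    return findings


def demo():
    """Build a constructed tree that mimics the dropped files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "home" / "user" / SUSPECT_DIR
        drop.mkdir(parents=True)
        for name in ("devnull", "sslx.c", "sslx"):
            (drop / name).write_bytes(b"constructed placeholder")
        (Path(tmp) / "home" / "user" / "notes.txt").write_text("benign")
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

A real deployment would point scan_tree at home directories and temporary paths and treat a lone "file" hit (a user's own binary named devnull, for instance) as far weaker than a "cluster" hit.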

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.