We intercepted a malware sample being propagated by exploiting
the Horde Help Viewer Remote Code Execution Vulnerability. BTW,
take note that this malware being executed while exploiting the
said vulnerability do not have the code that will exploit the Horde
vulnerability. It is probable that another program is doing the
exploit. This malware is written in Perl script.
Details about the packet:
| File Size: | 540 bytes |
| Smallpot Node: | SP-EMEA01 |
| Target port: | 80 |
More on the Horde exploit at The Horde Project.
March 28th, 2006. The Horde Team has released a
critical security fix for the Horde Application Framework versions
3.0 and above. Version 2.x and earlier releases are not affected.
The fixed Horde versions 3.0.10 and 3.1.1 are available. We
strongly encourage every user to update to the new versions
immediately.
There are exploits in the wild for this
vulnerability. They can only exploit the user the webserver runs
as, but are still serious. Please upgrade now..
Don’t forget to patch if you have vulnerable Horde version and
keep your antivirus pattern files updated.
Update(JoneZ, 23 June 2006 09:43:14)
The malware sample will be detected as PERL_SHELLBOT.AV.
Update(JoneZ, 24 June 2006 09:24:28)
More details about the malware in Trend’s VINFO page.
It uses the Google search engine to search for
servers with PHPBB Remote URLDecode Input Validation vulnerability
using the search string viewtopic.php:. Once it finds a server, it
attempts to upload and execute itself onto a vulnerable system.
Users of vulnerable phpbb software should upgrade to the latest
release. You may download the latest version of phpbb here.