Worm Detected
Impact
There is evidence that the system has been penetrated by
an Internet worm. Files or system information may have
been transmitted to remote parties, unauthorized file
modifications may have taken place, and backdoors allowing
unauthorized access may be present. Furthermore, it is
likely that the system is being used as a launching
point for further propagation of the worm across the
network.
Background
A worm is a self-replicating program designed to spread across a
network without requiring any outside actions to take place.
The main difference between a worm and a virus is that a
virus relies on human actions, such as sending e-mail or
sharing files, to copy itself from one computer to another,
whereas a worm is able to do so independently, allowing
it to spread much faster.
The Problems
Ramen worm
The Ramen worm spreads among Red Hat Linux 6.2 and 7.0
systems by exploiting well-known vulnerabilities in
wu-ftpd, rpc.statd,
and LPRng. When the Ramen worm installs
itself on a new host, it takes the following actions:
- Shuts off the services it uses to propagate, thereby
preventing other instances of the worm from re-infecting
the host
- If the host is running a web server, replaces the home
page with its own page
- Sends e-mail to an anonymous account, presumably the
author of the worm, for the purpose of tracking the worm's
spread
- Opens TCP port 27374 for the purpose of distributing
itself as a .tar file
- Scans a random block of addresses for vulnerable versions
of wu-ftpd, rpc.statd,
and LPRng, and if one is found, exploits
the vulnerability to retrieve and install itself on the target
host
Lion worm
The Lion worm spreads by scanning random Class B networks for
well-known vulnerabilities in BIND domain name servers. When
a vulnerable server is found, the worm exploits the
vulnerability and makes a number of changes to the victim.
The most serious are the following:
- Sends copies of the /etc/passwd and
/etc/shadow files and other system information
to an address in the china.com domain.
- Deletes the /etc/hosts.deny file, thus
disabling any access control that may have been provided
by TCP wrappers
- Opens a backdoor root shell on TCP ports 33567 and 60008
- Installs a trojan horse version of Secure Shell (ssh) in
place of the Name Service Caching Daemon (nscd) and
runs it on TCP port 33568
- Installs a trojan horse version of the login utility
- Kills the syslogd process, thus disabling the
system's logging capabilities
- Installs the t0rn rootkit, which replaces several
system commands with trojan horse versions
Adore worm
The Adore worm, also known as the Red worm, is similar to
the Ramen and Lion worms. It spreads itself by exploiting
vulnerabilities in LPRng, rpc.statd,
wu-ftpd, and BIND. After gaining access
to a system, it performs the following actions:
- Replaces the system binary ps with
a trojan horse version and moves the original to /usr/bin/adore
- Installs files in /usr/lib/lib
- Sends e-mail to four different e-mail addresses containing
the contents of /etc/shadow (the encrypted
system passwords) and other sensitive information about the
system
- Runs a backdoor program called icmp which
opens a root shell on a pre-defined port after receiving
an ICMP request of a particular length.
- Sets up a cron job to remove all traces of the worm's
existence, except the backdoor, and reboot at 4:02 A.M.
There is also a variant of Adore which performs several
other actions in addition to the above, such as
adding two new system accounts and sending out e-mail
to two more e-mail addresses.
lprw0rm
The lprw0rm spreads by scanning random Class B networks
for vulnerable LPRng print
servers. Upon gaining access to a vulnerable machine,
the worm performs the following actions:
- Downloads a copy of itself from a web site
- Creates two backdoor accounts called kork and kork2,
the latter of which has root privileges
- Opens a root shell on port 666
- Replaces the system login and ps utilities
with trojan horse versions
- Mails sensitive system information to an outside e-mail
address
- Runs an IRC bot which connects to an IRC channel and
allows a remote attacker to execute arbitrary commands
The web site which was being used to distribute the worm
has since been shut down, thereby stopping the spread of
this worm. However, even without the ability to download
itself from the web site, the worm can still create the
backdoor accounts and root shell on any new victim machines.
sadmind/IIS worm
The sadmind/IIS worm affects Solaris and Windows servers.
It propagates by exploiting a buffer overflow condition in
the Solaris sadmind service. After gaining
access to a Solaris host, it performs the following actions:
- Runs an exploit against vulnerable IIS systems, and if
successful, changes the web page on the IIS system
- Opens a root shell on TCP port 600
- Adds the string "+ +" to the .rhosts
file under the root user's home directory
- Creates directories called /dev/cub and
/dev/cuc which contain logs and tools used
by the worm
- Propagates to other vulnerable Solaris systems
- Modifies the Solaris system's index.html
file after compromising 2000 IIS systems.
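The following host triage script is an added example and is not part of the original advisory. It checks a filesystem tree for the artifacts the five worm descriptions above attribute to Ramen, Lion, Adore, lprw0rm and sadmind/IIS (files, backdoor accounts, the "+ +" rhosts entry, the deleted hosts.deny, and on a live host the killed syslogd and the fixed backdoor ports); the ROOT argument and the names WORM_PATHS, WORM_ACCOUNTS, WORM_PORTS and worm_indicators are chosen here, and the port and path values come from the text above.

```shell
#!/bin/sh
# Added triage check for the host artifacts the write-up attributes to the
# Ramen, Lion, Adore, lprw0rm and sadmind/IIS worms. It only reports.
# ROOT may point at a mounted disk image or a constructed test tree.

# Files and directories named in the worm descriptions.
WORM_PATHS="/usr/src/.poop /sbin/asp /etc/xinetd.d/asp /usr/bin/adore /usr/lib/lib /dev/.kork /dev/cub /dev/cuc"
# Backdoor accounts created by lprw0rm.
WORM_ACCOUNTS="kork kork2"
# Fixed backdoor ports: Ramen 27374; Lion 33567, 33568, 60008; lprw0rm 666; sadmind/IIS 600.
WORM_PORTS='27374|33567|33568|60008|666|600'

# worm_indicators [ROOT]: prints one "indicator: ..." line per finding; returns 1 if
# anything was found, 0 if clean. Empty ROOT or "/" means the live host, which
# also enables the process and socket checks.
worm_indicators() {
    root=${1:-}; live=0; found=0
    case "$root" in ""|/) live=1; root="" ;; esac
    for p in $WORM_PATHS; do
        [ -e "$root$p" ] && { echo "indicator: worm artifact present: $p"; found=1; }
    done
    for a in $WORM_ACCOUNTS; do
        if [ -f "$root/etc/passwd" ] && grep -q "^$a:" "$root/etc/passwd"; then
            echo "indicator: backdoor account in /etc/passwd: $a"; found=1
        fi
    done
    # sadmind/IIS appends "+ +" to root's .rhosts (root's home is / on Solaris, /root on Linux).
    for rh in "$root/.rhosts" "$root/root/.rhosts"; do
        if [ -f "$rh" ] && grep -q '^+ +' "$rh"; then
            echo "indicator: '+ +' trust entry in ${rh#$root}"; found=1
        fi
    done
    # Lion deletes /etc/hosts.deny, silently disabling TCP wrappers access control.
    if [ -f "$root/etc/passwd" ] && [ ! -e "$root/etc/hosts.deny" ]; then
        echo "indicator: /etc/hosts.deny missing"; found=1
    fi
    if [ "$live" = 1 ]; then
        # Lion kills syslogd; the worms' root shells listen on the fixed ports above.
        pgrep syslogd >/dev/null 2>&1 || { echo "indicator: syslogd not running"; found=1; }
        if netstat -an 2>/dev/null | grep LISTEN | grep -Eq "[.:]($WORM_PORTS)[[:space:]]"; then
            echo "indicator: backdoor port listening (see netstat -an)"; found=1
        fi
    fi
    return $found
}

# Usage: sh worm_check.sh / (live host) or sh worm_check.sh /mnt/image
[ $# -gt 0 ] && worm_indicators "$1"
```

A clean result only means none of these specific artifacts were seen; a trojaned ps or login (Lion, Adore, lprw0rm) can hide processes and logins from the live checks, so a mounted copy of the disk is the more trustworthy target.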
Resolution
The paragraphs below explain how to remove a worm
from an infected system. However, removal of the worm
does not solve the problem at its roots. The presence of
the worm is evidence that a critical vulnerability exists
on the host. The system should be taken offline until
it is certain that the vulnerable services are upgraded
to the latest, patched versions.
To remove the Ramen worm, follow these steps:
- Delete /usr/src/.poop and /sbin/asp.
- If it exists, remove /etc/xinetd.d/asp
- Remove all lines in /etc/rc.d/rc.sysinit
which refer to any file in /usr/src/.poop.
- Remove any lines in /etc/inetd.conf
referring to /sbin/asp.
- Reboot the system or manually kill any processes such
as synscan, start.sh,
scan.sh, hackl.sh,
or hackw.sh.
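The five Ramen removal steps above as a script; this is an added example, not a tool from the advisory. It takes a ROOT prefix so the run can first be rehearsed on a copy of the filesystem, keeps a .pre-ramen backup of each edited file, and only kills processes when run against the live host. The names RAMEN_DIR, RAMEN_ASP, RAMEN_PROCS, strip_lines and remove_ramen are chosen here; the paths and process names come from the steps above.

```shell
#!/bin/sh
# Added implementation of the Ramen removal steps above. It takes a ROOT prefix
# so the run can be rehearsed on a copy of the filesystem; ROOT "" or "/" means
# the live host. Every file it edits is kept as FILE.pre-ramen.

RAMEN_DIR=/usr/src/.poop
RAMEN_ASP=/sbin/asp
RAMEN_PROCS="synscan start.sh scan.sh hackl.sh hackw.sh"

# strip_lines FILE STRING: delete every line of FILE containing STRING
# (fixed string, not a regex), keeping a backup; prints the number removed.
strip_lines() {
    file=$1; str=$2
    [ -f "$file" ] || { echo 0; return 0; }
    n=$(grep -c -F "$str" "$file") || true
    if [ "$n" -gt 0 ]; then
        cp -p "$file" "$file.pre-ramen"
        grep -v -F "$str" "$file.pre-ramen" > "$file" || true
    fi
    echo "$n"
}

# remove_ramen [ROOT]: runs the five steps and prints one summary line per step.
remove_ramen() {
    root=${1:-}
    case "$root" in /) root="" ;; esac
    # Steps 1 and 2: the worm's working directory, its helper and the xinetd entry.
    for p in "$RAMEN_DIR" "$RAMEN_ASP" /etc/xinetd.d/asp; do
        if [ -e "$root$p" ]; then rm -rf "$root$p"; echo "removed $p"; fi
    done
    # Steps 3 and 4: lines the worm added to rc.sysinit and inetd.conf.
    c=$(strip_lines "$root/etc/rc.d/rc.sysinit" "$RAMEN_DIR")
    echo "rc.sysinit: $c line(s) referencing $RAMEN_DIR removed"
    c=$(strip_lines "$root/etc/inetd.conf" "$RAMEN_ASP")
    echo "inetd.conf: $c line(s) referencing $RAMEN_ASP removed"
    # Step 5: only meaningful on the live host (a reboot is the alternative).
    if [ -z "$root" ]; then
        for proc in $RAMEN_PROCS; do
            # -f matches the full command line, since "sh start.sh" shows up as sh.
            pkill -f "$proc" 2>/dev/null && echo "killed $proc"
        done
        # Make inetd re-read the edited configuration.
        pkill -HUP -x inetd 2>/dev/null || true
    fi
}

# Usage: sh ramen_clean.sh /mnt/copy (rehearsal) or sh ramen_clean.sh / (live host)
[ $# -gt 0 ] && remove_ramen "$1"
```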
No procedure for removing the Lion worm has been
publicized at this time. It is recommended that infected
machines be taken offline until either the system can
be restored from a clean backup or a removal procedure
is developed. Check SANS regularly for any further developments.
To remove the Adore worm, download and run the Adorefind
utility. It can be run on an infected system to find
files which are part of the worm and delete them.
There is no standard procedure for removing lprw0rm.
If your system has been compromised by this worm, it
would be advisable to restore files such as /etc/inetd.conf
(or equivalent), /etc/passwd, /etc/shadow,
/bin/ps, and /bin/login from
backups, and to delete everything found in /dev/.kork.
There is no tool or procedure available to remove the
sadmind/IIS worm. It is recommended that the
system be taken offline until it can be restored from
backups and until the vulnerabilities in sadmind
and IIS have been patched. See Sun Security Bulletin #00191
for Solaris patch information and Microsoft Security
Bulletin 00-078 for IIS patch information.
Where can I read more about this?
The Ramen worm was discussed in an X-Force advisory and in
the Symantec AntiVirus Research Center.
More information about the Lion worm is available from the
SANS Global Incident Analysis Center.
More information about the Adore worm is also available from
SANS.
More information about lprw0rm was posted to the
SecurityFocus Incidents mailing list.
More information about the sadmind/IIS patch is available
in CERT Advisory 2001-11.
For general information about worms and how they differ
from viruses, see the Symantec
AntiVirus Research Center.