
Linux Security -- Does the end justify the means?



LINUX SECURITY --- May 22, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Fighting fire with fire and worms with worms, one white hat hacker is 
  taking the offensive against a popular vulnerability.

________________________________________________________________________________

The Cheese Worm
By Rick Johnson

Yes, yet another Linux worm is spreading like wildfire. I decided to 
discuss only unique and newsworthy worms and, as luck would have it, 
the "Cheese Worm" is like no other I have seen. This one is a self-
propagating patch.

While the Cheese Worm will not work on all Linux systems due to the 
differences between distributions, for many it fixes a vulnerable back 
door and then scans the Internet for other vulnerable computers. The 
Cheese worm infiltrates the system through the back door installed by 
the 1i0n worm, which waits for connections on port 10008. Then, it 
removes all inetd services referencing /bin/sh to close the hole. If 
successful, it then scans for other systems with an open port 10008 and 
starts the cycle over again, regardless of whether the new system is 
actually infected.

The worm installs itself in /tmp/.cheese and establishes it as the 
working directory to execute commands. When the "go" shell script 
executes, the perl script entitled "cheese" goes into action. 
The "cheese" script does the following:

    * Changes its process name to httpd;
    * Deletes the "go" script; 
    * Checks for a file named ADL in the working directory. If it is 
      found, then cheese exits. If it is not found, then the ADL file 
      is created, the string ADL is written into the file, and the 
      timestamp is set to match the timestamp of the system's /bin/ls 
      file;
    * Reads /etc/inetd.conf and rewrites it, excluding any line that 
      contains the string /bin/sh;
    * Attempts to restart inetd twice, once using /usr/bin/killall and 
      once using /bin/killall;
    * Until the cheese process is somehow killed, it repeats a cycle of 
      scanning semi-random /16 (i.e., class B) network blocks for hosts 
      listening on TCP port 10008 using the psm program.

On hosts responding to a TCP port 10008 probe, the worm:

    * Establishes a TCP connection to port 10008 of the victim host; 
    * Starts a listener process on a random TCP port number from 
      10000 through 15000; 
    * Serves a copy of /tmp/.cheese/cheese.uue from that listener to 
      anything that sends two linefeeds after connecting to its 
      TCP socket.
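The indicators listed above lend themselves to a host-side audit an administrator can run before the worm does the "patching" for them. The following is an added example and is not code from the newsletter or from the worm; it works on constructed samples of /etc/inetd.conf and /proc/net/tcp (the 0A state code for LISTEN and the hex port encoding are the standard Linux layout), flags inetd entries that hand connections to /bin/sh, checks for a listener on TCP 10008, and looks for the /tmp/.cheese working directory and its ADL marker file.

```python
from pathlib import Path

# Constructed sample inetd.conf carrying the 1i0n back door: a service on
# port 10008 that hands every connection straight to /bin/sh.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
10008   stream  tcp  nowait  root    /bin/sh         sh -i
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed /proc/net/tcp excerpt: a listener on 22 (0x0016) and one on
# 10008 (0x2718); column "st" equal to 0A means LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:2718 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
"""

def find_shell_services(conf_text):
    """Line numbers of inetd entries that reference /bin/sh outside a
    comment, the same signature the worm keys on."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), start=1):
        if "/bin/sh" in line.split("#", 1)[0]:
            hits.append(n)
    return hits

def strip_shell_services(conf_text):
    """Return the config with those entries removed: the edit an admin
    would make deliberately (and that the worm makes unasked)."""
    bad = set(find_shell_services(conf_text))
    kept = [l for n, l in enumerate(conf_text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"

def listening_ports(proc_net_tcp_text):
    """Set of TCP ports in LISTEN state, parsed from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def cheese_footprint(tmp_dir="/tmp"):
    """Whether the worm's working directory and its ADL marker exist."""
    d = Path(tmp_dir) / ".cheese"
    return {"dir": d.is_dir(), "ADL": (d / "ADL").is_file()}
```

On a live host, feed `Path("/etc/inetd.conf").read_text()` and `Path("/proc/net/tcp").read_text()` to the two parsers; a hit on /bin/sh, a listener on 10008, or a .cheese directory each warrants restoring the box from known-good media rather than trusting the worm's cleanup.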

Someone's attempt to do some good in the current wake of Trojans and 
worms spreading across the Internet unfortunately misses the point. 
Accessing someone else's system, regardless of your intentions, remains 
part of the problem. A better alternative would be to set up a server 
farm that scans for the worm and then emails the domain's admin contact 
informing them of the infection. Since port scanning is not illegal, 
this would cause far less of an uproar. Of course, administrators would 
freak when they see attempts to connect to their server on port 10008. 
I guess there is no easy answer except maybe, I don't know, patching 
your boxes?

About the author(s)
-------------------
Rick Johnson is currently involved in a number of projects, none of 
which he can discuss at this time. Aren't non-disclosure agreements 
wonderful? When not involved with those, he heads the development team 
for PMFirewall, an Ipchains Firewall and Masquerading Configuration 
Utility for Linux. Rick can be contacted via email at rick@pointman.org 
or on the web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

What Makes Johnny (and Janey) Write Viruses? 
Forget the stereotypes -- virus writers range in age and outlook, but 
many share an undeveloped sense of ethics, researcher finds.
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Net/3271/PCW01051534405/

A solution to e-mail virus propagation?
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2052/IWD010507opswatch/

New worm spreads disguised as virus warning 
VBS.Hard.A@mm shows up in users' in-boxes disguised as a virus alert 
from antivirus firm Symantec Corp. 
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/3832/itw010515virus/

Lion Internet Worm Analysis
http://www.itworld.com/jump/linsec_nl/www.linuxsecurity.com/articles/network_security_article-2813.html
________________________________________________________________________________