Worm Detected

Impact

Background

The Problems

10/04/02
The Bugbear worm spreads through MS Windows systems using two methods:

• e-mail: The worm takes advantage of a well-known vulnerability in Internet Explorer (IE) that will execute the incoming Bugbear attachment file when it is previewed in Outlook and Outlook Express. Outlook and Outlook Express rely on IE to render certain types of e-mail and attachments. By specifying a special MIME type for itself, Bugbear is able to cause IE to execute it.
• open NetBIOS file shares: BugBear scans the Internet for insecure NetBIOS file shares. It attempts to install itself in the Windows Startup directory so it will be executed when the computer is rebooted.

• Searches the computer for a list of e-mail addresses and, using its own SMTP engine, sends a copy of itself to each.
• Scans the internet for open NetBIOS file shares and installs itself where it can.
• Attempts to terminate a long list of processes which represent the majority of popular antivirus and personal firewall software. The worm will succeed in disabling the security software unless there is specific protection from this type of attack.
• Creates a Windows registry key to cause itself to be executed again upon reboot.
• Installs a backdoor for itself on TCP port 36794 which can be can be used to relay keystrokes (e.g., passwords and credit card numbers) and execute system commands.

The Ramen worm spreads using Red Hat Linux 6.2 and 7.0 systems by exploiting well-known vulnerabilities in wu-ftpd, rpc.statd, and LPRng. When the Ramen worm installs itself on a new host, it takes the following actions:

• Shuts off the services it uses to propogate, thereby preventing other instances of the worm from re-infecting the host
• If the host is running a web server, replaces the home page with its own page
• Sends e-mail to an anonymous account, presumably the author of the worm, for the purpose of tracking the worm's spread
• Opens TCP port 27374 for the purpose of distributing itself as a .tar file
• Scans a random block of addresses for vulnerable versions of wu-ftpd, rpc.statd, and LPRng, and if one is found, exploits the vulnerability to retrieve and install itself on the target host

The Lion worm spreads by scanning random Class B networks for well-known vulnerabilities in BIND domain name servers. When a vulnerable server is found, the worm exploits the vulnerability and does a number of things to the victim. The most serious things it does are the following:

• Sends copies of the /etc/passwd and /etc/shadow files and other system information to an address in the china.com domain.
• Deletes the /etc/hosts.deny file, thus disabling any access control that may have been provided by TCP wrappers
• Opens a backdoor root shell on TCP ports 33567 and 60008
• Installs a trojan horse version of Secure Shell (ssh) in place of the Name Service Caching Daemon (nscd) and runs it on TCP port 33568
• Installs a trojan horse version of the login utility
• Kills the syslogd process, thus disabling the system's logging capabilities
• Installs the t0rn rootkit, which replaces several system commands with trojan horse versions

The Adore worm, also known as the Red worm, is similar to the Ramen and Lion worms. It spreads itself by exploiting vulnerabilities in LPRng, rpc.statd, wu-ftpd, and BIND. After gaining access to a system, it performs the following actions:

• Replaces the system binary ps with a Trojan horse version and moves the original to /usr/bin/adore
• Installs files in /usr/lib/lib
• Sends e-mail to four different e-mail addresses containing the contents of /etc/shadow (the encrypted system passwords) and other sensitive information about the system
• Runs a backdoor program called icmp which opens a root shell on a pre-defined port after receiving an ICMP request of a particular length.
• Sets up a cron job to remove all traces of the worm's existence, except the backdoor, and reboot at 4:02 A.M.

The lprw0rm spreads by scanning random Class B networks for vulnerable LPRng print servers. Upon gaining access to a vulnerable machine, the worm performs the following actions:

• Downloads a copy of itself from a web site
• Creates two backdoor accounts called kork and kork2, the latter of which having root privileges
• Opens a root shell on port 666
• Replaces the system login and ps utilities with trojan horse versions
• Mails sensitive system information to an outside e-mail address
• Runs an IRC bot which connects to an IRC channel and allows a remote attacker to execute arbitrary commands

The sadmind/IIS worm affects Solaris and Windows servers. It propogates by exploiting a buffer overflow condition in the Solaris sadmind service. After gaining access to a Solaris host, it performs the following actions:

• Runs an exploit against vulnerable IIS systems, and if successful, changes the web page on the IIS system
• Opens a root shell on TCP port 600
• Adds the string "+ +" to the .rhosts file under the root user's home directory
• Creates directories called /dev/cub and /dev/cuc which contain logs and tools used by the worm
• Propogates to other vulnerable Solaris systems
• Modifies the Solaris system's index.html file after compromising 2000 IIS systems.

The Code Red worm spreads by exploiting a vulnerability in the handling of .ida files by Microsoft IIS web servers. The worm's most notable actions are spawning numerous processes which search for other vulnerable web servers at random, and replacing the web server's home page. What is unique about this worm is that it resides only in memory and doesn't create or modify any files on the computer. The apparently defaced web page is not actually saved to the disk, but appears because the worm intercepts requests from web browsers.

The Code Red II worm is not related to the Code Red worm, but was apparently inspired by the original worm, and propogates using the same vulnerability in Microsoft IIS. It uses an algorithm to select new target addresses which are likely to be well populated, thus accelerating its propogation.

The Code Red II worm is potentially more dangerous than the original Code Red worm because it opens a backdoor on infected systems. By copying cmd.exe to the \inetpub\scripts and \progra~1\common~1\system\MSADC\ directories, it allows commands to be executed from any web browser. Furthermore, a Trojan Horse program called explorer.exe modifies the registry to create a virtual web root encompassing the entire drive, thus allowing access to cmd.exe even if the copies mentioned above are deleted.

The Nimda worm, also known as the Concept Virus, is capable of spreading very fast because it uses four separate exploits to propogate:

1. IIS vulnerabilities, including the Directory Traversal vulnerability and backdoors left behind by the Code Red and sadmin/IIS worms. Upon finding a vulnerable server, the worm copies a file called Admin.dll to the server using the TFTP protocol.
2. Automatic Execution of Embedded MIME types, which causes an attachment called readme.exe to automatically run when an e-mail message is opened. The attachment is sent in an e-mail message which sometimes comes from a spoofed address.
3. Infection of web pages with malicious JavaScript which causes some browsers to automatically download and execute a file called readme.eml, due to the same vulnerability as in the item above. The worm appends the malicious JavaScript code to all files ending in .html, .htm, and .asp.
4. Copying itself using Open File Shares. The worm copies a file called readme.eml to every writable directory, including shared network drives where it can be run on other systems.

• replaces many executable files on the system with Trojan Horse versions which run the worm any time an infected file is run
• positions itself in such a way that it is executed whenever a document is opened
• creates a backdoor on the system by enabling the guest account and by sharing the C drive so that the entire drive is readable and writable remotely

9/17/02
The Apache/mod_ssl worm, also known as the Slapper worm and the bugtraq.c worm, spreads by exploiting a vulnerability in OpenSSL through Apache web servers with the mod_ssl module. Upon successful exploitation of the vulnerability, the worm compiles and runs a copy of itself, called /tmp/.bugtraq.c, on the vulnerable server. Once running, it will search for other potentially vulnerable web servers to which to spread itself, and will act as a distributed denial-of-service agent. The agent communicates with agents on other infected servers to send and receive attack commands and information about other infected hosts.

Resolution

To remove the Bugbear worm you can run McAfee AVERT Stinger or Symantec's W32.Bugbear@MM Removal Tool.

To remove the Ramen worm, follow these steps:

1. Delete /usr/src/.poop and /sbin/asp.
2. If it exists, remove /etc/xinetd.d/asp
3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any file in /etc/src/.poop.
4. Remove any lines in /etc/inetd.conf referring to /sbin/asp.
5. Reboot the system or manually kill any processes such as synscan, start.sh, scan.sh, hackl.sh, or hackw.sh.

No procedure for removing the Lion worm has been publicized at this time. It is recommended that infected machines be taken offline until either the system can be restored from a clean backup or a removal procedure is developed. Check SANS regularly for any further developments.

To remove the Adore worm, download and run the Adorefind utility. It can be run on an infected system to find files which are part of the worm and delete them.

There is no standard procedure for removing lprw0rm. If your system has been compromised by this worm, it would be advisable to restore files such as /etc/inetd.conf (or equivalent), /etc/passwd, /etc/shadow, /bin/ps, and /bin/login from backups, and to delete everything found in /dev/.kork.

There is no tool or procedure available to remove the sadmind/IIS worm. It is recommended that the system be taken offline until it can be restored from backups and until the vulnerabilities in sadmind and IIS have been patched. See Sun Security Bulletin #00191 for Solaris patch information and Microsoft Security Bulletin 00-078 for IIS patch information.

To remove the Code Red worm, simply reboot the computer.

Unlike the Code Red worm, the Code Red II worm cannot be remedied simply by rebooting the computer. Although the worm itself is entirely memory-resident, the backdoors which it creates remain on the system after a reboot. To remove the backdoors, delete the root.exe files from both the \inetpub\scripts directory and the \progra~1\common~1\system\MSADC directory. Also delete the explorer.exe files from both C:\ and D:\ before rebooting the system, because those are Trojan Horse programs which run after a reboot. If the system has already been rebooted, remove the virtual roots /c and /d from your IIS web server configuration, and reset the affected registry keys as described in SecurityFocus Incidents.

Since the Nimda worm makes extensive changes to the system, an entire infected system should be deleted and reinstalled. Be sure to install all necessary patches before re-connecting the machine to the network. See Microsoft Security Bulletins 01-020, 01-027, and 01-044.

To remove the Apache/mod_ssl worm, kill the process and delete it from the system:

killall -9 .bugtraq
rm /tmp/.bugtraq /tmp/.uubugtraq /tmp/.bugtraq.c

Where can I read more about this?

The Ramen worm was discussed in an X-Force advisory and in the Symantec AntiVirus Research Center.

More information about the Lion worm is available from the SANS Global Incident Analysis Center.

More information about the Adore worm is also available from SANS.

More information about lprw0rm was posted to the SecurityFocus Incidents mailing list.

More information about the sadmind/IIS worm is available in CERT Advisory 2001-11.

More information about the Code Red worm is available in an alert from eEye and in CERT Advisories 2001-19 and 2001-23.

The Code Red II worm was analyzed by SecurityFocus ARIS.

The Nimda worm was reported in CERT Advisory 2001-26, CIAC Bulletin L-144, and SANS Emergency Incident Handler. The Nimda.E worm was reported in the SANS Emergency Incident Handler.

The Apache/mod_ssl worm was reported in CERT Advisory 2002-27.

For general information about worms and how they differ from viruses, see the Symantec AntiVirus Research Center.