Worm Detected
Updated 10/04/02
Impact
There is evidence that the system has been penetrated by
an Internet worm. Files or system information may have
been transmitted to remote parties, unauthorized file
modifications may have taken place, and backdoors allowing
unauthorized access may be present. Furthermore, it is
likely that the system is being used as a launching
point for further propagation of the worm across the
network.
Background
A worm is a self-replicating program designed to spread across a
network without requiring any outside actions to take place.
The main difference between a worm and a virus is that a
virus relies on human actions, such as opening e-mail attachments or
sharing files, to copy itself from one computer to another,
whereas a worm is able to do so independently, allowing
it to spread much faster.
The Problems
Bugbear worm
10/04/02
The Bugbear worm spreads through MS Windows systems using two methods:
- e-mail:
The worm takes advantage of a well-known vulnerability in Internet
Explorer (IE) that will execute the incoming Bugbear attachment file
when it is previewed in Outlook and Outlook Express. Outlook and
Outlook Express rely on IE to render certain types of e-mail and
attachments. By specifying a special MIME type for itself, Bugbear
is able to cause IE to execute it.
- open NetBIOS file shares: Bugbear scans the Internet for
insecure NetBIOS file shares. It attempts to install itself in the
Windows Startup directory so it will be executed when the computer
is rebooted.
Once Bugbear executes on a new host, it takes the following actions:
- Searches the computer for a list of e-mail addresses and, using
its own SMTP engine, sends a copy of itself to each.
- Scans the internet for open NetBIOS file shares and installs
itself where it can.
- Attempts to terminate a long list of processes which represent
the majority of popular antivirus and personal firewall software.
The worm will succeed in disabling the security software unless
there is specific protection from this type of attack.
- Creates a Windows registry key to cause itself to be executed
again upon reboot.
- Installs a backdoor for itself on TCP port 36794 which can
be used to relay keystrokes (e.g., passwords and credit card
numbers) and execute system commands.
Ramen worm
The Ramen worm spreads among Red Hat Linux 6.2 and 7.0
systems by exploiting well-known vulnerabilities in
wu-ftpd, rpc.statd,
and LPRng. When the Ramen worm installs
itself on a new host, it takes the following actions:
- Shuts off the services it uses to propagate, thereby
preventing other instances of the worm from re-infecting
the host
- If the host is running a web server, replaces the home
page with its own page
- Sends e-mail to an anonymous account, presumably the
author of the worm, for the purpose of tracking the worm's
spread
- Opens TCP port 27374 for the purpose of distributing
itself as a .tar file
- Scans a random block of addresses for vulnerable versions
of wu-ftpd, rpc.statd,
and LPRng, and if one is found, exploits
the vulnerability to retrieve and install itself on the target
host
Lion worm
The Lion worm spreads by scanning random Class B networks for
well-known vulnerabilities in BIND domain name servers. When
a vulnerable server is found, the worm exploits the
vulnerability and makes a number of changes to the victim.
The most serious are the following:
- Sends copies of the /etc/passwd and
/etc/shadow files and other system information
to an address in the china.com domain.
- Deletes the /etc/hosts.deny file, thus
disabling any access control that may have been provided
by TCP wrappers
- Opens a backdoor root shell on TCP ports 33567 and 60008
- Installs a trojan horse version of Secure Shell (ssh) in
place of the Name Service Caching Daemon (nscd) and
runs it on TCP port 33568
- Installs a trojan horse version of the login utility
- Kills the syslogd process, thus disabling the
system's logging capabilities
- Installs the t0rn rootkit, which replaces several
system commands with trojan horse versions
Adore worm
The Adore worm, also known as the Red worm, is similar to
the Ramen and Lion worms. It spreads itself by exploiting
vulnerabilities in LPRng, rpc.statd,
wu-ftpd, and BIND. After gaining access
to a system, it performs the following actions:
- Replaces the system binary ps with
a Trojan horse version and moves the original to /usr/bin/adore
- Installs files in /usr/lib/lib
- Sends e-mail to four different e-mail addresses containing
the contents of /etc/shadow (the encrypted
system passwords) and other sensitive information about the
system
- Runs a backdoor program called icmp which
opens a root shell on a pre-defined port after receiving
an ICMP request of a particular length.
- Sets up a cron job to remove all traces of the worm's
existence, except the backdoor, and reboot at 4:02 A.M.
There is also a variant of Adore which performs several
other actions in addition to the above, such as
adding two new system accounts and sending out e-mail
to two more e-mail addresses.
lprw0rm
The lprw0rm spreads by scanning random Class B networks
for vulnerable LPRng print
servers. Upon gaining access to a vulnerable machine,
the worm performs the following actions:
- Downloads a copy of itself from a web site
- Creates two backdoor accounts called kork and kork2,
the latter of which has root privileges
- Opens a root shell on port 666
- Replaces the system login and ps utilities
with trojan horse versions
- Mails sensitive system information to an outside e-mail
address
- Runs an IRC bot which connects to an IRC channel and
allows a remote attacker to execute arbitrary commands
The web site which was being used to distribute the worm
has since been shut down, thereby stopping the spread of
this worm. However, even without the ability to download
itself from the web site, the worm can still create the
backdoor accounts and root shell on any new victim machines.
sadmind/IIS worm
The sadmind/IIS worm affects Solaris and Windows servers.
It propagates by exploiting a buffer overflow condition in
the Solaris sadmind service. After gaining
access to a Solaris host, it performs the following actions:
- Runs an exploit against vulnerable IIS systems, and if
successful, changes the web page on the IIS system
- Opens a root shell on TCP port 600
- Adds the string "+ +" to the .rhosts
file under the root user's home directory
- Creates directories called /dev/cub and
/dev/cuc which contain logs and tools used
by the worm
- Propagates to other vulnerable Solaris systems
- Modifies the Solaris system's index.html
file after compromising 2000 IIS systems.
Code Red worm
The Code Red worm spreads by exploiting a vulnerability
in the handling of .ida files by Microsoft
IIS web servers. The worm's most notable actions are spawning
numerous processes which search for other vulnerable web
servers at random, and replacing the web server's home page. What
is unique about this worm is that it resides only in memory
and doesn't create or modify any files on the computer.
The apparently defaced web page is not actually saved to
the disk, but appears because the worm intercepts requests
from web browsers.
Code Red II worm
The Code Red II worm is not related to the Code Red worm,
but was apparently inspired by the original worm, and
propagates using the same vulnerability in Microsoft IIS.
It uses an algorithm to select new target addresses which
are likely to be well populated, thus accelerating its
propagation.
The Code Red II worm is potentially more dangerous than
the original Code Red worm because it opens a backdoor
on infected systems. By copying cmd.exe
to the \inetpub\scripts and
\progra~1\common~1\system\MSADC\ directories,
it allows commands to be executed from any web browser.
Furthermore, a Trojan Horse program called explorer.exe
modifies the registry to create a
virtual web root encompassing the entire drive, thus allowing
access to cmd.exe even if the copies mentioned
above are deleted.
Nimda and Nimda.E worm
The Nimda worm, also known as the Concept Virus, is capable of spreading very fast because
it uses four separate exploits to propagate:
- IIS vulnerabilities, including the Directory Traversal
vulnerability and backdoors left behind by the Code Red and
sadmind/IIS worms. Upon finding a vulnerable server, the worm
copies a file called Admin.dll to the server
using the TFTP protocol.
- Automatic Execution of Embedded MIME types,
which causes an attachment called readme.exe
to automatically run when an e-mail message is opened. The
attachment is sent in an e-mail message which sometimes comes
from a spoofed address.
- Infection of web pages with malicious JavaScript which
causes some browsers to automatically download and execute a file called
readme.eml, due to the same vulnerability as in
the item above. The worm appends the malicious JavaScript
code to all files ending in .html, .htm,
and .asp.
- Copying itself using Open File Shares. The worm
copies a file called readme.eml to every writable directory,
including shared network drives where it can be run on other
systems.
In addition to the actions mentioned above which the worm
uses to propagate, it also does the following:
- replaces many executable files on the system with Trojan Horse versions
which run the worm any time an infected file is run
- positions itself in such a way that it is executed
whenever a document is opened
- creates a backdoor on the system by enabling the guest
account and by sharing the C drive so that the entire drive
is readable and writable remotely
The Nimda.E worm is a variation of the Nimda worm. It has all
of the same characteristics as the Nimda worm, but the filenames it uses
have been changed to avoid detection by intrusion detection tools and
scanners.
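The request patterns described for Code Red, Code Red II and Nimda above (the .ida handler, copies of cmd.exe and root.exe reachable under /scripts, /msadc and the /c and /d virtual roots, readme.eml and Admin.dll, and directory traversal) all leave traces in the IIS access log, which is usually the quickest way to tell a probe from an actual compromise. The following is an added example, not code from this advisory or from any vendor named on this page: it parses W3C-style IIS log lines (reduced here to date, time, client IP, method, URI stem, URI query and status) and tallies the indicators per source address. The log lines are constructed for the demonstration, and the script assumes the MSADC directory is served as /msadc, as it is in a default IIS installation.

```python
"""Triage IIS access-log lines for the Code Red, Code Red II and Nimda request
patterns described above.  Added example, not code from this advisory; the
lines in SAMPLE_LOG are constructed, and the layout is W3C extended logging
reduced to: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
import re
from collections import Counter

# Request indicators drawn from the worm descriptions on this page.
INDICATORS = [
    ("Code Red/Code Red II .ida request", re.compile(r"\.ida(\?|$)", re.I)),
    ("Code Red II root.exe backdoor", re.compile(r"^/(scripts|msadc)/root\.exe", re.I)),
    ("Code Red II virtual-root cmd.exe", re.compile(r"^/[cd]/.*cmd\.exe", re.I)),
    ("Nimda readme.eml or Admin.dll", re.compile(r"(readme\.eml|admin\.dll)", re.I)),
    ("IIS directory traversal", re.compile(r"(\.\./|%2e%2e)", re.I)),
]
# Indicators whose 2xx response means the backdoor exists, not merely that it was probed.
BACKDOOR_LABELS = {"Code Red II root.exe backdoor", "Code Red II virtual-root cmd.exe"}

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one benign client, one Code Red II-style client, one Nimda-style client.
SAMPLE_LOG = """\
2002-10-04 13:01:22 192.0.2.10 GET /default.htm - 200
2002-10-04 13:01:25 192.0.2.44 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 404
2002-10-04 13:02:01 192.0.2.44 GET /scripts/root.exe - 200
2002-10-04 13:02:03 192.0.2.44 GET /c/winnt/system32/cmd.exe - 200
2002-10-04 13:02:09 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe - 404
2002-10-04 13:03:11 198.51.100.7 GET /readme.eml - 200
""".splitlines()

def parse_line(line):
    """Return the log fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Labels of every indicator matching the request's path plus query."""
    target = rec["path"] + ("?" + rec["query"] if rec["query"] else "")
    return [label for label, rx in INDICATORS if rx.search(target)]

def triage(lines):
    """Map each source IP to a Counter of the indicators it triggered."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec)
        if labels:
            hits.setdefault(rec["ip"], Counter()).update(labels)
    return hits

def confirmed_backdoors(lines):
    """Sorted (ip, path) pairs where a backdoor path answered 2xx.  A 404 on
    root.exe is a scan; a 200 means the file is present on this server."""
    found = set()
    for line in lines:
        rec = parse_line(line)
        if rec and 200 <= rec["status"] < 300:
            if any(label in BACKDOOR_LABELS for label in classify(rec)):
                found.add((rec["ip"], rec["path"]))
    return sorted(found)

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("confirmed backdoors:", confirmed_backdoors(SAMPLE_LOG))
```

The status code is the important field: every server on the Internet was hit with these requests in 2001, so a 404 for /scripts/root.exe says only that the host was scanned, while a 2xx says the copy of cmd.exe is really there and the host needs the Code Red II removal steps in the Resolution section.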
Apache/mod_ssl worm
9/17/02
The Apache/mod_ssl worm, also known as the Slapper worm
and the bugtraq.c worm, spreads by exploiting a vulnerability
in OpenSSL through Apache web servers with the mod_ssl
module. Upon successful exploitation of the vulnerability,
the worm compiles and runs a copy of itself, called
/tmp/.bugtraq.c, on the vulnerable server.
Once running, it will search for other potentially vulnerable
web servers to which to spread itself, and will act as
a distributed denial-of-service agent. The agent communicates
with agents on other infected servers to send and receive
attack commands and information about other infected hosts.
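The worm descriptions above (Bugbear, Ramen, Lion, Adore, lprw0rm, sadmind/IIS and Apache/mod_ssl) together give a short list of host indicators: backdoor ports, files and directories, extra accounts, a deleted /etc/hosts.deny and a "+ +" entry in root's .rhosts. The following is an added example, not a tool from this advisory or from any of the vendors it cites, that checks a host for all of them in one pass. It takes a filesystem root prefix so it can be pointed at a mounted image of a suspect disk as well as at "/"; the netstat and passwd samples are constructed for the demonstration, and the two .rhosts locations it checks are an assumption about where root's home directory is (/ on Solaris, /root on Linux).

```python
"""Audit a host for the listening ports, files, accounts and configuration
changes this page lists as worm artifacts.  Added example, not a tool from the
advisory or its cited vendors; root is a filesystem prefix (a mounted image of
the suspect disk, or "/"), the samples are constructed, and the two .rhosts
locations checked are an assumption about where root's home directory is."""
import os
import re
import tempfile

BACKDOOR_PORTS = {              # TCP ports named on this page
    36794: "Bugbear backdoor", 27374: "Ramen .tar distribution",
    33567: "Lion root shell", 60008: "Lion root shell", 33568: "Lion trojaned ssh",
    666: "lprw0rm root shell", 600: "sadmind/IIS root shell",
}
ARTIFACT_PATHS = {              # paths named on this page, relative to root
    "usr/src/.poop": "Ramen", "sbin/asp": "Ramen", "etc/xinetd.d/asp": "Ramen",
    "usr/bin/adore": "Adore (original ps moved here)", "usr/lib/lib": "Adore",
    "dev/.kork": "lprw0rm", "dev/cub": "sadmind/IIS", "dev/cuc": "sadmind/IIS",
    "tmp/.bugtraq.c": "Apache/mod_ssl", "tmp/.bugtraq": "Apache/mod_ssl",
}
BACKDOOR_ACCOUNTS = {"kork": "lprw0rm", "kork2": "lprw0rm"}

# Local-address token in netstat -an output: "0.0.0.0:27374" (Linux, Windows)
# or "*.27374" (Solaris); the port is the final numeric component.
ADDR_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|\*|\[[0-9a-f:]*\]|[0-9a-f:]+)[.:](\d+)$", re.I)

def flag_listeners(netstat_lines):
    """(port, label, line) for each LISTEN/LISTENING socket on a known backdoor port."""
    hits = []
    for line in netstat_lines:
        if "LISTEN" not in line.upper():
            continue
        for tok in line.split():
            m = ADDR_RE.match(tok)
            if m:               # the first address-like token is the local address
                port = int(m.group(1))
                if port in BACKDOOR_PORTS:
                    hits.append((port, BACKDOOR_PORTS[port], line.strip()))
                break
    return hits

def flag_files(root):
    """(relative path, worm) for each artifact present under root."""
    return [(rel, worm) for rel, worm in ARTIFACT_PATHS.items()
            if os.path.lexists(os.path.join(root, rel))]

def flag_accounts(passwd_text):
    """(name, worm, has_uid_0) for each backdoor account in passwd(5) text."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[0] in BACKDOOR_ACCOUNTS:
            hits.append((f[0], BACKDOOR_ACCOUNTS[f[0]], f[2] == "0"))
    return hits

def flag_config(root):
    """Lion deletes /etc/hosts.deny; sadmind/IIS puts '+ +' in root's .rhosts."""
    issues = []
    if not os.path.exists(os.path.join(root, "etc/hosts.deny")):
        issues.append("/etc/hosts.deny missing (TCP wrappers access control disabled)")
    for rel in (".rhosts", "root/.rhosts"):         # assumed locations of root's home
        path = os.path.join(root, rel)
        if os.path.isfile(path) and any(ln.strip() == "+ +" for ln in open(path).read().splitlines()):
            issues.append("/%s trusts every host and user ('+ +')" % rel)
    return issues

def audit_host(root, netstat_lines, passwd_text):
    return {"listeners": flag_listeners(netstat_lines), "files": flag_files(root),
            "accounts": flag_accounts(passwd_text), "config": flag_config(root)}

# Constructed netstat -an excerpts in Linux, Solaris and Windows layouts.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
      *.33567              *.*                0      0 24576      0 LISTEN
  TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
tcp        0      0 192.0.2.5:22            198.51.100.9:40112      ESTABLISHED
""".splitlines()
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "kork:x:1001:1001::/home/kork:/bin/bash\n"
                 "kork2:x:0:0::/root:/bin/bash\n")

def build_sample_root():
    """Constructed image: Ramen and lprw0rm directories, '+ +' in root's
    .rhosts, and no /etc/hosts.deny."""
    root = tempfile.mkdtemp()
    for d in ("etc", "usr/src/.poop", "dev/.kork", "root"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "root/.rhosts"), "w") as fh:
        fh.write("+ +\n")
    return root

if __name__ == "__main__":
    for section, findings in audit_host(build_sample_root(), SAMPLE_NETSTAT, SAMPLE_PASSWD).items():
        print(section, findings)
```

Run netstat and read /etc/passwd from known-good media where possible: several of these worms replace ps, login and other system binaries with trojan horse versions, so output from the infected host's own tools cannot be trusted, which is also why the file checks are written against a root prefix rather than the live system.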
Resolution
The paragraphs below explain how to remove a worm
from an infected system. However, removal of the worm
does not solve the problem at its roots. The presence of
the worm is evidence that a critical vulnerability exists
on the host. The system should be taken offline until
it is certain that the vulnerable services are upgraded
to the latest, patched versions.
To remove the Bugbear worm you can run
McAfee AVERT Stinger
or Symantec's
W32.Bugbear@MM Removal Tool.
To remove the Ramen worm, follow these steps:
- Delete /usr/src/.poop and /sbin/asp.
- If it exists, remove /etc/xinetd.d/asp
- Remove all lines in /etc/rc.d/rc.sysinit
which refer to any file in /usr/src/.poop.
- Remove any lines in /etc/inetd.conf
referring to /sbin/asp.
- Reboot the system or manually kill any processes such
as synscan, start.sh,
scan.sh, hackl.sh,
or hackw.sh.
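The Ramen removal steps above, as an added example script (not a tool from this advisory or from any vendor named here): it applies the deletions and config-line removals to a filesystem under a root prefix, reports the planned actions first when dry_run is set, and picks the PIDs of the processes named in the last step out of ps output. The infected tree and the ps lines it works on are constructed for the demonstration; the rc.sysinit and inetd.conf contents in build_infected_tree() are made up and only need to contain the references the steps tell you to remove.

```python
"""Carry out the Ramen removal steps listed above against a filesystem under a
root prefix (a mounted image of the infected disk, or "/" on the live host).
Added example, not a tool from the advisory.  dry_run=True only reports the
actions; the tree from build_infected_tree() and SAMPLE_PS are constructed."""
import os
import shutil
import tempfile

RAMEN_PATHS = ["usr/src/.poop", "sbin/asp", "etc/xinetd.d/asp"]
# (config file, substring marking a line the worm added)
RAMEN_CONFIG_LINES = [("etc/rc.d/rc.sysinit", "/usr/src/.poop"),
                      ("etc/inetd.conf", "/sbin/asp")]
RAMEN_PROCESSES = {"synscan", "start.sh", "scan.sh", "hackl.sh", "hackw.sh"}

def strip_lines(path, marker, dry_run):
    """Drop every line of path containing marker; return the dropped lines."""
    with open(path) as fh:
        lines = fh.readlines()
    removed = [ln for ln in lines if marker in ln]
    if removed and not dry_run:
        with open(path, "w") as fh:
            fh.writelines(ln for ln in lines if marker not in ln)
    return removed

def clean_ramen(root, dry_run=True):
    """Return the actions taken (or, with dry_run, the actions that would be taken)."""
    actions = []
    for rel in RAMEN_PATHS:
        full = os.path.join(root, rel)
        if os.path.lexists(full):
            actions.append(("delete", rel))
            if not dry_run:
                if os.path.isdir(full) and not os.path.islink(full):
                    shutil.rmtree(full)
                else:
                    os.remove(full)
    for rel, marker in RAMEN_CONFIG_LINES:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            for ln in strip_lines(full, marker, dry_run):
                actions.append(("strip", rel, ln.rstrip("\n")))
    return actions

def artifacts_present(root):
    """Relative paths from RAMEN_PATHS that still exist under root."""
    return [rel for rel in RAMEN_PATHS if os.path.lexists(os.path.join(root, rel))]

def worm_pids(ps_lines):
    """PIDs from 'ps -eo pid,args'-style lines whose argv names a Ramen component
    (basename match, so 'sh /usr/src/.poop/start.sh' is caught too)."""
    pids = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            if any(os.path.basename(tok) in RAMEN_PROCESSES for tok in parts[1].split()):
                pids.append(int(parts[0]))
    return pids

# Constructed ps output.
SAMPLE_PS = """\
  PID COMMAND
    1 init [3]
  812 /usr/sbin/sshd
 1402 /usr/src/.poop/synscan 10.0
 1405 sh /usr/src/.poop/start.sh
""".splitlines()

def build_infected_tree():
    """Constructed tree carrying the Ramen artifacts named in the steps above."""
    root = tempfile.mkdtemp()
    for d in ("usr/src/.poop", "sbin", "etc/rc.d"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "usr/src/.poop/start.sh"), "w").close()
    open(os.path.join(root, "sbin/asp"), "w").close()
    with open(os.path.join(root, "etc/rc.d/rc.sysinit"), "w") as fh:
        fh.write("#!/bin/bash\n/usr/src/.poop/start.sh\nmount -a\n")
    with open(os.path.join(root, "etc/inetd.conf"), "w") as fh:
        fh.write("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                 "asp stream tcp nowait root /sbin/asp /sbin/asp\n")
    return root

if __name__ == "__main__":
    root = build_infected_tree()
    for action in clean_ramen(root, dry_run=True):
        print("would", *action)
    print("worm PIDs in sample ps output:", worm_pids(SAMPLE_PS))
```

Review the dry-run output before running with dry_run=False, and remember that the cleanup only removes the worm; the wu-ftpd, rpc.statd and LPRng vulnerabilities it came in through still have to be patched before the host goes back on the network.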
No procedure for removing the Lion worm has been
publicized at this time. It is recommended that infected
machines be taken offline until either the system can
be restored from a clean backup or a removal procedure
is developed. Check SANS
regularly for any further developments.
To remove the Adore worm, download and run
the Adorefind
utility. It can be run on an infected system to find
files which are part of the worm and delete them.
There is no standard procedure for removing lprw0rm.
If your system has been compromised by this worm, it
would be advisable to restore files such as /etc/inetd.conf
(or equivalent), /etc/passwd, /etc/shadow,
/bin/ps, and /bin/login from
backups, and to delete everything found in /dev/.kork.
There is no tool or procedure available to remove the
sadmind/IIS worm. It is recommended that the
system be taken offline until it can be restored from
backups and until the vulnerabilities in sadmind
and IIS have been patched. See
Sun
Security Bulletin #00191 for Solaris patch information
and Microsoft
Security Bulletin 00-078 for IIS patch information.
To remove the Code Red worm, simply reboot the computer.
Unlike the Code Red worm, the Code Red II worm cannot
be remedied simply by rebooting the computer. Although the
worm itself is entirely memory-resident, the backdoors which it
creates remain on the system after a reboot. To remove the backdoors,
delete the root.exe files from both the
\inetpub\scripts directory and the
\progra~1\common~1\system\MSADC directory.
Also delete the explorer.exe files from both
C:\ and D:\ before rebooting
the system, because those are Trojan Horse programs which run
after a reboot. If the system has already been rebooted, remove
the virtual roots /c and /d from
your IIS web server configuration, and reset the affected
registry keys as described in
SecurityFocus Incidents.
Since the Nimda worm makes extensive changes to the system,
an entire infected system should be deleted and reinstalled.
Be sure to install all necessary patches before re-connecting
the machine to the network. See Microsoft Security Bulletins
01-020,
01-027, and
01-044.
To remove the Apache/mod_ssl worm, kill the process
and delete it from the system:
killall -9 .bugtraq
rm /tmp/.bugtraq /tmp/.uubugtraq /tmp/.bugtraq.c
Where can I read more about this?
The Bugbear worm was discussed in AusCERT advisory
AL-2002.12
and the update
AU-2002.008.
More information about the IE vulnerability which enables the e-mail
method of Bugbear propagation is available in Microsoft Security Bulletin
MS01-20.
The Ramen worm was discussed in an
X-Force advisory and in the
Symantec AntiVirus Research Center.
More information about the Lion worm is available from the
SANS Global Incident Analysis Center.
More information about the Adore worm is also available from
SANS.
More information about lprw0rm was posted to the
SecurityFocus Incidents mailing list.
More information about the sadmind/IIS worm is available
in CERT Advisory
2001-11.
More information about the Code Red worm is available
in an alert from eEye
and in CERT Advisories 2001-19
and 2001-23.
The Code Red II worm was analyzed by
SecurityFocus
ARIS.
The Nimda worm was reported in
CERT Advisory 2001-26,
CIAC Bulletin L-144, and
SANS Emergency Incident Handler.
The Nimda.E worm was reported in the
SANS Emergency Incident Handler.
The Apache/mod_ssl worm was reported in
CERT
Advisory 2002-27.
For general information about worms and how they differ
from viruses, see the Symantec
AntiVirus Research Center.