             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                                Linux worm Adore

April 4, 2001 22:00 GMT                                           Number L-067
______________________________________________________________________________
PROBLEM:       A new Linux worm, Adore, a variant of the Ramen and Lion
               worms, has been discovered by SANS. It continues the
               evolution of the Ramen and Lion worms' capabilities.
PLATFORM:      Linux x86 systems which are not patched with the latest releases 
               of/patches for LPRng, rpc-statd, wu-ftpd, and BIND. 
DAMAGE:        The worm scans systems for exploitable holes in LPRng,
               rpc-statd, wu-ftpd and BIND, gains root access through
               them, and installs a backdoor. It also mails system
               information to specific e-mail addresses and compromises
               some system files.
SOLUTION:      All systems should be patched to the latest releases/patches. 
               If a system has been infected, use the SANS utility named 
               'adorefind' to search an infected system for Adore installed 
               files.  Keep in mind that as the worm mutates in the future,
               the utility may not find all changed files/directories.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The vulnerabilities targeted by Adore are
ASSESSMENT:    being actively exploited. So far, CIAC has received one
               report of the worm itself.
______________________________________________________________________________

[******  Begin SANS Bulletin ******]

William Stearns has written a script Adorefind to detect the Adore worm (see Removal, below, for instructions). Questions concerning this page or the Adorefind tool should be directed to intrusion@sans.org. 

This note is a preliminary characterization of the Adore worm. The worm code can be modified by anyone at any time. We'll try to keep this page updated as we learn more. 

Description

Adore is a worm that we originally called the Red Worm. It is similar to the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to determine whether they are vulnerable to any of the following well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on Red Hat 7.0 systems. From the reports so far, Adore appears to have started its spread on April 1. 

The Adore worm replaces only one system binary, ps, with a trojaned
version and moves the original to /usr/bin/adore. It installs its files
in /usr/lib/lib. It then sends an e-mail to the following addresses:
adore9000@21cn.com, adore9000@sina.com, adore9001@21cn.com, adore9001@sina.com.

Attempts have been made to get these addresses taken offline, but no response so far from the provider. It attempts to send the following information: 

/etc/ftpusers 
ifconfig 
ps -aux (using the original binary in /usr/bin/adore) 
/root/.bash_history 
/etc/hosts 
/etc/shadow 

Adore then runs a package called icmp. Using the options shipped with the tarball, it by default sets the port to listen on and the packet length to watch for. When it sees a packet matching that description, it opens a root shell to accept connections. It also installs a cron job in cron.daily (which runs at 04:02 am local time) that removes all traces of the worm's existence and then reboots the system. It does not, however, remove the backdoor. 
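The host-level artifacts listed above (the displaced original ps at /usr/bin/adore, the /usr/lib/lib install directory, and the cron.daily clean-up job) are concrete enough to check for by hand. The script below is an added example written for this bulletin; it is not the SANS adorefind tool and does not know about any files beyond those named in the text. The optional ROOT argument is an assumption of the example so the same checks can run against a mounted disk image or a constructed test tree; the rpm check assumes ps ships in the procps package, as it does on Red Hat 7.0.

```shell
#!/bin/sh
# Added example, not the SANS adorefind tool: check a host for the Adore
# indicators named in the bulletin. ROOT is an optional path prefix so the
# checks can be run against a mounted image or a test tree instead of /.

# adore_indicators [ROOT]: print one "FOUND" line per indicator present.
# Returns 0 if anything was found, 1 if the tree looks clean.
adore_indicators() {
    root=${1:-}
    status=1

    # Indicator 1: the original ps binary moved to /usr/bin/adore.
    if [ -e "$root/usr/bin/adore" ]; then
        echo "FOUND  $root/usr/bin/adore (displaced original ps)"
        status=0
    fi

    # Indicator 2: the worm's files live under /usr/lib/lib.
    if [ -d "$root/usr/lib/lib" ]; then
        echo "FOUND  $root/usr/lib/lib/ (worm install directory)"
        status=0
    fi

    # Indicator 3: a cron.daily job that refers to the worm's paths
    # (the bulletin says the job wipes traces and reboots at 04:02).
    for job in "$root"/etc/cron.daily/*; do
        [ -f "$job" ] || continue
        if grep -q -e '/usr/lib/lib' -e '/usr/bin/adore' "$job"; then
            echo "FOUND  $job (cron.daily job referencing worm paths)"
            status=0
        fi
    done

    # Indicator 4 (live rpm-based hosts only, ROOT empty): the installed
    # ps no longer matches the package database. Assumes ps is in the
    # procps package; rpm -V prints nothing for files that are unchanged.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        if rpm -V procps 2>/dev/null | grep -q '/bin/ps$'; then
            echo "FOUND  /bin/ps fails rpm verification (possible trojaned ps)"
            status=0
        fi
    fi

    return $status
}
```

Source the file and call adore_indicators with no argument on the suspect host, or pass the mount point of an image taken from it. A clean result here only means these particular indicators are absent; the bulletin warns the worm can be modified, so treat the SANS tool and vendor patches as the authoritative checks.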

Detection

We have developed a utility called adorefind that will detect the adore files on an infected system. Simply download it, uncompress it, and run adorefind. It will list which of the suspect files is on the system.

Once you've downloaded Adorefind, go to the directory that contains the tar file and run the following commands:

tar -xzvf adorefind-0.2.0.tar.gz
cd adorefind-0.2.0
./adorefind

For reference, the md5 checksums for the tar itself, the executable "adorefind" script and the detectlib library should match the following: 

f760ccae518c96b30488a7566d389f82  adorefind
b8b76bc3ff4719818b7aaefcf00a5dcf  detectlib
2734de0b439d2701afbdcfc85ba4dedf  adorefind-0.2.0.tar.gz
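Comparing the published checksums by eye is error-prone, so here is an added example (not part of the adorefind distribution) that checks the tarball and the two extracted files against the sums above before the tool is run. It assumes GNU md5sum (or BSD md5) is on the PATH and that the tarball extracts into adorefind-0.2.0/ as the commands above show.

```shell
#!/bin/sh
# Added example, not part of the SANS adorefind distribution: verify the
# downloaded tarball and extracted files against the bulletin's MD5 sums.

# Checksums as published in the bulletin.
EXPECTED_ADOREFIND=f760ccae518c96b30488a7566d389f82
EXPECTED_DETECTLIB=b8b76bc3ff4719818b7aaefcf00a5dcf
EXPECTED_TARBALL=2734de0b439d2701afbdcfc85ba4dedf

# md5_of FILE: print the hex MD5 digest of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: report and return 0 on a match, 1 on a
# missing file or a mismatch.
verify_md5() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, want $expected)"
    return 1
}

# verify_adorefind [DIR]: check all three files below DIR (default: .).
# Returns 0 only if every file is present and matches.
verify_adorefind() {
    dir=${1:-.}
    rc=0
    verify_md5 "$dir/adorefind-0.2.0.tar.gz"    "$EXPECTED_TARBALL"   || rc=1
    verify_md5 "$dir/adorefind-0.2.0/adorefind" "$EXPECTED_ADOREFIND" || rc=1
    verify_md5 "$dir/adorefind-0.2.0/detectlib" "$EXPECTED_DETECTLIB" || rc=1
    return $rc
}
```

Run verify_adorefind from the directory holding the tarball after the tar command above; a MISMATCH on any file means the download should be discarded and fetched again from one of the mirrors listed at the end of this bulletin.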

Snort already detects most of these signatures.

Removal

As adorefind runs, it will give you the option to stop the running worm jobs and remove the files from the filesystem. 

Protection

You can take the document that Chris Brenton created for the Lion worm and modify it to look for the Adore worm. You should also block outbound e-mail to the four addresses listed above.
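Beyond blocking those four addresses, a mail log that shows deliveries to them is a reliable sign that a host on the network has already been compromised. The script below is an added example, not something from the bulletin or from SANS: it scans a sendmail-style log for "to=<...>" entries naming the worm's addresses. The log line format and the sample lines produced by write_sample_log are constructed for the example; on a real host, point adore_mail_hits at /var/log/maillog or your MTA's equivalent.

```shell
#!/bin/sh
# Added example, not from the bulletin: find mail log entries addressed
# to the four recipients the Adore worm reports to.

ADORE_ADDRS='adore9000@21cn.com adore9000@sina.com adore9001@21cn.com adore9001@sina.com'

# adore_mail_pattern: build an ERE matching "to=<ADDR>" for each worm
# address, with dots escaped so they match literally.
adore_mail_pattern() {
    pattern=''
    for a in $ADORE_ADDRS; do
        esc=$(printf '%s' "$a" | sed 's/\./\\./g')
        pattern="${pattern}${pattern:+|}to=<${esc}>"
    done
    printf '%s' "$pattern"
}

# adore_mail_hits LOGFILE: print matching lines; return 0 if any match,
# 1 if none (grep's own exit status).
adore_mail_hits() {
    grep -E "$(adore_mail_pattern)" "$1"
}

# adore_mail_count LOGFILE: print the number of matching lines.
adore_mail_count() {
    grep -E -c "$(adore_mail_pattern)" "$1"
}

# write_sample_log FILE: constructed maillog excerpt for the example
# (two worm reports sent as root, one benign local delivery).
write_sample_log() {
    cat > "$1" <<'EOF'
Apr  4 04:05:11 victim sendmail[1412]: f344591N001412: to=<adore9000@21cn.com>, ctladdr=<root@victim> (0/0), delay=00:00:02, mailer=esmtp, relay=mx.example.invalid., stat=Sent
Apr  4 04:05:11 victim sendmail[1413]: f344591N001413: to=<root@victim>, ctladdr=<root@victim> (0/0), delay=00:00:00, mailer=local, stat=Sent
Apr  4 04:05:12 victim sendmail[1414]: f344591N001414: to=<adore9001@sina.com>, ctladdr=<root@victim> (0/0), delay=00:00:01, mailer=esmtp, relay=mx.example.invalid., stat=Deferred
EOF
}
```

A hit with stat=Sent means the system information listed in the Description section (including /etc/shadow) has already left the host, so the affected machine should be treated as fully compromised and its credentials rotated, not merely cleaned with adorefind.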

References

Further information can be found at:

http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND 
http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code 
http://www.sans.org/y2k/ramen.htm Information about the Ramen worm. 
http://www.sans.org/y2k/DDoS.htm DDoS handling steps 
http://www.isc.org/products/BIND/bind-security.html Web site for the creators of BIND 


The following vendor update pages may help you in fixing the original BIND vulnerability: 

Vendor / Advisory / URL:

Redhat Linux
  RHSA-2001:007-03 - BIND remote exploit
    http://www.redhat.com/support/errata/RHSA-2001-007.html
  RHSA-2000-065-06 - LPRng exploit
    http://www.redhat.com/support/errata/RHSA-2000-065-06.html
  RHSA-2000-039-02 - wuftpd remote exploit
    http://www.redhat.com/support/errata/RHSA-2000-039-02.html
  RHSA-2000-039-02 - Rpc statd exploit
    http://www.redhat.com/support/errata/RHSA-2000-043-03.html

Debian GNU/Linux
  DSA-026-1 BIND
    http://www.debian.org/security/2001/dsa-026

SuSE Linux
  SuSE-SA:2001:03 - BIND 8 remote root compromise
    http://www.suse.com/de/support/security/2001_003_bind8_txt.txt

Caldera Linux
  CSSA-2001-008.0 BIND buffer overflow
    http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
    http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

Slackware (linuxsecurity.com advisory)
  1/30/2001 : Slackware: 'bind' vulnerabilities
    http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html

Mandrake
  MDKSA-2001:017 BIND vulnerabilities
    http://www.linuxmandrake.com/en/security/2001/MDKSA-2001-017.php3?dis=7.2

TurboLinux
  TLSA2001004-1 BIND vulnerabilities
    http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html

Immunix 6.2 and 7.0-beta
  IMNX-2001-70-001-01 BIND vulnerabilities
    http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01

Conectiva
  CLSA-2001:377 BIND vulnerabilities
    http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377

Storm Linux
  (see Debian)

Frequently Asked Questions (FAQ)

I'm running Unix-like Operating System X on Processor Y. Am I vulnerable to Adore? 

The only class of systems currently attacked by the sole known Lion variant is Linux systems running on the x86 processor architecture. That said, the design allows for future variants to be released that attack some other Unix lookalike or some other processor type. At the very least, you should run adorefind to do a quick check. Also, no matter what your flavor of Unix or CPU type, you should be applying your vendor's patches! 

I'm running some version of Windows. Am I vulnerable? 

Almost certainly not. If that changes with some new worm release, we'll update this page with new information. 

Credits

This security advisory was prepared by Matt Fearnow of the SANS Institute and William Stearns of the Dartmouth Institute for Security Technology Studies. 

The Lionfind utility was written by William Stearns. William is an Open-Source developer, enthusiast, and advocate from Vermont, USA. His day job at the Institute for Security Technology Studies at Dartmouth College pays him to work on network security and Linux projects.

Also contributing efforts go to SANS GIAC contributors, Todd Clark from Copper Media, Greg Shipley of Neohapsis, Marion Bates of ISTS, and Alex Bates of ISTS. 

Mirrors

This advisory page can be found at http://www.sans.org/y2k/adore.htm and http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm

[******  End SANS Bulletin ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of William Stearns, Institute For Security Technology Studies for the 
information contained in this bulletin.
_______________________________________________________________________________






CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
L-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid
L-066: Internet Explorer MIME Mime Header Vulnerability
