__________________________________________________________

                   The U.S. Department of Energy
               Computer Incident Advisory Center
                          ___  __ __    _     ___
                         /       |     /_\   /
                         \___  __|__  /   \  \___
__________________________________________________________

                          INFORMATION BULLETIN

                            Linux worm Adore

April 4, 2001 22:00 GMT                                           Number L-067
______________________________________________________________________________

PROBLEM:       A new worm variant, Adore, of the Linux worms Ramen & Lion has
               been discovered by SANS. This is the continued evolution of the
               Ramen & Lion worm capabilities.

PLATFORM:      Linux x86 systems which are not patched with the latest
               releases of/patches for LPRng, rpc-statd, wu-ftpd, and BIND.

DAMAGE:        The new worm scans systems for exploitable holes in LPRng,
               rpc-statd, wu-ftpd and BIND. This exploit gains root access and
               installs a backdoor on a system. The worm also mails system
               information to specific e-mail addresses and compromises some
               system files.

SOLUTION:      All systems should be patched to the latest releases/patches.
               If a system has been infected, use the SANS utility named
               'adorefind' to search an infected system for Adore installed
               files. Keep in mind that as the worm mutates in the future, the
               utility may not find all changed files/directories.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. These vulnerabilities targeted by Adore are
ASSESSMENT:    being actively exploited. However, CIAC has received one report
               of the worm itself.
______________________________________________________________________________

[****** Begin SANS Bulletin ******]

William Stearns has written a script Adorefind to detect the Adore worm (see
Removal, below, for instructions). Questions concerning this page or the
Adorefind tool should be directed to intrusion@sans.org.

This note is a preliminary characterization of the Adore worm. The worm code
can be modified by anyone at any time. We'll try to keep this page updated as
we learn more.
Description

Adore is a worm that we originally called the Red Worm. It is similar to the
Ramen and Lion worms. Adore scans the Internet checking Linux hosts to
determine whether they are vulnerable to any of the following well-known
exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on
Red Hat 7.0 systems. From the reports so far, Adore appears to have started
its spread on April 1.

The Adore worm replaces only one system binary (ps) with a trojaned version
and moves the original to /usr/bin/adore. It installs its files in
/usr/lib/lib. It then sends an email to the following addresses:

    adore9000@21cn.com
    adore9000@sina.com
    adore9001@21cn.com
    adore9001@sina.com

Attempts have been made to get these addresses taken offline, but there has
been no response so far from the provider. It attempts to send the following
information:

    /etc/ftpusers
    ifconfig
    ps -aux (using the original binary in /usr/bin/adore)
    /root/.bash_history
    /etc/hosts
    /etc/shadow

Adore then runs a package called icmp. With the options provided with the
tarball, it by default sets the port to listen on and the packet length to
watch for. When it sees this information it then sets up a root shell to allow
connections.

It also sets up a cronjob in cron.daily (which runs at 04:02 am local time) to
run and remove all traces of its existence and then reboot your system.
However, it does not remove the backdoor.

Detection

We have developed a utility called adorefind that will detect the adore files
on an infected system. Simply download it, uncompress it, and run adorefind.
It will list which of the suspect files is on the system.

Download Adorefind Here or Here.
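A host-side check for the filesystem artifacts named in the description above, as an added example; this is not part of the SANS bulletin or of the adorefind tool. The paths (/usr/bin/adore, /usr/lib/lib, a cron.daily job that removes traces and reboots the host, the four reporting addresses) come from the description. The bulletin gives no name for the cron job, so the script flags daily jobs by content, which is a heuristic assumption; the ROOT prefix argument is also an assumption, added so the same function can be run against a mounted disk image or a staged test tree.

```shell
#!/bin/sh
# Added example: look for the Adore artifacts described in the bulletin.
# Not part of adorefind. The content match on cron.daily jobs is a
# heuristic assumption (the bulletin names no job); treat hits as leads to
# confirm, and run adorefind on a live system.
#
# Usage:  sh adore_check.sh /          (as root, on the suspect host)
#         sh adore_check.sh /mnt/img   (against a mounted disk image)

# Print one "INDICATOR: ..." line per artifact found under the prefix $1.
# Always returns 0 so it composes cleanly under "set -e".
adore_check_root() {
    root="${1%/}"

    # The worm moves the genuine ps binary to /usr/bin/adore.
    if [ -e "$root/usr/bin/adore" ]; then
        echo "INDICATOR: $root/usr/bin/adore exists (original ps relocated by the worm)"
    fi

    # The worm's own files are installed under /usr/lib/lib.
    if [ -d "$root/usr/lib/lib" ]; then
        echo "INDICATOR: $root/usr/lib/lib exists (worm install directory)"
    fi

    # A cron.daily job that wipes traces and reboots the host. No ordinary
    # daily job should reboot a server, so flag any job mentioning reboot
    # or adore (heuristic, see above).
    for job in "$root"/etc/cron.daily/*; do
        [ -f "$job" ] || continue
        if grep -q -i -E 'reboot|adore' "$job" 2>/dev/null; then
            echo "INDICATOR: $job mentions reboot/adore (possible cleanup job)"
        fi
    done

    # The worm reports to four fixed addresses; a copy of them inside the
    # install directory is a strong sign the payload is present.
    if [ -d "$root/usr/lib/lib" ] && \
       grep -r -q -E 'adore900[01]@(21cn|sina)\.com' "$root/usr/lib/lib" 2>/dev/null; then
        echo "INDICATOR: worm e-mail addresses found under $root/usr/lib/lib"
    fi
    return 0
}

# Number of indicators found under $1 (prints 0 on a clean tree).
adore_indicator_count() {
    adore_check_root "$1" | grep -c '^INDICATOR:' || true
}

if [ $# -gt 0 ]; then
    adore_check_root "$1"
    echo "indicators: $(adore_indicator_count "$1")"
fi
```

Because every check is relative to the prefix, the script can be pointed at a read-only mount of the affected disk, which avoids relying on the trojaned ps and on a system that the cron job may reboot at 04:02.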
Once you've downloaded it, go to the directory that contains the tar file and
run the following commands:

    tar -xzvf adorefind-0.2.0.tar.gz
    cd adorefind-0.2.0
    ./adorefind

For reference, the md5 checksums for the tar itself, the executable
"adorefind" script and the detectlib library should match the following:

    f760ccae518c96b30488a7566d389f82  adorefind
    b8b76bc3ff4719818b7aaefcf00a5dcf  detectlib
    2734de0b439d2701afbdcfc85ba4dedf  adorefind-0.2.0.tar.gz

Snort already detects most of these signatures:

Removal

As adorefind runs, it will give you the option to stop the running worm jobs
and remove the files from the filesystem.

Protection

You can take the document that Chris Brenton created for the Lion worm, and
modify it to look for the Adore worm. You can read it here. You should also
block outbound emails to the 4 email addresses.

References

Further information can be found at:

http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html
    CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945
    ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
    handling code
http://www.sans.org/y2k/ramen.htm
    Information about the Ramen worm.
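Two defender-side checks that follow from the Detection and Protection paragraphs above, as an added example that is not part of the SANS bulletin or of adorefind: verifying the downloaded adorefind files against the published md5 checksums before running them, and scanning a mail log for delivery attempts to the four addresses the worm reports to. The checksums and addresses are the ones given in the bulletin; the sample log lines are constructed in sendmail's syslog style, and the /var/log/maillog path is an assumption.

```shell
#!/bin/sh
# Added example, not part of the SANS bulletin or adorefind.
#   verify_adorefind DIR : check the three files against the bulletin's md5s
#   scan_mail_log FILE   : print log lines addressed to the worm's mailboxes
# Usage:  sh adore_checks.sh verify ./adorefind-0.2.0
#         sh adore_checks.sh scan /var/log/maillog    (path is an assumption)

# md5_of FILE: hex digest via md5sum (coreutils) or md5 (BSD), whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: 0 only if the file exists and its digest matches.
verify_md5() {
    [ -f "$1" ] || return 1
    [ "$(md5_of "$1")" = "$2" ]
}

# verify_adorefind DIR: report OK / MISMATCH / MISSING for each file named in
# the bulletin (name:md5 pairs below are the published values) and fail if
# anything present has been altered. A MISSING tarball is normal when DIR is
# the extracted directory.
verify_adorefind() {
    dir="$1"; bad=0
    for entry in adorefind:f760ccae518c96b30488a7566d389f82 \
                 detectlib:b8b76bc3ff4719818b7aaefcf00a5dcf \
                 adorefind-0.2.0.tar.gz:2734de0b439d2701afbdcfc85ba4dedf; do
        name="${entry%%:*}"; want="${entry#*:}"
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
        elif verify_md5 "$dir/$name" "$want"; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (do not run it)"
            bad=1
        fi
    done
    return $bad
}

# Regex for the four reporting addresses named in the bulletin.
ADORE_ADDR_RE='adore900[01]@(21cn|sina)\.com'

# scan_mail_log FILE: print log lines mentioning one of those addresses,
# case-insensitively. Reads stdin when FILE is "-". Exits 0 even on no hits.
scan_mail_log() {
    if [ "$1" = "-" ]; then
        grep -i -E "$ADORE_ADDR_RE" || true
    else
        grep -i -E "$ADORE_ADDR_RE" "$1" || true
    fi
}

# Constructed sample in sendmail syslog style (not real traffic): one envelope
# with two worm recipients, plus an unrelated local delivery.
SAMPLE_MAILLOG='Apr  4 04:10:12 host1 sendmail[1234]: f34A9Cx01234: from=root, size=4312, class=0, nrcpts=2, msgid=<sample@host1>, relay=root@localhost
Apr  4 04:10:13 host1 sendmail[1236]: f34A9Cx01234: to=<adore9000@21cn.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.test. [192.0.2.10], stat=Sent
Apr  4 04:10:13 host1 sendmail[1236]: f34A9Cx01234: to=<adore9000@sina.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.test. [192.0.2.10], stat=Deferred
Apr  4 04:15:00 host1 sendmail[1300]: f34AF0x01300: to=<admin@example.test>, delay=00:00:00, mailer=local, stat=Sent'

# demo_scan_count: number of suspicious lines in the constructed sample.
demo_scan_count() {
    printf '%s\n' "$SAMPLE_MAILLOG" | scan_mail_log - | grep -c . || true
}

case "${1:-}" in
    verify) verify_adorefind "${2:-.}" ;;
    scan)   scan_mail_log "${2:-/var/log/maillog}" ;;
esac
```

A "stat=Sent" hit means the report left the host and /etc/shadow should be treated as disclosed (rotate passwords), while "stat=Deferred" lines are queued messages that can still be removed from the mail queue. To block the traffic at the MTA as the bulletin recommends, one option with sendmail is FEATURE(`blacklist_recipients') together with an access-map entry of the form "To:adore9000@21cn.com REJECT" for each of the four addresses.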
http://www.sans.org/y2k/DDoS.htm
    DDoS handling steps
http://www.isc.org/products/BIND/bind-security.html
    Web site for the creators of BIND

The following vendor update pages may help you in fixing the original BIND
vulnerability:

Vendor / Description / URL

Redhat Linux
    RHSA-2001:007-03 - BIND remote exploit
        http://www.redhat.com/support/errata/RHSA-2001-007.html
    RHSA-2000-065-06 - LPRng exploit
        http://www.redhat.com/support/errata/RHSA-2000-065-06.html
    RHSA-2000-039-02 - wuftpd remote exploit
        http://www.redhat.com/support/errata/RHSA-2000-039-02.html
    RHSA-2000-039-02 - Rpc statd exploit
        http://www.redhat.com/support/errata/RHSA-2000-043-03.html

Debian GNU/Linux
    DSA-026-1 BIND
        http://www.debian.org/security/2001/dsa-026

SuSE Linux
    SuSE-SA:2001:03 - BIND 8 remote root compromise.
        http://www.suse.com/de/support/security/2001_003_bind8_txt.txt

Caldera Linux
    CSSA-2001-008.0 BIND buffer overflow
        http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
        http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

Slackware (linuxsecurity.com advisory)
    1/30/2001 : Slackware: 'bind' vulnerabilities
        http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html

Mandrake
    MDKSA-2001:017 BIND vulnerabilities
        http://www.linuxmandrake.com/en/security/2001/MDKSA-2001-017.php3?dis=7.2

TurboLinux
    TLSA2001004-1 BIND vulnerabilities
        http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html

Immunix 6.2 and 7.0-beta
    IMNX-2001-70-001-01 BIND vulnerabilities
        http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01

Conectiva
    CLSA-2001:377 BIND vulnerabilities
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377

Storm Linux
    (see Debian)

Frequently Asked Questions - FAQ's

I'm running Unix-like Operating System X on Processor Y. Am I vulnerable to
Adore?

The only class of systems currently attacked by the sole known lion variant
are Linux systems running on the x86 processor architecture.
That said, the design allows for future variants to be released that attack
some other Unix lookalike or some other processor type. At the very least, you
should run adorefind to do a quick check. Also, no matter what your flavor of
Unix or CPU type, you should be applying your vendor's patches!

I'm running some version of Windows. Am I vulnerable?

Almost certainly not. If that changes with some new worm release, we'll update
this page with new information.

Credits

This security advisory was prepared by Matt Fearnow of the SANS Institute and
William Stearns of the Dartmouth Institute for Security Technology Studies.
The Lionfind utility was written by William Stearns. William is an Open-Source
developer, enthusiast, and advocate from Vermont, USA. His day job at the
Institute for Security Technology Studies at Dartmouth College pays him to
work on network security and Linux projects. Also contributing efforts go to
SANS GIAC contributors, Todd Clark from Copper Media, Greg Shipley of
Neohapsis, Marion Bates of ISTS, and Alex Bates of ISTS.

Mirrors

This advisory page can be found at http://www.sans.org/y2k/adore.htm and
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm

[****** End SANS Bulletin ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of William Stearns, Institute For
Security Technology Studies for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call
L-064: The Lion Internet Worm DDOS Risk
L-065: Solaris Exploitation of snmpXdmid
L-066: Internet Explorer MIME Mime Header Vulnerability