[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)
Randy Arabie
rrarabie at arabie.org
Mon Jan 28 21:29:42 MST 2002
On Mon, 28 Jan 2002, Sean LeBlanc wrote:
> tar xzvf adore.tgz
> cd adore
> ./configure
> make
> ./configure
> pico adore.h
> ls -a
> ./startadore
The adore worm....perhaps? The info below is from:
http://www.sans.org/y2k/adore.htm
<SNIP>
Global Incident Analysis Center
Adore Worm
Version 0.8 - April 12, 2001
William Stearns of Dartmouth's ISTS has written a script Adorefind to
detect the Adore worm. Questions concerning this page or the Adorefind
tool should be directed to handler at incidents.org.
This note is a preliminary characterization of the Adore worm. The
worm code can be modified by anyone at any time. We'll try to keep
this page updated as we learn more.
Description
Adore is a worm that we originally called the Red Worm. It is similar
to the Ramen and Lion worms. Adore scans the Internet checking Linux
hosts to determine whether they are vulnerable to any of the following
well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is
installed by default on Red Hat 7.0 systems. From the reports so far,
Adore appears to have started its spread on April 1.
The Adore worm replaces only one system binary (ps) with a trojaned
version and moves the original to /usr/bin/adore. It installs the
files in /usr/lib/lib. It then sends an email to the following
addresses: adore9000 at 21cn.com, adore9000 at sina.com, adore9001 at 21cn.com,
adore9001 at sina.com
Attempts have been made to get these addresses taken offline, but no
response so far from the provider. It attempts to send the following
information:
* /etc/ftpusers
* ifconfig
* ps -aux (using the original binary in /usr/bin/adore)
* /root/.bash_history
* /etc/hosts
* /etc/shadow
Adore then runs a package called icmp. With the options provided with
the tarball, it by default sets the port to listen to, and the packet
length to watch for. When it sees this information it then sets a
rootshell to allow connections. It also sets up a cronjob in cron
daily (which runs at 04:02 am local time) to run and remove all traces
of its existence and then reboots your system. However, it does not
remove the backdoor.
Variant
There appears to be a new variant of the adore worm circulating about
the internet. Adorefind 0.2.4 now finds this variant. Only changes
from the original adore worm have been noted below:
* Adore.V.02
* Butcher.gz
* Adds 2 users to passwd file
* echo "dead:x:1:1:anarchee:/:/bin/sh" >> /etc/passwd;
* echo "h:x:0:0:admin:/:/bin/sh" >> /etc/passwd;
* It installs itself in /dev/.shit
* http://www.geocities.com/butcherdvs/butcher.tgz >/dev/.shit/red.tgz;
* Sends email to the following 2 addresses: dvsowned at gmx.net,
dvsowned at hotmail.com
* Unless you have GLIBC_2.1.3 installed, part of this worm does not
work
* Uses a program called Sock to try to setup another backdoor, and
calls /bin/login to allow for a root shell
Detection
Dartmouth's ISTS has developed a utility called adorefind that will
detect the adore files on an infected system. Simply download it,
uncompress it, and run adorefind. It will list which of the suspect
files is on the system.
Download Adorefind Here from Dartmouth's ISTS site.
Snort already detects most of these signatures:
Removal
As adorefind runs, it will give you the option to stop the running
worm jobs and remove the files from the filesystem.
Protection
You can take the document that Chris Brenton created for the Lion
worm, and modify it to look for the Adore worm. You can read it here.
You should also block outbound emails to the 4 email addresses and
block the website address go.163.com
Analysis
For an analysis of the adore package download this file:
http://www.sans.org/y2k/practical/Michael_Reiter_GCIH.zip. Please note
that this is an analysis done on the Adore rootkit which is a Loadable
Kernel Module (LKM) and is not specifically analysis done on the
red.tar adore worm.
References
Further information can be found at:
* http://www.sans.org/current.htm
* http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
CA-2001-02, Multiple Vulnerabilities in BIND
* http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
overflow in transaction signature (TSIG) handling code
* http://www.sans.org/y2k/ramen.htm Information about the Ramen
worm.
* http://www.sans.org/y2k/DDoS.htm DDoS handling steps
* http://www.isc.org/products/BIND/bind-security.html Web site for
the creators of BIND
The following vendor update pages may help you in fixing the original
BIND vulnerability:
Vendor / Description / URL:
* Redhat Linux
  RHSA-2001:007-03 - BIND remote exploit
  http://www.redhat.com/support/errata/RHSA-2001-007.html
  RHSA-2000-065-06 - LPRng exploit
  http://www.redhat.com/support/errata/RHSA-2000-065-06.html
  RHSA-2000-039-02 - wuftpd remote exploit
  http://www.redhat.com/support/errata/RHSA-2000-039-02.html
  RHSA-2000-039-02 - Rpc statd exploit
  http://www.redhat.com/support/errata/RHSA-2000-043-03.html
* Debian GNU/Linux
  DSA-026-1 BIND
  http://www.debian.org/security/2001/dsa-026
* SuSE Linux
  SuSE-SA:2001:03 - BIND 8 remote root compromise
  http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
* Caldera Linux
  CSSA-2001-008.0 BIND buffer overflow
  http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
  http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
* Slackware
  (linuxsecurity.com advisory) 1/30/2001: Slackware: 'bind' vulnerabilities
  http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html
* Mandrake
  MDKSA-2001:017 BIND vulnerabilities
  http://www.linuxmandrake.com/en/security/2001/MDKSA-2001-017.php3?dis=7.2
* TurboLinux
  TLSA2001004-1 BIND vulnerabilities
  http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html
* Immunix 6.2 and 7.0-beta
  IMNX-2001-70-001-01 BIND vulnerabilities
  http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01
* Conectiva
  CLSA-2001:377 BIND vulnerabilities
  http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377
* Storm Linux
  (see Debian)
Frequently Asked Questions - FAQs
I'm running Unix-like Operating System X on Processor Y. Am I
vulnerable to Adore?
The only class of systems currently attacked by the sole known
adore variant are Linux systems running on the x86 processor
architecture. That said, the design allows for future variants to
be released that attack some other Unix lookalike or some other
processor type. At the very least, you should run adorefind to do a
quick check. Also, no matter what your flavor of Unix or CPU type,
you should be applying your vendor's patches!
I'm running some version of Windows. Am I vulnerable?
Almost certainly not. If that changes with some new worm release,
we'll update this page with new information.
Credits
This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.
The Adorefind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.
Also contributing efforts go to SANS GIAC contributors, Todd Clark
from Copper Media, Greg Shipley of Neohapsis, Marion Bates of ISTS,
and Alex Bates of ISTS.
Mirrors
This advisory page can be found at http://www.sans.org/y2k/adore.htm
and http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm
© 2001 SANS Institute : Office 301.951.0102 : Registration
1.866.570.9927 : Web Contact scott at sans.org
</SNIP>
--
Cheers!
Randy
================================================================
Randy Arabie
GnuPG Key Info --
Fingerprint: 7E25 DFA2 EF72 9551 9C6C 8AA6 6E8C A0F5 7E33 D981
Key ID: 7C603AEF
http://www.arabie.org/keys/rrarabie.gnupg
================================================================
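Added example, not part of Randy's post, the SANS note, or the Adorefind tool: a POSIX sh check for the host indicators the advisory lists (the original ps moved to /usr/bin/adore, the /usr/lib/lib install directory, the variant's /dev/.shit directory, and the two passwd lines the variant appends). It also generalizes the passwd check to flag any UID-0 account other than root, since the "h" user is a root-equivalent login. The root prefix argument is an assumption added so the check can be run against a mounted or copied filesystem as well as the live one.

```shell
#!/bin/sh
# Check a host for the Adore worm indicators named in the SANS advisory.
# Constructed example; both functions print each hit and return 1 when
# something was found, 0 when clean.

# Filesystem indicators. $1 is a root prefix: "/" for the live system,
# or a scratch/mounted tree for offline inspection (assumed convention).
adore_check_files() {
    root=${1%/}
    found=0
    for p in /usr/bin/adore /usr/lib/lib /dev/.shit; do
        if [ -e "$root$p" ]; then
            echo "indicator present: $root$p"
            found=1
        fi
    done
    return $found
}

# Account indicators. $1 is the passwd file to inspect. Matches the two
# lines the variant appends verbatim, then flags any non-root UID-0 account.
adore_check_passwd() {
    pw=$1
    found=0
    if grep -q '^dead:x:1:1:anarchee:/:/bin/sh$' "$pw"; then
        echo "worm account 'dead' in $pw"; found=1
    fi
    if grep -q '^h:x:0:0:admin:/:/bin/sh$' "$pw"; then
        echo "worm account 'h' in $pw"; found=1
    fi
    # Generic check: every UID-0 account that is not root.
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$pw")
    if [ -n "$extra" ]; then
        echo "extra UID-0 accounts in $pw: $extra"; found=1
    fi
    return $found
}

# Stand-alone use: scan the live system. Set ADORE_SKIP_SCAN=1 to only
# load the functions (e.g. when sourcing this file).
if [ "${ADORE_SKIP_SCAN:-0}" != 1 ]; then
    adore_check_files / && adore_check_passwd /etc/passwd \
        && echo "no Adore indicators found"
fi
```

A hit from either function is a reason to run adorefind and to inspect /etc/cron.daily for the cleanup job the advisory describes, not proof on its own.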