Bugtraq mailing list archives
Re: ADM Worm. Worm for Linux x86 found in wild.
From: mixter () HOME POPMAIL COM (Mixter)
Date: Fri, 26 Mar 1999 21:17:40 +0100
The "ADM w0rm" is public and can be found at: http://adm.isp.at/ADM/ADMw0rm-v1.tar

The public version solely exploits the name server iquery bug, although it is fairly easy to make it exploit ANY remote vulnerability. (Put in BSD/Sun exploits and it wouldn't be too Linux specific anymore. :&)

Ben Cantrick (Macky Stingray) wrote:

> How it picks the IP addresses to scan is not presently known to me. Presumably, the "gimmieip" binary takes care of that. Someone with more time can dissect it and post the results.

True, it will start with a random IP number, then scan sequentially onwards, e.g. 1.1.1.1, 1.1.1.2 etc., and re-start at 255.255.255.255. The infection routine works like this (shell script):

    ./gimmeip | ./incremental | ./scanner | ./exploit

> As far as disinfection, I have not had time to work up a disinfection procedure. It could be as simple as rebooting to single-user and deleting

Yes, it's simple. Remove the "w0rm" user from /etc/passwd and kill its processes. The security risk is then eliminated (remember to patch your vulnerable daemon(s), of course). Also, since this worm swallows LOTS of bandwidth by its permanent scanning, watch for "w0rm" scans that might occur on your nets. Then try to telnet to the scanning host as user "w0rm" with no password. If you succeed, simply kill -9 -1 and notify the admin. However, the worm seems to be worked on as a private version as well, and those could do other things and hide themselves elsewhere, so there is no guarantee that cleaning or identification by typical strings/files is reliable.

Mixter
---------------------- members.xoom.com/i0wnu ----------------------
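As an added defender-side example, not from the post or from the ADM code, the following Python script flags a source in constructed firewall-style log lines that is stepping through consecutive destination addresses on port 53 (the sequential sweep the post describes) and checks passwd content for the "w0rm" account the post says to remove; the log line format and the wrap from 255.255.255.255 to 0.0.0.0 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (syslog-style lines); not from the original post.
# 10.0.0.7 walks consecutive addresses on port 53 and wraps past 255.255.255.255;
# 10.0.0.9 is ordinary DNS traffic to a single resolver.
SAMPLE_LOG = """\
Mar 26 21:01:02 gw kernel: SRC=10.0.0.7 DST=255.255.255.253 PROTO=TCP DPT=53
Mar 26 21:01:02 gw kernel: SRC=10.0.0.7 DST=255.255.255.254 PROTO=TCP DPT=53
Mar 26 21:01:03 gw kernel: SRC=10.0.0.7 DST=255.255.255.255 PROTO=TCP DPT=53
Mar 26 21:01:03 gw kernel: SRC=10.0.0.9 DST=192.168.1.53 PROTO=UDP DPT=53
Mar 26 21:01:03 gw kernel: SRC=10.0.0.7 DST=0.0.0.0 PROTO=TCP DPT=53
Mar 26 21:01:04 gw kernel: SRC=10.0.0.7 DST=0.0.0.1 PROTO=TCP DPT=53
Mar 26 21:01:04 gw kernel: SRC=10.0.0.9 DST=192.168.1.53 PROTO=UDP DPT=53
Mar 26 21:01:05 gw kernel: SRC=10.0.0.7 DST=0.0.0.2 PROTO=TCP DPT=53
"""

# Assumed log format: SRC=<ip> DST=<ip> PROTO=<proto> DPT=<port>
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")


def sequential_scanners(log_text, port=53, min_run=4):
    """Return {src: longest_run} for sources whose destinations on `port` advance
    by exactly one address per connection (assumed to wrap 255.255.255.255 -> 0.0.0.0),
    the incremental sweep pattern described for the worm's scanner."""
    dests = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group(3)) == port:
            dests[m.group(1)].append(int(ipaddress.IPv4Address(m.group(2))))
    flagged = {}
    for src, addrs in dests.items():
        run = longest = 1
        for prev, cur in zip(addrs, addrs[1:]):
            run = run + 1 if cur == (prev + 1) % 2**32 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[src] = longest
    return flagged


def worm_accounts(passwd_text, name="w0rm"):
    """Usernames in /etc/passwd content equal to the account the post says the worm adds."""
    return [ln.split(":")[0] for ln in passwd_text.splitlines() if ln.split(":")[0] == name]


if __name__ == "__main__":
    print(sequential_scanners(SAMPLE_LOG))  # {'10.0.0.7': 6}
    print(worm_accounts("root:x:0:0::/root:/bin/sh\nw0rm:x:1001:1001::/tmp:/bin/sh\n"))
```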