ALERT [ADORE] worm squirms in Linux systems -=- AKA: [RED WORM]

Bruce F Lucca lucca at Buffalo.com
Wed Apr 4 20:03:40 EDT 2001



<EXCERPT> 
[While patches have existed for all the vulnerabilities for at least a few
months, most system administrators have *NOT* patched their systems, said
Matt Fearnow, incident handler for the SANS Global Incident Analysis Center.]
</EXCERPT>
|=====Wednesday, April 04, 2001 - 15:38:20=====|

ALERT [ADORE] worm squirms in Linux systems -=- AKA: [RED WORM]
<http://news.cnet.com/news/0-1003-200-5506966.html?tag=lh>

By Robert Lemos
Special to CNET News.com
April 4, 2001, 10:55 a.m. PT

The third Linux worm in less than three months hit the Internet this week.

Known as the [ADORE] worm, the program is designed to create so-called back
doors in the security of Linux systems and send information identifying the
compromised systems to four different e-mail addresses hosted on servers in
China and the United States.

"It seems to be a variant of the Ramen worm," said David Dittrich, security
administrator for the University of Washington and an expert on digital
forensics and hacking tools.

The Ramen worm, <http://news.cnet.com/news/0-1003-200-4508359.html> which
used three well-known security flaws to infect systems using the Red Hat
distribution of Linux, hit in mid-January and infected an unknown number of
computers.

The vulnerabilities exploited by Ramen occur in three programs shipped with
most Linux distributions and installed by default.

The 1i0n worm, <http://news.cnet.com/news/0-1003-200-5234726.html>
discovered last month by the Systems Administration Networking and Security
Institute (SANS), used a fourth flaw to spread among servers that had
domain name service, or DNS, software installed.

Finding flaws
The Adore worm -=- also known as the Red worm -=- uses all four flaws to
automatically break into vulnerable systems.

While patches have existed for all the vulnerabilities for at least a few
months, most system administrators have *NOT* patched their systems, said
Matt Fearnow, incident handler for the SANS Global Incident Analysis Center.

"Three out of four of these exploits were patched back in August," he said.
"We can only get after the system administrators to keep their systems
patched."

Once in a system, the Adore worm replaces an application known as PS -=-
used by administrators to list the currently running programs on a system
-=- with a copy that will list all programs except the worm.

Then it will send a copy of several key system files to four e-mail
addresses: two in the United States and two in China. Each e-mail uses the
username adore9000 or adore9001, hence the worm's name.

SANS has released a program called "[adorefind]"
<http://www.sans.org/y2k/adore.htm>
that can detect whether a system has been compromised by the worm.
(Please see appended note, and
attached [[adorefind]-0.2.0.tar.gz] 4k file from:
<http://www.sans.org/y2k/[adorefind]-0.2.0.tar.gz>.)

The worm appears to be spreading somewhat quickly and hammering a variety
of servers with scans aimed at uncovering telltale signs of the vulnerable
programs.

On the Bugtraq list <http://www.securityfocus.com> moderated by
SecurityFocus.com, several administrators raised concerns about aggressive
scanning of their systems.

"Numerous people are reporting heavy scanning ...from a lot of different
hosts," wrote one administrator.

Another person discovered the worm in one of his Red Hat Linux machines.
"One of these (scans) succeeded in breaking into an unpatched Red Hat 6.2
box," he wrote.

Hidden back door
The online vandals who released the worm appear to be using it as a way to
compromise a large number of systems.

In addition to its other activities, the worm replaces a basic Internet
service, known as ICMP (Internet Control Message Protocol), with an almost
identical version. The new version of the program opens up a back door -=-
bypassing security -=- whenever it receives the proper command sequence
from the Internet.

ICMP is typically used to send error information from machine to machine
across the Internet.

After infecting a machine and sending information about the computer
through e-mail, the worm waits until 4:02 a.m. and then deletes all its
files, except the backdoor.
|========================================|


----------
Adore Worm
Version 0.3 - April 4, 2001
William Stearns has written a script [adorefind] to detect the Adore worm
(see "Removal", below, for instructions). 
<http://www.sans.org/y2k/[adorefind]-0.2.0.tar.gz>


Questions concerning this page or the [adorefind] tool should be directed to
<intrusion at sans.org>.

This note is a preliminary characterization of the Adore worm. The worm
code can be modified by anyone at any time. 

We'll try to keep this page 
<http://www.sans.org/y2k/adore.htm> 
updated as we learn more.

Description

Adore is a worm that we originally called the [Red Worm]. It is similar to
the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to
determine whether they are vulnerable to any of the following well-known
exploits: 

[LPRng] 
[rpc-statd]
[wu-ftpd]
[BIND]. 

[LPRng] is installed by default on Red Hat 7.0 systems. From the reports so
far, Adore appears to have started its spread on April 1.

The Adore worm replaces only one system binary, [ps], with a "Trojaned"
version and moves the original to [/usr/bin/adore]. 

It installs the files in [/usr/lib/lib]. It then sends an e-mail to the
following addresses:

<adore9000 at 21cn.com>, 
<adore9000 at sina.com> 
<adore9001 at 21cn.com>
<adore9001 at sina.com>

Attempts have been made to get these addresses taken off-line, but no
response so far from the provider. It attempts to send the following
information:

/etc/ftpusers
ifconfig
ps -aux (using the original binary in /usr/bin/adore)
/root/.bash_history
/etc/hosts
/etc/shadow

Adore then runs a package called [icmp]. With the options provided with the
tarball, it by default sets the port to listen on and the packet length
to watch for. 

When it sees this information it then sets up a root shell to allow
connections. It also sets up a cronjob in cron daily (which runs at 04:02
am local time) to run and remove all traces of its existence and then
reboots your system. However, it does not remove the backdoor.

Detection

We have developed a utility called [adorefind] that will detect the adore
files on an infected system. Simply download it, uncompress it, and run
[adorefind]. It will list which of the suspect files is on the system.

Download [adorefind] 
<http://www.sans.org/y2k/adorefind-0.2.0.tar.gz>
or
<http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind-0.2.0.tar.gz>
 
Once you've downloaded it, go to the directory that contains the tar file
and run the following commands:

tar -xzvf [adorefind]-0.2.0.tar.gz
cd [adorefind]-0.2.0
./[adorefind]

For reference, the md5 checksums for the tar itself, the executable
"[adorefind]" script and the detectlib library should match the following:

f760ccae518c96b30488a7566d389f82  [adorefind]
b8b76bc3ff4719818b7aaefcf00a5dcf  detectlib
2734de0b439d2701afbdcfc85ba4dedf  [adorefind]-0.2.0.tar.gz

Snort already detects most of these signatures:

Removal

As [adorefind] runs, it will give you the option to stop the running worm
jobs and remove the files from the file system.

Protection

You can take the document that Chris Brenton created for the Lion worm, and
modify it to look for the [Adore] worm. You can read it here: 
<http://www.sans.org/y2k/lion_protection.htm>

You should also block for outbound e-mails to the 4 e-mail addresses:

<adore9000 at 21cn.com>, 
<adore9000 at sina.com> 
<adore9001 at 21cn.com>
<adore9001 at sina.com>


References

Further information can be found at:

[SANS] -=- System Administration, Networking and Security Institute
<http://www.sans.org/current.htm>
<http://www.sans.org/aboutsans.htm>

CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
<http://www.cert.org/advisories/CA-2001-02.html>

ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
handling code:
<http://www.kb.cert.org/vuls/id/196945> 

Information about the Ramen worm:
<http://www.sans.org/y2k/ramen.htm> 

DDoS handling steps
<http://www.sans.org/y2k/DDoS.htm>

Web site for the creators of BIND
<http://www.isc.org/products/BIND/bind-security.html>

The following vendor update pages may help you in fixing the original BIND
vulnerability:

 -=- Vendor -=- Description -=- URL -=-

Redhat Linux
RHSA-2001:007-03 -
BIND remote exploit
<http://www.redhat.com/support/errata/RHSA-2001-007.htm>

RHSA-2000-065-06 -
LPRng exploit
<http://www.redhat.com/support/errata/RHSA-2000-065-06.html>

RHSA-2000-039-02 -
wuftpd remote exploit
<http://www.redhat.com/support/errata/RHSA-2000-039-02.html>

RHSA-2000-039-02 -
Rpc statd exploit
<http://www.redhat.com/support/errata/RHSA-2000-043-03.html>

Debian
GNU/Linux
DSA-026-1 BIND
<http://www.debian.org/security/2001/dsa-026>

SuSE Linux
SuSE-SA:2001:03 -
BIND 8 remote root
compromise.
<http://www.suse.com/de/support/security/2001_003_bind8_txt.txt>

Caldera Linux
CSSA-2001-008.0 BIND buffer overflow
<http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt> 
<http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt>


Slackware
(linuxsecurity.com advisory) 1/30/2001: Slackware: 'bind' vulnerabilities
<http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html>


Mandrake
MDKSA-2001:017 BIND vulnerabilities
<http://www.linuxmandrake.com/en/security/2001/MDKSA-2001-017.php3?dis=7.2>


TurboLinux
TLSA2001004-1 BIND vulnerabilities
<http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html>


Immunix 6.2 and 7.0-beta IMNX-2001-70-001-01 BIND vulnerabilities
<http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01>


Conectiva
CLSA-2001:377 BIND vulnerabilities
<http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377>


Storm Linux: (see Debian)
<http://www.debian.org/security/2001/dsa-026>
    |========================================|

Frequently Asked Questions - FAQs

I'm running Unix-like Operating System X on Processor Y. Am I vulnerable to
[Adore]?

The only class of systems currently attacked by the sole known lion variant
are Linux systems running on the x86 processor architecture. That said, the
design allows for future variants to be released that attack some other
Unix lookalike or some other processor type. At the very least, you should
run [adorefind] to do a quick check. Also, no matter what your flavor of
Unix or CPU type, you should be applying your vendor's patches!


I'm running some version of Windows. Am I vulnerable?

Almost certainly not. If that changes with some new worm release, we'll
update this page with new information.


Credits

This security advisory was prepared by Matt Fearnow of the SANS Institute
and William Stearns of the Dartmouth Institute for Security Technology
Studies.

The Lionfind utility was written by William Stearns <wstearns at pobox.com>.

William is an Open-Source developer, enthusiast and advocate from Vermont,
USA. 

His day job at the 
Institute for Security Technology Studies at Dartmouth College 
<http://www.ists.dartmouth.edu/>
pays him to work on network security and Linux projects.

Also contributing efforts go to SANS GIAC contributors, Todd Clark from
Copper Media, Greg Shipley of Neohapsis, Marion Bates of ISTS, and Alex
Bates of ISTS.


Mirrors

This advisory page can be found at 
[SANS] Global Incident Analysis Center
<http://www.sans.org/y2k/adore.htm> 
and
<http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/[adorefind].htm>.


===================================


Log of Updates to THIS article:
<http://www.sans.org/y2k/adore.htm>

v. 0.3 - 4/04/01
Addition of URLS and [adorefind]

v. 0.2 - 4/03/01
Minor corrections

v. 0.1 - 4/03/01
Document created
|=======[lucca]=====<-30->======[lucca]=====|


