LinuxSA Mailing list archives

  From: Pete <gossner@arcom.com.au>
  To  : salug <linuxsa@linuxsa.org.au>
  Date: Thu, 17 May 2001 21:51:28 +0930

Now if only somebody would do this for Windoze.
Except it would involve deleting your hard drive.....rebooting 4 times and hopefully installing Debian.

  Cheese worm: A Linux fixer-upper? 
    By Robert Lemos
    Special to CNET News.com 
    May 16, 2001, 12:30 p.m. PT 

    A white knight or bad code?

    System administrators worldwide reported signs Wednesday that another self-spreading program--or
    worm--had started to infect Linux systems. 

    This worm appears to be different, however: Dubbed the Cheese worm, the program is basically a
    self-spreading patch. It enters servers that have already have been compromised by a previous bit of
    malicious code--the 3-month-old 1i0n worm--and closes the back door behind it, adding security to
    the system. 

    "In some cases, yes, it will
    remove the back door," said
    Kevin Houle, leader of the
    artifact analysis team at the
    Computer Emergency
    Response Team (CERT)
    Coordination Center at
    Carnegie Mellon University.
    "Yet many Linux systems use
    different (Internet) files. The
    worm's commands will fail on
    those types of systems." 

    However, for many computers
    compromised by the 1i0n worm,
    the Cheese worm will fix the
    problem and then use the
    server to scan for other
    vulnerable computers
    connected to the Internet. 

    That doesn't mean that such a "patch worm" is good, Houle said. "The idea of a patch worm is a nice
    thought, but it is not a solution," he said. "Essentially, it's doing the same thing that any intruder does,
    which is to modify a system in an unauthorized way and use it to attack other sites." 

    Although Houle did not know how widely the worm has spread, he believed it's moving quickly. 

    Over the last few months, Linux worms have spread across the Internet, infecting systems with
    unpatched security holes. 

    In January, the Ramen worm compromised servers and defaced Web pages. In March, the 1i0n
    worm squirmed onto the Internet from China, and reported information necessary to locate hacked
    machines to an e-mail address in China. 

    Later two more worms, known as the Adore worm and the Sadmind/IIS worm, caused similar
    problems. 

    Such worms work by exploiting vulnerabilities in applications that run on Linux such as file-transfer
    applications, Internet printing programs, and remote administration tools. 

    Linux systems can have a large number of such applications that wait for data coming from the
    Internet. Such programs--also known as services--listen to data addressed to particular addresses or
    "ports" on the server, many of which have been standardized by the Internet community. Web
    browsers wait for data on port 80 and 8080, for example. 

    A back door installed by the 1i0n worm waits for data on port 10008. The Cheese worm takes
    advantage of the back door and infects the system. After closing the door behind it, it scans for other
    systems with port 10008 "open." 

    The Cheese worm's search for vulnerable machines has attracted the attention of several security
    administrators. In postings to the Incidents mailing list run by SecurityFocus.com, several people
    reported encounters with the worm or the results of its widespread scanning. 

    "My (firewall logs) went insane last night with gazillions of connection attempts to port 10008," said
    one person posting to the list. 

    In a file that the Cheese worm leaves on infected servers and which was subsequently posted to the
    Incidents list, the author wrote: 

    # removes rootshells running from /etc/inetd.conf 
    # after a l10n infection... (to stop pesky haqz0rs 
    # messing up your box even worse than it is already) 
    # This code was not written with malicious intent. 
    # Infact, it was written to try and do some good. 

    But Roger Thompson, technical director of malicious code research for security services firm
    TruSecure, stressed such programs are generally a bad idea. 

    "I would rather not have anything that comes in uninvited and messes with my computers," he said. 

--
MMM-MM!!  So THIS is BIO-NEBULATION! 
Peter Gossner
Woodside, South Australia.
<gossner@arcom.com.au> <petergozz@users.sourceforge.net>



-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject