Jan-Philip Velders
1999-Mar-29 06:29 UTC
Re: ADM Worm. Worm for Linux x86 found in wild. (fwd)
Hi, some more info on the previous admw0rm alert. Fwd'd from BugTraq Greetings, Jan-Philip Velders ---------- Forwarded message ---------- Date: Fri, 26 Mar 1999 21:17:40 +0100 From: Mixter <mixter@HOME.POPMAIL.COM> To: BUGTRAQ@NETSPACE.ORG Subject: Re: ADM Worm. Worm for Linux x86 found in wild. The "ADM w0rm" is public and can be found at: http://adm.isp.at/ADM/ADMw0rm-v1.tar The public version solely exploits the name server iquery bug, although it is fairly easy to make it exploit ANY remote vulnerability. (Put in BSD/Sun exploits and it wouldn't be too linux specific anymore. :&) Ben Cantrick (Macky Stingray) wrote:> How it picks the IP addresses to scan is not > presently known to me. Presumably, the "gimmieip" binary takes care > of that. Someone with more time can dissect it and post the results.True, it will start with a random IP number, then scan sequentially onwards, e.g. 1.1.1.1 1.1.1.2 etc. and re-start at 255.255.255.255. The infection routine works like this (shell script): ./gimmeip | ./incremental | ./scanner | ./exploit> As far as disinfection, I have not had time to work up a disinfection > procedure. It could be as simple as rebooting to single-user and deletingYes, its simple. Remove the "w0rm" user from /etc/passwd and kill its processes. The security risk is then eliminated (Remember to patch your vulnerable daemon(s), of course). Also, since this worm swallows LOTS of bandwidth by its permanent scanning, watch for "w0rm" scans that might occur on your nets. Then try to telnet to the scanning host as user "w0rm" with no password. If you succeed, simply kill -9 -1 and notify the admin. However, the worm seems to be worked on as a private version as well, and those could do other things and hide themselves elsewhere, so there is no guarantee that cleaning or identification by typical strings/files is reliable. Mixter ---------------------- members.xoom.com/i0wnu ----------------------