Complete.Org: Mailing Lists: Archives: discussion: May 2001:
[aclug-L] FW: Does the end justify the means?

[aclug-L] FW: Does the end justify the means?

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: "Aclug Discussion" <discussion@xxxxxxxxx>
Subject: [aclug-L] FW: Does the end justify the means?
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Tue, 22 May 2001 08:43:49 -0500
Reply-to: discussion@xxxxxxxxx

With all that has been happening lately, I thought everyone might be interested
in reading about the lastest Linux Worm - The Cheese Worm.


-----Original Message-----
From: Linux_Security@xxxxxxxxxxxxxxx

LINUX SECURITY --- May 22, 2001
Published by -- changing the way you view IT
The Cheese Worm
By Rick Johnson

Yes, yet another Linux worm is spreading like wildfire. I decided to
only discuss unique and newsworthy worms and, as luck would have it,
the "Cheese Worm" is like no other I have seen. This one is a self-
propagating patch.

While the Cheese Worm will not work on all Linux systems due to the
differences between distributions, for many it fixes a vulnerable back
door and then scans the Internet for other vulnerable computers. The
Cheese worm infiltrates the system through the back door installed by
the 1i0n worm, which waits for connections on port 10008. Then, it
removes all inetd services referencing /bin/sh to close the hole. If
successful, it then scans for other systems with an open port 10008 and
starts the cycle over again, regardless of whether the new system is
actually infected.

The worm installs itself in /tmp/.cheese and establishes it as the
working directory to execute commands. When the "go" shell script
executes, the perl script entitled "cheese" goes into action.
The "cheese" script does the following:

    * Changes its process name to httpd;
    * Deletes the "go" script;
    * Checks for a file named ADL in the working directory. If it is
      found, then cheese exits. If it is not found, then the ADL file
      is created, the string ADL is written into the file, and the
      timestamp is set to match the timestamp of the system's /bin/ls
    * Reads /etc/inetd.conf and rewrites it, excluding any line that
      contains the string /bin/sh;
    * Attempts to restart inetd twice, once using /usr/bin/killall and
      once using /bin/killall;
    * Until the cheese process is somehow killed, it repeats a cycle of
      scanning semi-random /16 (e.g., class B) network blocks for hosts
      listening on TCP port 10008 using the psm program.

On hosts responding to a TCP port 10008 probe, the worm:

    * Establishes a TCP connection to port 10008 of the victim host;
    * Starts a listener process on a random TCP socket number from
      10000 through 15000;
    * The listener process will send a copy of /tmp/.cheese/cheese.uue
      to anything that provides two linefeeds after connecting to it's
      TCP socket.

Someone's attempt to do some good in the current wake of Trojans and
worms spreading across the Internet unfortunately misses the point.
Accessing someone else's system, regardless of your intentions, remains
part of the problem. A better alternative would be to setup a server
farm that scans for the worm and then emails the domain's admin contact
informing them of the infection. Since port scanning is not illegal,
this would cause far less of an uproar. Of course, administrators would
freak when they see attempts to connect to their server on port 10008.
I guess there is no easy answer except maybe, I don't know, patching
your boxes?

About the author(s)
Rick Johnson is currently involved in a number of projects, none of
which he can discuss at this time. Aren't non-disclosure agreements
wonderful? When not involved with those, he heads the development team
for PMFirewall, an Ipchains Firewall and Masquerading Configuration
Utility for Linux. Rick can be contacted via email at rick@xxxxxxxxxxxx
or on the web at


What Makes Johnny (and Janey) Write Viruses?
Forget the stereotypes -- virus writers range in age and outlook, but
many share an undeveloped sense of ethics, researcher finds.

A solution to e-mail virus propagation?

New worm spreads disguised as virus warning
VBS.Hard.A@mm shows up in users' in-boxes disguised as a virus alert
from antivirus firm Symantec Corp.

Lion Internet Worm Analysis


- Go to:
- Enter your email address under "Current subscriber" to log in
- Uncheck the box next to the newsletter you want to unsubscribe from
- Or check the box next to the newsletter you want to subscribe to
- Submit

If you have questions, please send email to customer service at:


* For editorial comments, write Andrew Santosusso, Associate Editor,
  Newsletters at: andrew_santosusso@xxxxxxxxxxx
* For advertising information, write Dan Chupka, Account Executive at:
* For recruitment advertising information, write Jamie Swartz, Eastern
  Regional Sales Manager at: jamie_swartz@xxxxxxxxxxx or Paul Duthie,
  Western Regional Sales Manager at: paul_duthie@xxxxxxxxxxx
* For all other inquiries, write Jodie Naze, Product Manager,
  Newsletters at: jodie_naze@xxxxxxxxxxx


Copyright 2001, Inc., All Rights Reserved.

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,

[Prev in Thread] Current Thread [Next in Thread]