[aclug-L] FW: Does the end justify the means?
[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
With all that has been happening lately, I thought everyone might be interested
in reading about the lastest Linux Worm - The Cheese Worm.
LINUX SECURITY --- May 22, 2001
Published by ITworld.com -- changing the way you view IT
The Cheese Worm
By Rick Johnson
Yes, yet another Linux worm is spreading like wildfire. I decided to
only discuss unique and newsworthy worms and, as luck would have it,
the "Cheese Worm" is like no other I have seen. This one is a self-
While the Cheese Worm will not work on all Linux systems due to the
differences between distributions, for many it fixes a vulnerable back
door and then scans the Internet for other vulnerable computers. The
Cheese worm infiltrates the system through the back door installed by
the 1i0n worm, which waits for connections on port 10008. Then, it
removes all inetd services referencing /bin/sh to close the hole. If
successful, it then scans for other systems with an open port 10008 and
starts the cycle over again, regardless of whether the new system is
The worm installs itself in /tmp/.cheese and establishes it as the
working directory to execute commands. When the "go" shell script
executes, the perl script entitled "cheese" goes into action.
The "cheese" script does the following:
* Changes its process name to httpd;
* Deletes the "go" script;
* Checks for a file named ADL in the working directory. If it is
found, then cheese exits. If it is not found, then the ADL file
is created, the string ADL is written into the file, and the
timestamp is set to match the timestamp of the system's /bin/ls
* Reads /etc/inetd.conf and rewrites it, excluding any line that
contains the string /bin/sh;
* Attempts to restart inetd twice, once using /usr/bin/killall and
once using /bin/killall;
* Until the cheese process is somehow killed, it repeats a cycle of
scanning semi-random /16 (e.g., class B) network blocks for hosts
listening on TCP port 10008 using the psm program.
On hosts responding to a TCP port 10008 probe, the worm:
* Establishes a TCP connection to port 10008 of the victim host;
* Starts a listener process on a random TCP socket number from
10000 through 15000;
* The listener process will send a copy of /tmp/.cheese/cheese.uue
to anything that provides two linefeeds after connecting to it's
Someone's attempt to do some good in the current wake of Trojans and
worms spreading across the Internet unfortunately misses the point.
Accessing someone else's system, regardless of your intentions, remains
part of the problem. A better alternative would be to setup a server
farm that scans for the worm and then emails the domain's admin contact
informing them of the infection. Since port scanning is not illegal,
this would cause far less of an uproar. Of course, administrators would
freak when they see attempts to connect to their server on port 10008.
I guess there is no easy answer except maybe, I don't know, patching
About the author(s)
Rick Johnson is currently involved in a number of projects, none of
which he can discuss at this time. Aren't non-disclosure agreements
wonderful? When not involved with those, he heads the development team
for PMFirewall, an Ipchains Firewall and Masquerading Configuration
Utility for Linux. Rick can be contacted via email at rick@xxxxxxxxxxxx
or on the web at http://www.pointman.org.
What Makes Johnny (and Janey) Write Viruses?
Forget the stereotypes -- virus writers range in age and outlook, but
many share an undeveloped sense of ethics, researcher finds.
A solution to e-mail virus propagation?
New worm spreads disguised as virus warning
VBS.Hard.A@mm shows up in users' in-boxes disguised as a virus alert
from antivirus firm Symantec Corp.
Lion Internet Worm Analysis
- Go to: http://reg.itworld.com/cgi-bin/subcontent12.cgi
- Enter your email address under "Current subscriber" to log in
- Uncheck the box next to the newsletter you want to unsubscribe from
- Or check the box next to the newsletter you want to subscribe to
If you have questions, please send email to customer service at:
* For editorial comments, write Andrew Santosusso, Associate Editor,
Newsletters at: andrew_santosusso@xxxxxxxxxxx
* For advertising information, write Dan Chupka, Account Executive at:
* For recruitment advertising information, write Jamie Swartz, Eastern
Regional Sales Manager at: jamie_swartz@xxxxxxxxxxx or Paul Duthie,
Western Regional Sales Manager at: paul_duthie@xxxxxxxxxxx
* For all other inquiries, write Jodie Naze, Product Manager,
Newsletters at: jodie_naze@xxxxxxxxxxx
Copyright 2001 ITworld.com, Inc., All Rights Reserved.
-- This is the discussion@xxxxxxxxx list. To unsubscribe,
- [aclug-L] FW: Does the end justify the means?,
Dale W Hodge <=