Details
Worm.Sadmind
Text written by Costin Raiu, Kaspersky Labs, Romania
This is an Internet worm that replicates between Sun SPARC computers running the Solaris/SunOS operating system and attacks Microsoft IIS v4 and v5 Web servers. Compromised Microsoft IIS servers have their start page replaced with the defacement page reproduced in the picture below:
The worm was apparently written by someone with strong pro-Chinese views: "PoizonBOx" is a group of hackers that attacks and defaces US Web sites over the Internet.
Technical details
To replicate, the worm makes use of an old vulnerability in the "/usr/sbin/sadmind" system administration daemon. Sun Microsystems issued an alert regarding this vulnerability about two years ago; for details see:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba
The worm generates a random address class of the form "a.b" and then checks every remaining combination in that class, i.e. a.b.0.1, a.b.0.2, ..., a.b.254.254, a.b.254.255. Each address is tested for a running "portmap" service listening on port 111.
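The sweep described above is easy to spot in network logs: one source touches port 111 on host after host inside a single a.b class. The following detector is an added example, not code from the original write-up; it reads a constructed, simplified flow-log format of `<src_ip> <dst_ip> <dst_port>` per line (a real NetFlow or firewall export would need its own parser), and the threshold of 20 distinct hosts per /16 is a hypothetical tuning value. `sweep_targets` reproduces the address order the text gives, which is how the 65,025 addresses per class were counted.

```python
"""Detect the sadmind worm's portmap sweep in flow records.

Added example, not code from the original write-up. Input is a constructed
flow-log format:  <src_ip> <dst_ip> <dst_port>  (one record per line).
"""
import ipaddress
from collections import defaultdict

PORTMAP_PORT = 111
# Hypothetical threshold: distinct hosts in one /16 a source must probe on
# port 111 before it is reported as sweeping that class.
SWEEP_THRESHOLD = 20


def sweep_targets(a, b):
    """Yield one a.b class in the order the text gives: a.b.0.1 ... a.b.254.255."""
    for c in range(0, 255):
        for d in range(1, 256):
            yield f"{a}.{b}.{c}.{d}"


def parse_flow(line):
    """Parse one constructed record into (src, dst, dst_port)."""
    src, dst, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def detect_portmap_sweeps(lines, threshold=SWEEP_THRESHOLD):
    """Return {src: [swept /16 prefixes]} for sources that probed port 111 on
    at least `threshold` distinct hosts inside the same a.b.0.0/16."""
    probes = defaultdict(lambda: defaultdict(set))  # src -> /16 -> {dst hosts}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = parse_flow(line)
        if port != PORTMAP_PORT:
            continue
        net = ipaddress.ip_network(f"{dst}/16", strict=False)
        probes[str(src)][str(net)].add(dst)
    hits = {}
    for src, nets in probes.items():
        swept = sorted(n for n, hosts in nets.items() if len(hosts) >= threshold)
        if swept:
            hits[src] = swept
    return hits


# Constructed sample: 10.0.0.5 walks 192.168.0.1 .. 192.168.0.30 on port 111
# (the start of a sweep); 10.0.0.9 is an ordinary client.
SAMPLE_LOG = [f"10.0.0.5 192.168.0.{d} 111" for d in range(1, 31)] + [
    "10.0.0.9 192.168.0.1 111",
    "10.0.0.9 192.168.0.2 111",
    "10.0.0.9 192.168.0.3 80",
    "10.0.0.5 192.168.0.3 600",   # connection to the root-shell port, not a probe
]

if __name__ == "__main__":
    print("addresses per a.b class:", sum(1 for _ in sweep_targets(10, 20)))
    for src, nets in detect_portmap_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {', '.join(nets)}")
```

Because the worm walks a class sequentially, even a short capture window shows dozens of consecutive destinations from one source; a lower threshold catches it earlier at the cost of flagging legitimate RPC scanners.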
Whenever such a system is found, the worm checks whether it is also running the "sadmind" remote administration service and, if so, attempts to exploit it. On success it installs a root shell listening on port 600 of the remote machine, creates a ".rhosts" file in root's home directory containing "+ +" (which disables the host-based authentication of rlogin/rsh/etc., so any user from any host is trusted), copies itself to the "/dev/cuc" directory on the target, modifies the start-up files so the worm is launched every time the system boots, and then runs the worm code itself.
The worm code on the compromised machine creates a directory named "/dev/cub" for its logs and inter-process communication files, downloads a copy of Perl 5.005 from a Chinese FTP site ("bak-px.online.sh.cn") and installs it (parts of the worm are written in Perl), then attempts to propagate further and to attack random IIS servers over the Internet. The IIS exploit it uses is described in Microsoft Security Bulletin MS01-023:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp
Using this bug, the worm overwrites the server's index page with one containing the messages mentioned above (see the picture).
After infecting 2000 IIS servers, the worm also replaces all local "index.html" files on the Solaris system with one that looks the same as the page placed on the compromised IIS servers.
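The Solaris-side artifacts listed above (the /dev/cuc and /dev/cub directories, the "+ +" line in root's .rhosts, the modified start-up files and the root shell on port 600) are what an administrator would check a suspect host for. The script below is an added example, not code from the original write-up. It walks a filesystem root and a `netstat -an`-style listing; the text does not say which start-up files the worm edits, so the list scanned here (/etc/inittab, /etc/rc2.d, /etc/rc3.d) is an assumption, root's home is taken to be "/" as on Solaris, and the file and launcher line in the constructed sample tree are hypothetical.

```python
"""Host check for the Solaris artifacts of the sadmind worm.

Added example, not code from the original write-up. Run against "/" on a
live host; here it is demonstrated on a constructed sample tree.
"""
import os
import re
import tempfile

WORM_DIRS = ("dev/cuc", "dev/cub")
STARTUP_PATHS = ("etc/inittab", "etc/rc2.d", "etc/rc3.d")   # assumption: files the worm may edit
RHOSTS_WILDCARD = re.compile(r"^\s*\+\s+\+\s*$")            # "+ +": any host, any user
# Matches a LISTEN line whose local address is Solaris "*.600" or Linux "0.0.0.0:600".
LISTEN_600 = re.compile(r"(^|\s)\S+[.:]600\s+.*\bLISTEN\b")


def rhosts_is_wide_open(path):
    """True when an .rhosts file grants rlogin/rsh to every user from every host."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return any(RHOSTS_WILDCARD.match(line) for line in fh)
    except OSError:
        return False


def startup_files_referencing(root, needle="/dev/cuc"):
    """Start-up files (from the assumed list) whose contents mention the worm directory."""
    hits = []
    for rel in STARTUP_PATHS:
        base = os.path.join(root, rel)
        if os.path.isfile(base):
            candidates = [base]
        elif os.path.isdir(base):
            candidates = [os.path.join(base, f) for f in sorted(os.listdir(base))]
        else:
            continue
        for path in candidates:
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                if needle in fh.read():
                    hits.append(os.path.relpath(path, root))
    return hits


def port_600_listening(netstat_lines):
    """True if any line of a `netstat -an` listing shows a listener on port 600."""
    return any(LISTEN_600.search(line) for line in netstat_lines)


def sadmind_worm_indicators(root="/", netstat_lines=()):
    """Return the indicator strings found under root; an empty list means none were seen."""
    found = []
    for rel in WORM_DIRS:
        if os.path.isdir(os.path.join(root, rel)):
            found.append(f"directory /{rel} present")
    if rhosts_is_wide_open(os.path.join(root, ".rhosts")):   # root's home assumed to be /
        found.append("'+ +' in /.rhosts")
    for f in startup_files_referencing(root):
        found.append(f"start-up file {f} references /dev/cuc")
    if port_600_listening(netstat_lines):
        found.append("listener on port 600")
    return found


def build_infected_sample():
    """Constructed sample tree reproducing the artifacts; returns its root path."""
    root = tempfile.mkdtemp(prefix="sadmind-sample-")
    for rel in ("dev/cuc", "dev/cub", "etc/rc2.d"):
        os.makedirs(os.path.join(root, rel))
    with open(os.path.join(root, ".rhosts"), "w") as fh:
        fh.write("+ +\n")
    # Hypothetical file name and launcher line; the text names neither.
    with open(os.path.join(root, "etc", "rc2.d", "S71rpc"), "w") as fh:
        fh.write("#!/sbin/sh\n/dev/cuc/start.sh &\n")
    return root


# Constructed `netstat -an` excerpt in Solaris format.
SAMPLE_NETSTAT = [
    "      *.111                *.*                0      0 24576      0 LISTEN",
    "      *.600                *.*                0      0 24576      0 LISTEN",
    "      *.22                 *.*                0      0 24576      0 LISTEN",
]

if __name__ == "__main__":
    for line in sadmind_worm_indicators(build_infected_sample(), SAMPLE_NETSTAT) or ["clean"]:
        print(line)
```

On a real host pass `root="/"` and the output of `netstat -an` split into lines; any single indicator is worth investigating, and the "+ +" .rhosts entry should be removed even if the rest of the worm is gone, since it keeps the machine open to rsh/rlogin from anywhere.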
Worm.SadMind.b
Version "Worm.SadMind.b" is functionally identical to version .A, except for a couple of executable utilities that appear to have been recompiled.
Worm.SadMind.c
Version "Worm.SadMind.c" differs from the other versions only in the "index.html" file that is used to overwrite local "index.html" files on Solaris systems after 2000 IIS servers have been compromised. Compromised IIS servers appear the same as those hit by versions .A and .B.