Linux Worms - some ideas by SnakeByte [Matrix] ( SnakeByte@kryptocrew.de ) In these days ramen shocked the red hat users, because they suddenly realized that worms can also spread with unix/linux, a facts everyone seems to have forgotten since the morrison worm rocked 1988 through the arpanet. And while I am writing this, another worm called li0n goes through the world, all newer worms are just lame versions of what will come, these worms are all in all a collection of badly written shell script and some C ELF Binaries, to my mind there is much more possible than this. Nowadays, every Linux/Unix user tells a virus writer, that viruses and worms are just a problem with windows, because the unix system has stronger permissions for files and similar things. I want to discuss here some ideas how a worm could spread in Linux environment. Some of them have already been implemented, some not. 0. Autostarting : Many different possibilities like /etc/rcS.d.. and the other directorys with startup scripts , a simple cron job ( echo 20 * *** /bin/bash worm >> /etc/crontab/root ), or awk, adding a line to some already autostarted shell and perl scripts, insert a line into a source to start the worm and recompile the program, infecting a daemon, doing a compangnion infection on some often used files ( create a new ls shellscript, set it executable, and make it call the old ls and make it start the work ) or even use a loadable kernel module, to get started =) You see we have as many possibilities as in windows environment, but they have been rarely used since now =) 1. Selfmailing : Yeah, seems funky, but with Linux spreading to more and more desktop pcs, and being used by more and more less experienced users, there might be a chance that Linux mailing worms will have a chance to spread. The tools that are neccesairy for such an operation get installed with nearly every linux distribution. A mail program, like sendmail is installed on nearly every server and i think it is also installed to deliver root some important messages on normal servers. The old messages are all stored in a single file for each user and with a simple grep can we get the mail addresses we want to ( grep From: /var/mail/root ) We can also search for some often used mail clients and newsreaders to use them for spreading.. heh, everything is well documented =) 2. Infecting : When a worm infects file, it can spread much further on such a system. There are very often some remote disks mounted, so you can travel very fast to another system, by simply starting traveling through the directorys by starting at the root directory. I think Silvio Cesare has some nice example son ELF infection on his page ( http://www.big.net.au/~silvio/ ) and if you really need examples how to change perl or shell scripts for your needs take a look at mine. 3. Buffer Overflows, Heap Overflows, Format String Vulnerabilities : There are lots of vulnerabilities on a Linux / Unix System and several can be exploitet with a program. One example which was used by ramen & lion have been buffer overflows, in my opinion they made this in a really bad way. They had an ELF executable for every exploit, this is a waste of bytes. What about doing it variable, there are some commands which needs to be exchanged, then there is the shell code. If you store these commands in an File, one for each exploit, the shell codes for the different systems in another, you could use just one ELF Binary for every Exploit, and you can easily exchange / update the exploits during development. With such a worm, you can also intrude several different Linux Versions, because you have the shell code exchangeable, all you need is to spread the source of theELF, not the binary and recompile it everywhere. With the Exploits in an extra file, chose a strange ending for it, you can search the current direcory for all exploit files, and then use them one by one ( when doing this, you should also include the port number and banner for the buggy daemon ). This will also make it possible to update newer exploits to the worm, via a newsgroup like Vecnas Hybris did. The worm can be transferred in several ways. The worst one is too have it at a fixed url and use the shell after the exploiting to download it :P Ramen and Lion opened a port on the "attacking" system, and make the "attacked" system download it from there. When doing a uuencode on the file, or if it is printable charakters only, you can directly send it through the shell ( echo .... >> newfile.sh ). Another possible thing would to post the worm regulary into a newsgroup and make the shell script fetch it from there, so you could also update it =). 4. CGI Exploits There are several common CGI Scripts which can be exploitet and i also know of programs, that do a search on google.com for sites using these scripts and exploitingthem one by one. So this will also be something nice for a worm, it could contain several search engines, doing a search for a script, exploit it, install itself. Or grapping the passwd / shadow file, brute forcing it and the install. Or just scan some random Subnets for the cgi script you want to exploit. All in all this would be a nice feature to implement. If the CGI Exploit is in a way that you canwrite something to a file, overwrite some files with the worm code, and make them start somehow ( if they are in /cgi-bin/ I think you know how to start them *g* ) 5. Common Passwords / RLogin Of course, you rarely see such things nowadays, but why not give it a try. I think the code you need is worth it. Get a Subnet, scan for FTP, Telnet, SSH, make a connection and try some common passwords, with some luck, you got anotherhost. 6. Damage Reducing.. or better directing =) I think worms can much easier be written in a way, which will help to keep them ina special environment,.. this might be your lokal network you use for testing, or a special subnet, or country which you want to get into trouble ;) Just as an example, you want to bring some problems to the united states. Get some servers, standing at the boarders of the country like : 5__________ ... houston.com - 1 san jose / \---/ / Ok, just lets assume this digimedia.com - 2 oklahoma | /3 is the USA =) wks200.boston.com - 3 New York 1| 2 /4 www.bu.edu - 4 Worcester `\___ ______ / www.seattleu.edu - 5 seattle 6 \/ \.\ www.uophx.edu - 6 scottsdale Ok, now your worm has some entry points. You release the worm somewhere in the US. The worm gets one of the hosts at random, and does a traceroute, to get the IP's in between. Normally it will retrieve about 10 IP's this way. Use them to scan the IP Ranges. ( If you find a 153.31.12.34 --> Scan from 153.31.12.1 to 153.31.12.255 to exploit potential hosts. Maybe you could also use the Class C, but I think it will need to long to scan, so it will travel too slow ) And when having technical warfare in mind, we want to spread it fast and deadly =) 5__________ ... /oooo \---/ / | oooXooo / So, assume you started your worm in Seattle. | oooo/4 It chooses the server in Worcester, and makes `\___ ______ / a trace route ( the o ). This will give it \/ \.\ about ten class C nets it will start to scan. Ok, we found a vulnerable host X ( one of many ) on this way. From this host it will tracert any of the hosts in our list. ( even if it will get a host it came from, it will possibly take another route back ) Ok, as you might image it create kind of a net, covering the entire country. __________ ... /oooo \---/oo/ | oooXooo o / Yeah, I know you nearly see nothing now , but whatever | oo oXoo/ I spent time making this, so you _have_ to look at it =) `\___o ______ / As I mentioned before, this gets a bit into internet \/ \.\ war, so I will present here a little concept of a worm, which is designed to cause just havoc. The payload should be triggered, so that maybe all infected servers get completely deleted when the stock market opens in the morning, or some important servers got DDoS'ed at a special time. I think such a worm would have the power to keep a country for 3-4 days without internet. During scanning, another idea would be to send a KOD or another DOS attack against every windows client which is somehow in the subnet. So root everything in the way of the worm and try to kick out everything else. For example would it be possible to drop a timebomb to every IIS server, because a lot are still vulnerable to the unicode exploit. I think such a worm can be easily written and is able to damage a country's infrastructure, makes it loose tons of money so it will maybe not longer be able to make war. And the best is, this "weapon" costs nearly nothing... 7. Payload In Unix / Linux environent we also have some nice kinds of payloads, it is possible to 0wn the page, like ramen did. We can also simply change the motd, send the passwd & shadow file around, make a DDoS, display some kind of ascii effect to root, install a rootkit or backdoor, mailbomb microsoft =) I think there are also several neat things you could not really do in win environment, because Linux is mostly used on servers, so you have a bigger bandwith. You can also set some funny aliases or change one of the startup scripts to display a nice ascii pic. Whatever.. my creativity stops here ;)