💾 Archived View for spam.works › mirrors › textfiles › internet › unixworm.txt captured on 2023-11-14 at 10:26:44.
⬅️ Previous capture (2023-06-16)
-=-=-=-=-=-=-
From: Stoll@DOCKMASTER.ARPA Subject: Virus on the Arpanet - Milnet Date: Thu, 3 Nov 88 06:46 EST Re Arpanet "Sendmail" Virus attack November 3, 1988 Hi Gang! It's now 3:45 AM on Wednesday 3 November 1988. I'm tired, so don't believe everything that follows... Apparently, there is a massive attack on Unix systems going on right now. I have spoken to systems managers at several computers, on both the east & west coast, and I suspect this may be a system wide problem. Symptom: hundreds or thousands of jobs start running on a Unix system bringing response to zero. Systems attacked: Unix systems, 4.3BSD unix & variants (eg: SUNs) any sendmail compiled with debug has this problem. See below. This virus is spreading very quickly over the Milnet. Within the past 4 hours, I have evidence that it has hit >10 sites across the country, both Arpanet and Milnet sites. I suspect that well over 50 sites have been hit. Most of these are "major" sites and gateways. Method: Apparently, someone has written a program that uses a hole in SMTP Sendmail utility. This utility can send a message into another program. Step 1: from a distant Milnet host, a message is sent to Sendmail to fire up SED, (SED is an editor) This is possible in certain versions of sendmail (see below). 2: A 99 line C program is sent to SED through Sendmail. 3: The distant computer sends a command to compile this C program. 4: Several object files are copied into the Unix computer. There are 3 files: one targeted to Sun one targeted to SUN-3 one targeted to vax (ultrix probably, not vms) 5: The C program accepts as address other Milnet sites 6: Apparently, program scans for other Milnet/arpanet addresses and repeats this process. The bug in Sendmail: When the Unix 4.3 BSD version of Sendmail is compiled with the Debug option, there's a hole in it. Most Unix systems (BSD 4.3 and Suns) apparently do not have this bug. It exists only where the system manager recompiled Sendmail and enabled debugging. This is bad news. Cliff Stoll dockmaster.arpa ---------------------------------------------------------------------- From: Gene Spafford <spaf@purdue.edu> Subject: More on the virus Date: Thu, 03 Nov 88 09:52:18 EST All of our Vaxen and some of our Suns here were infected with the virus. The virus forks repeated copies of itself as it tries to spread itself, and the load averages on the infected machines skyrocketed. In fact, it got to the point that some of the machines ran out of swap space and kernel table entries, preventing login to even see what was going on! The virus seems to consist of two parts. I managed to grab the source code for one part, but not the main component (the virus cleans up after itself so as not to leave evidence). The way that it works is as follows: 1) Virus running on an infected machine opens a TCP connection to a victim machine's sendmail, invokes debug mode, and gets a shell. 2) The shell creates a file in /tmp named $,l1.c (where the $ gets replaced by the current process id) and copies code for a "listener" or "helper" program. This is just a few dozen lines long and fairly generic code. The shell compiles this helper using the "cc" command local to the system. 3) The helper is invoked with arguments pointing back at the infecting virus (giving hostid/socket/passwords as arguments). 4) The helper then connects to the "server" and copies a number of files (presumably to /tmp). After the files are copied, it exec's a shell with standard input coming from the infecting virus program on the other end of the socket. From here, I speculate on what happens since I can't find the source to this part lying around on our machines: 5) The newly exec'd shell attempts to compile itself from the files copied over to the target machine. I'm not sure what else the virus does, if anything -- it may also be attempting to add a bogus passwd file entry or do something to the file system. The helper program has an array of 20 filenames for the "helper" to copy over, so there is room to spare. There are two versions copied -- a version for Vax BSD and a version for SunOS; the appropriate one is compiled. 6) The new virus is dispatched. This virus opens all the virus source files, then unlinks the files so they can't be found (since it has them open, however, it can still access the contents). Next, the virus steps through the hosts file (on the Sun, it uses YP to step through the distributed hosts file) trying to connect to other machines' sendmail. If a connection succeeds, it forks a child process to infect it, while the parent continues to attempt infection of other machines. 7) The child requests and initializes a new socket, then builds and invokes a listener with the new socket number and hostid as arguments (#1, above). The heavy load we see is the result of multiple viruses coming in from multiple sites. Since local hosts files tend to have entries for other local hosts, the virus tends to infect local machines multiple times -- in some senses this is lucky since it helps prevent the spread of the virus as the local machines slow down. The virus also "cleans" up after itself. If you reboot an infected machine (or it crashes), the /tmp directory is normally cleaned up on reboot. The other incriminating files were already deleted by the virus itself. Clever, nasty, and definitely anti-social. --spaf --------------------------------------------------------------------------- From: bishop@bear.Dartmouth.EDU (Matt Bishop) Subject: More on the virus Date: Thu, 3 Nov 88 16:32:25 EST ... This program introduced itself through a bug in sendmail. At these sites, sendmail was compiled and installed with a debugging option turned on. As near as I can figure (I don't have access to the sendmail sources), by giving a specific option to the "debug" command in sendmail (there are lots of those, controlling what exactly you get information about) you can cause it to execute a command. As sendmail runs setuid to root, guess what privileges the command is executed with. Right. Apparently what the attacker did was this: he or she connected to sendmail (ie, telnet victim.machine 25), issued the appropriate debug command, and had a small C program compiled. (We have it. Big deal.) This program took as an argument a host number, and copied two programs -- one ending in q.vax.o and the other ending in .sun.o -- and tried to load and execute them. In those cases where the load and execution succeeded, the worm did two things (at least): spawn a lot of shells that did nothing but clog the process table and burn CPU cycles; look in two places -- the password file and the internet services file -- for other sites it could connect to (this is hearsay, but I don't doubt it for a minute.) It used both individual .rhost files (which it found using the password file), and any other remote hosts it could locate which it had a chance of connecting to. It may have done more; one of our machines had a changed superuser password, but because of other factors we're not sure this worm did it. This last part is still sketchy; I have the relevant sun.o file and will take it apart to see just what it was supposed to do. As of now, it appears there was no serious damage (just wasted CPU cycles and system administrator time). Two obvious points: 1. Whoever did this picked only on suns and vaxen. One site with a lot of IRISes and two Crays (ie, NASA Ames) got bit on their Suns and Vaxen, but the attempt to get the other machines didn't work. 2. This shows the sorry state of software and security in the UNIX world. People should NEVER put a program with debugging hooks in it, especially when the hook is (or can be made) to execute an arbitrary command. But that is how the sendmail which was used was distributed! One more interesting point: initially, I thought an application of the "principle of least privilege" would have prevented this penetration. But the attacker used a world-writeable directory to squirrel the relevant programs in, so -- in effect -- everything could have been done by any user on the system! (Except the superuser password change, of course -- if this worm did in fact do it.) I think the only way to prevent such an attack would have been to turn off the deug option on sendmail; then the penetration would fail. It goes to show that if the computer is not secure (and like you, I don't believe there ever will be such a beastie), there is simply no way to prevent a virus (or, in this case, a worm) from getting into that system. I know this is somewhat sketchy, flabby, and fuzzy, but it's all I know so far. I'll keep you posted on developments ... Matt ------------------------------------------------------------------------ From: bostic@okeeffe.Berkeley.EDU (Keith Bostic) Subject: Virus (READ THIS IMMEDIATELY) Date: 3 Nov 88 10:58:55 GMT Subject: Fixes for the virus Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD Description: There's a virus running around; the salient facts. A bug in sendmail has been used to introduce a virus into a lot of Internet UNIX systems. It has not been observed to damage the host system, however, it's incredibly virulent, attempting to introduce itself to every system it can find. It appears to use rsh, broken passwords, and sendmail to introduce itself into the target systems. It affects only VAXen and Suns, as far as we know. There are three changes that we believe will immunize your system. They are attached. Thanks to the Experimental Computing Facility, Center for Disease Control for their assistance. (It's pretty late, and they certainly deserved some thanks, somewhere!) Fix: First, either recompile or patch sendmail to disallow the `debug' option. If you have source, recompile sendmail after first applying the following patch to the module svrsmtp.c: *** /tmp/d22039 Thu Nov 3 02:26:20 1988 --- srvrsmtp.c Thu Nov 3 01:21:04 1988 *************** *** 85,92 **** "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, - "debug", CMDDBGDEBUG, # endif DEBUG # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ --- 85,94 ---- "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, # endif DEBUG + # ifdef notdef + "debug", CMDDBGDEBUG, + # endif notdef # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ Then, reinstall sendmail, refreeze the configuration file, using the command "/usr/lib/sendmail -bz", kill any running sendmail's, using the ps(1) command and the kill(1) command, and restart your sendmail. To find out how sendmail is execed on your system, use grep(1) to find the sendmail start line in either the files /etc/rc or /etc/rc.local If you don't have source, apply the following patch to your sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly tricky -- note, some versions of strings(1), which we're going to use to find the offset of the string "debug" in the binary print out the offsets in octal, not decimal. Run the following shell line to decide how your version of strings(1) works: /bin/echo 'abcd' | /usr/ucb/strings -o Note, make sure the eight control 'G's are preserved in this line. If this command results in something like: 0000008 abcd your strings(1) command prints out locations in decimal, else it's octal. The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!! This script assumes that your strings(1) command prints out the offsets in decimal. Script started on Thu Nov 3 02:08:14 1988 okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug 0096972 debug okeeffe:tmp {3} adb -w /usr/lib/sendmail ?m 0 0xffffffff 0 0t10$d radix=10 base ten 96972?s 96972: debug 96972?w 0 96972: 25701 = 0 okeeffe:tmp {4} ^D script done on Thu Nov 3 02:09:31 1988 If your strings(1) command prints out the offsets in octal, change the line "0t10$d" to "0t8$d". After you've fixed sendmail, move both /bin/cc and /bin/ld to something else. (The virus uses the cc and the ld commands to rebuild itself to run on your system.) Finally, kill any processes on your system that don't belong there. Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random digits, as the command name on the ps(1) output line. One more thing, if you find files in /tmp or /usr/tmp that have names like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or "xNNNNNNN,vax.o" where the N's are random digits, you've been infected. ------------------------------------------------------------------------ From: news@cs.purdue.EDU (News Knower) Subject: Re: The virus Date: 3 Nov 88 19:58:27 GMT The patch from Keith Bostic in the last message is *not* sufficient to halt the spread of the virus. We have discovered from looking at the binaries that the virus also attempts to spread itself via "rsh" commands to other machines. It looks through a *lot* of files to find possible vectors to spread. If you have a bunch of machines with hosts.equiv set or .rhosts files, you should shut them *all* down at the same time after you have fixed sendmail to prevent a further infestation. If you don't clear out the versions in memory, you won't protect your other machines. The virus runs itself with the name "sh" and then overwrites argv, so if a "ps ax" shows any processes named "(sh)" without a controlling tty, you have a problem. Due to the use of other uids from rsh, don't make any conclusions if the uid is one of your normal users. Also, check your mailq (do a mailq command). If you see any entries that pipe themselves through sed and sh, delete them from the queue before you restart your machines. Non-internet sites do not need to worry about this virus (for now!), but be aware that mail and news may not be flowing everywhere for some time -- many sites are disconnecting from the Internet completely until the virus is contained. ----------------------------------------------------------------------- From: Gene Spafford <spaf@purdue.edu> Subject: Updated worm report Date: Fri, 04 Nov 88 00:27:54 EST This is an updated description of how the worm works (note: it is technically a worm, not a virus, since it does not attach itself to other code {that we know about}): All of our Vaxen and some of our Suns here were infected with the worm. The worm forks repeated copies of itself as it tries to spread itself, and the load averages on the infected machines skyrocketed. In fact, it got to the point that some of the machines ran out of swap space and kernel table entries, preventing login to even see what was going on! The worm seems to consist of two parts. The way that it works is as follows: 1) Virus running on an infected machine opens a TCP connection to a victim machine's sendmail, invokes debug mode, and submits a version of itself as a mail message.