LJ Archive CD

Worms and Linux

Himanshu Arora

Issue #230, June 2013

Some people believe that Linux as an operating system inherently is not vulnerable to viruses and worms; others believe that Linux is not vulnerable simply because of its limited use as a desktop. The debate remains open.

Computer worms are considered to be one of the best weapons in a computer attacker's arsenal. Through these computer worms, evil-doers intrude into computer systems to destroy files, attack other computer systems, steal data and so on. The concept of a computer worm is not new; attackers have been using worms to attack computer systems for decades now. If you look back at the history of computer worms, you'll see that the computer worms that caused the most damage were directed toward the Microsoft Windows OS. Is this because of the number of Windows vulnerabilities, or is it merely due to the number of Windows users? The question remains unanswered. Meanwhile, apart from the Morris worm, very few worms have been directed toward Linux.

An Introduction to Computer Worms

A computer worm is a program that has malicious intent (that is, it can cause damage to a computer system). It can replicate itself and propagate over the network to infect other vulnerable computer systems. You also can think of a computer worm as a computer virus that requires no human action to start and that has the capabilities to self-replicate and traverse over the network.

A worm can arrive on a system through various means, such as an e-mail attachment, a downloaded file from the Internet, a file over a TCP/UDP connection from a trusted neighbor host or removable media like CDs, pendrives and so on. Once it has arrived on a system, it has three tasks to do:

  • Hide from any system-monitoring software, like antivirus software.

  • Start the actual damage for which is it is designed.

  • Send a copy of itself to other hosts on the network to infect them too.

A worm that is able to do all these tasks effectively can be a real threat to a host or a network. Developing an effective worm requires a lot of system-/network-related knowledge, and this is the reason not every computer worm is successful.

Design a Computer Worm—Wearing an Attacker's Hat

From an attacker's prospective, three things need to be considered when designing a computer worm.

1) Exploiting system vulnerabilities:

The whole idea behind developing a worm is to cause maximum damage, and this can be possible only if the worm exploits one or more system vulnerabilities. Exploits are nothing but loopholes in the standard utilities or in the OS kernel that worms can use to get the required power or privileges to compromise a computer system.

If a worm does not exploit a system vulnerability, the only way for a worm to compromise a system is to wait for the user to make some mistake. But, this requires writing a lot of code; thus, it is not considered a good design for developing a worm. Also, this design strategy does not ensure that a worm always will be successful in compromising and damaging the system.

On the other hand, if a worm exploits some vulnerability, such as a “zero-day” vulnerability (en.wikipedia.org/wiki/Zero-day_attack), it becomes very easy for a worm to compromise a system and cause maximum damage.

Note: some worms do not intend to cause any damage to the infected host (see my next point for details).

2) Stealth—the ability to remain undetected:

This also is one of the major aspects of worm design. Even a worm with the deadliest intentions can't do much damage if a system administrator or the monitoring software that runs on a host can detect it easily. So, the ability to remain undetected on a system is yet another important factor that worm authors consider. Countless worms are developed each month, but only very few become potential threats because of most worms' inferior stealth capability.

The best way for a worm to stay undetected is to piggyback itself onto a trusted process by compromising it. A trusted process is a process running on a computer system that is deemed trustworthy by the system itself, and hence, it faces minimal interference from firewalls and antivirus software running on the system. A process can become trusted if it follows the relevant standards that are set by the US Department of Defense.

Worms have other ways of hiding on a system. For example, my article in the January 2012 issue of LJ discusses a small and not-so-destructive example of a piece of code that can exploit ELF executables on a Linux system: www.linuxjournaldigital.com/linuxjournal/201201?pg=92#pg92. The design of this malicious piece of code enables it to compromise the executables on a Linux system, and each time a compromised executable is run, many other executables are compromised. Here, the malicious code remains on the system until all the affected executables are cleaned.

Some worms are designed to hide for a very long period of time on an infected host. Such worms do not intend to cause any damage to the host on which they reside. Rather, the sole purpose of these worms is to provide a back door (to each host on which they reside) to the worm author, who then controls the host remotely and activates the core of the worm at any given point of time in the future to launch DDoS attacks to a particular server. These types of attacks make it practically impossible to catch the actual attackers (worm authors) and generally are used to target government organizations and big corporations.

3) Speed and method of propagation:

Every worm has a lifetime of its own before it is nailed down. That's the reason propagation speed is one of the top priorities for worm authors. Propagation speed directly depends on the method of propagation.

One propagation method worms use is via e-mail, where worms are transmitted in the form of e-mail attachments. If you look at the intricacies of this method, you'll find that propagation speed is not very high, because all the messages have to go through e-mail servers. This adds an extra delay for a worm to reach its destination.

Another worm propagation method is to establish TCP connections directly. A TCP connection could be between an infected and non-infected host, or it could be between a non-infected host and a server where a fresh copy of a worm can be downloaded. Because TCP is a connection-oriented protocol, the three-way-handshake (en.wikipedia.org/wiki/Three_way_handshake#Connection_establishment), or the concept of acknowledgement, can cause unnecessary delays and hamper the worm's propagation speed. But, this propagation method is still faster than propagation via e-mail.

The fastest of all the propagation methods is over UDP connections. Because UDP is not connection-oriented and is not affected by network congestion, it offers speedier propagation for worms. The only drawback of using UDP is that delivery to the destination is not reliable, but that's not a real issue in the case of worms where more than one copy of a worm is sent to a host.

You may wonder why e-mail still is used as a propagation method if it has the slowest speed. E-mail provides a way for worms to reach a lot of systems through contacts, while UDP makes sure that propagation is quick. So, there is no best way of impact using either e-mail or UDP. But, if you consider a method where the worm is sent through e-mail over UDP, the worm can propagate to a large audience in no time.

Detect and Counter a Computer Worm—Wearing an Administrator's Hat

Here are some methods for detecting a worm:

  • Monitor trusted processes: you all know that non-trusted processes are monitored actively by programs like firewalls and antivirus software, and any deviation from the allowed behavior causes those processes to be quarantined and even interrupted. But, what about trusted processes? Although minimal, there are chances that a worm may attach itself to a trusted process. So, what happens in that case? Well, trusted processes also can be monitored to a certain extent. For example, each trusted process has specific work to do. If it can be monitored for any deviation from its work, worms attached to trusted processes also can be detected.

  • Monitor IP address scanning: each process that tries to do some activity over the network tries to connect to an IP address. Although legitimate processes know the IP addresses (on which the connection needs to be established), worms try to scan all the IP addresses that fall in the host's IP address space. This means that worms would try to connect to all the IP addresses in the IP address space of the host, and any good monitoring software will detect these worms.

  • Install honey pots on the network: a honey pot is a computer node on a network that is set up explicitly as a trap for intruders and malicious programs like worms. Honey pots let the intruder (or malicious program) do all the evil stuff while recording all its activities. This way, an alarm can be raised to all the nodes on a computer network, and the network administrator easily can block such unwanted activity on other nodes.

After detecting a worm, the first step should be to quarantine the process and strip off its permissions to execute code on areas like heap, stack and so on. If it continues to show the same suspicious behavior, affected processes also can be killed. Other than this, by keeping your system updated (with all the latest patches to kernel and system utilities), you can minimize the threat.

Linux Worms—Why Are There Only a Few Successful Ones?

Worms on Linux have had a limited success rate. As I mentioned at the beginning of this article, some people believe that Linux as an operating system is inherently not vulnerable to worms, and others believe that Linux hasn't been very vulnerable to worms simply because of its limited use as a desktop. The following are some points I'd like to add to this debate:

  1. Unlike Windows, most Linux users are not just end users; they know what they are doing on their Linux boxes. Linux users do not easily fall for traps like “Hey, your system has lots of viruses and trojans. Download AntiVirusFake.exe and get rid of this malware.” Also, most Linux users keep their OS updated with the latest patches, which automatically keeps viruses, worms and so forth at bay.

  2. The wall of permissions is the other factor that makes Linux a difficult place for viruses and worms. A normal Linux user account does not have much privileges at its disposal, so a worm or virus cannot do much except affect the files and executables that are limited to a single account. Also, unlike Windows, you never are encouraged to log in as administrator or root and play around all day clicking on files and executables with root privileges. The Linux philosophy is that if you want to do something that requires root privileges, acquire root privileges for some amount of time, do the required work and then return to normal user mode.

  3. Linux and even most of the software that is run on it is open source. A large number of people constantly are working to improve and polish Linux and other open-source software. This means that even if somebody is able to develop a virus or worm by exploiting a vulnerability in the Linux kernel or some popular piece of open-source software, it will take very little time for the community to fix and patch it. Bugs in the Linux kernel are fixed in no time.

  4. Unlike Windows, Linux does not follow the “brain-dead” file extension system. If a.out is an executable file on Linux, and if you try to run it, it will not run just because it has a .OUT extension. The executable bit has to be set on every executable in order to execute it. If you compare a scenario where a Windows user receives an e-mail message with an attachment named “HotBritneyWallpaper.exe”, just by clicking on the attachment, the virus/worm is installed in the system. On the other hand, in Linux, if an e-mail with a similar attachment is delivered, every user first has to save the attachment, then give execution permissions to the file in order for the file to execute. But, if the attachment boasts of just being wallpaper, why would even a normal Linux user provide the file with execution permissions? There you go—problem averted. Linux provides another layer of protection that prevents accidental execution of binary files.

  5. Linux comes packaged in various distributions like Ubuntu, Red Hat, Cent OS and so on, and each distribution has its own set of software utilities. For example, several e-mail clients are used across various Linux distributions, such as KMail, mutt, emacs, Mozilla Mail, Evolution, pine and so on. Now if an attacker writes an exploit for one of those, it's not going to impact all Linux users. So, unlike Microsoft, where an exploit for Outlook rings alarm bells all over the world, because Linux has more variety, this adds another layer of protection.

A Case Study of Some Linux Worms

In this section, I focus on two popular Linux-specific worms. Note: the Morris worm has been the most popular UNIX-based worm to date, but I don't discuss it here, because so much has been said and written about it already. Read en.wikipedia.org/wiki/Morris_worm for more information on the Morris worm.

The Linux Slapper Worm:

The Linux Slapper is a worm that targeted Linux machines running an Apache server. This worm was detected in October 2002. The Slapper worm exploits the buffer overflow vulnerability of the OpenSSL software installed on the server.

The worm starts by scanning the Internet randomly for hosts, and when it gets one, it checks whether the host can be attacked. This is done by sending an incorrect HTTP GET request to the target. If an Apache Web server is running on the target, the reply from the server would provide enough information for the worm to decide on the next step. After confirming that an Apache server is running on the host, the worm connects to port 443 (the SSL port) and tries to launch a shell (/bin/ssh) by exploiting the buffer overflow vulnerability of OpenSSL. This exploit specifically targeted Intel x86 platforms. Once the shell is launched, the worm sends a shell script containing an uuencoded copy of its own source code. Using the shell script, the source code is written to a file named .bugtraq.c in the /tmp/ folder.

Once the /tmp/.bugtraq.c file is saved, the worm depends on the availability of GCC on the host and Apache's permissions to execute the GCC compiler. If these requirements are in place, it compiles the .bugtraq.c file into an executable. This executable then is run with the IP address of the attacking computer as a command-line argument. This way, the worm propagates further by forming a peer-to-peer network. It also opens up a specific UDP port to listen and accept instructions to be carried out on/from the infected system.

The Linux Slapper worm had many variants. The A variant listens on UDP port 2002, while variants B and C listen on 1978 and 4156, respectively. The B variant also acts like a virus and corrupts some other files by overwriting them with itself. It also sends data to a yahoo.com address. The C variant also listens to port 1052 periodically and provides a shell to the attacker who is connecting to this port. Besides these differences, all three variants used different names for the files saved in the /tmp/ directory.

Detecting and removing this worm is not very difficult. All you need to do is:

  • Log in as root.

  • Stop the Apache server.

  • Go to the /tmp/ directory.

  • Stop any process that is running with the same name as the worm executable file present in the /tmp/ directory.

  • Remove the worm files (use ls -la to list the files).

Note: there is another Linux worm called DevNull that worked pretty much the same as the Slapper worm. DevNull also exploited the buffer overflow vulnerability in OpenSSL. It is sometimes referred to as Slapper variant D, but it's actually a different worm.

The Linux Lion (L10n) Worm:

The Linux L10n worm, also known as the Lion worm, was written by a Chinese hacker named Lion. He created this worm to warn the Japanese education department of controversial books being used in Japanese schools. According to the worm author, these books proclaimed the war crimes done by the Japanese against China and Korea as “legitimate”.

The worm exploited a TSIG buffer overflow vulnerability in the BIND (Berkeley Internet Name Domain) server software. BIND server software is used to provide instructions to domain name servers (DNS) to convert Web addresses into IP addresses. The Lion worm scans port 53 of the class B network IP addresses, and if it finds a name server running on the target, it launches its BIND exploit on the target. If the exploit is successful, a copy of the worm is downloaded in form of a package. This package then is extracted and the startup scripts are executed.

The infected machines send the root passwords to a Web site hosted in China where the attackers tried to decrypt the password and gain administrative-level access to the infected systems. Reportedly, the worm also created “back doors” for attackers to gain complete access to the infected system.

The Lion worm installed a rootkit in the infected systems in order to hide itself from being detected. This made system administrators' jobs really difficult. The SANS (System Administration, Networking and Security) institute created a program known as “Lionfind” for sysadmins to detect whether the Lion worm is present on a suspected machine.

This worm installed the following files on a Linux system:

  • /bin/in.telnetd

  • /bin/mjy

  • /bin/ps

  • /bin/netstat

  • /bin/ls

  • /etc/inetd.conf

  • /sbin/ifconfig

  • /usr/bin/find

  • /usr/sbin/nscd

  • /usr/sbin/in.fingerd

  • /usr/bin/top

  • /usr/bin/du

And, to hide its footprints, the worm deleted these files:

  • /.bash_history

  • /etc/hosts.deny

  • /root/.bash_history

  • /var/log/messages

  • /var/log/maillog

Experts believe that this worm cannot be removed, and infected systems have to be re-formatted in order to clean out the worm.

Antivirus, IDS and IPS Products for Linux

Linux is now the “most-used OS” on servers, and its popularity on desktops is growing day by day. With this increasing acceptance, Linux is gaining more attention from attackers and intruders. More and more viruses, worms, trojans and so on are being made for Linux these days. Although the success rate of Linux malware is low at the moment, this is no excuse for not protecting Linux-based systems, especially if they are being used in sensitive and critical areas.

Many companies actively are working to provide quality antivirus programs for Linux-based systems, such as Computer Associates, Kaspersky, Trend Micro, Sophos, F-Secure and Symantec.

Apart from antivirus software, some products are available that are based on advanced technologies like intrusion detection systems (IDSes) or intrusion prevention systems (IPSes).

An intrusion prevention system uses an intuitive approach to detect and prevent system intrusion attempts directed at a host. An IPS system scans the data flowing to and from a host, and based on its detection system, it detects any suspicious activity taking place on a host or on a network. Unlike firewalls, IPS systems also check the outbound packets from the host.

The detection methods used are:

  • Signature method.

  • Profile method.

  • Stateful protocol method.

Some free and open-source IPS products are Snort, OSSEC and Suricata.

Read www.ibm.com/developerworks/library/se-intrusion to learn more about this technology, how it works, what detection techniques it uses and some free and open-source IPS products.

Conclusion

Computer security, as you all know, is a process. It is not a product you can purchase and then forget about. Still, you can make good choices and follow best practices so that your systems suffer the least. Today, Linux is the best choice if you want to build a stable and secure host or network environment. But, with the growing popularity of the Linux OS, attacks and intrusions will increase, so be safe!

Himanshu Arora is a senior software engineer at STMicroelectronics, India. Most of his experience is on Linux system programming and network protocols, but his goal is to study Linux in its entirety. In his free time, Himanshu writes articles on topics ranging from Linux administration to Linux security. His articles have been featured on IBM DeveloperWorks and in Smashing Magazine and Linux Journal.

LJ Archive CD