‘Friendly’ Cheese worm reveals many compromised boxes

And it's a tiny step from being highly destructive, too

The so-called 'cheese worm' has attracted a great deal of attention in the past 24 hours for its benign payload, which seeks to mend Linux boxes infected with at least one version of the li0n worm (which exploits a BIND vulnerability). However, it also demonstrates that there's a large number of already-compromised machines connected to the Net; and furthermore, a tiny modification to its code could render it immensely destructive.

The worm scans for machines with a secure root shell listening on TCP port 10008, as set up by a variant of the li0n worm. If the shell exists, cheese will install in the directory /tmp/.cheese and execute a script thus:

/tmp/.cheese/go:
#!/bin/sh
nohup ./cheese $1 1>/dev/null 2>&1 &

Cheese reads the file inetd.conf and rewrites it, deleting any line that contains the string /bin/sh. It then restarts inetd, with all /bin/sh processes killed indiscriminately.

"Until the 'cheese' process is somehow killed, it repeats a cycle of scanning semi-random /16 (e.g., class B) network blocks for hosts listening on TCP port 10008 using the 'psm' program," a detailed incident report by the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University explains.

The first octet of the address may be from 193 to 218, and the second may be from 1 to 254, CERT/CC says.
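
As an added example (not from the article or from CERT/CC), the indicators described above can be turned into a read-only host check: inetd.conf entries that run /bin/sh, the /tmp/.cheese directory, a listener on TCP port 10008, and the address range the worm scans. The function names, the script name and the root-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only triage for the indicators named in the article.

# Print (with line numbers) active inetd.conf entries that run /bin/sh,
# i.e. the lines cheese deletes. Succeeds only if at least one is found.
inetd_shell_lines() {
    grep -n '/bin/sh' "$1" 2>/dev/null | grep -v '^[0-9]*:[[:space:]]*#'
}

# Succeeds if the worm's install directory exists under root directory $1.
cheese_dir_present() {
    [ -d "${1%/}/tmp/.cheese" ]
}

# Reads `ss -ltn` or `netstat -ltn` output on stdin (local address is
# column 4 in both); succeeds if something listens on TCP port 10008.
listener_on_10008() {
    awk '$4 ~ /[:.]10008$/ { found = 1 } END { exit !found }'
}

# Succeeds if IPv4 address $1 lies in the range CERT/CC says cheese scans:
# first octet 193-218, second octet 1-254. Returns 2 on malformed input.
in_cheese_scan_range() {
    case "$1" in *.*.*.*) ;; *) return 2 ;; esac
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    case "$o1" in ''|*[!0-9]*) return 2 ;; esac
    case "$o2" in ''|*[!0-9]*) return 2 ;; esac
    [ "$o1" -ge 193 ] && [ "$o1" -le 218 ] && [ "$o2" -ge 1 ] && [ "$o2" -le 254 ]
}

# Run every check against root directory $1 ("/" for the live host, or a
# mounted disk image). Succeeds only when no indicator is found.
triage() {
    root=${1%/}; hits=0
    if inetd_shell_lines "$root/etc/inetd.conf"; then hits=$((hits + 1)); fi
    if cheese_dir_present "$root"; then
        echo "found $root/tmp/.cheese"; hits=$((hits + 1))
    fi
    # The listener check only makes sense on the running system.
    if [ -z "$root" ] && { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } |
            listener_on_10008; then
        echo "something is listening on TCP 10008"; hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# Usage: sh cheese_triage.sh /        (or a mounted image path)
if [ $# -gt 0 ]; then triage "$1"; fi
```

A host where only /tmp/.cheese turns up has had its inetd.conf backdoor line removed by the worm, but it was rooted before cheese arrived and still needs full incident handling.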

What's most interesting here is that cheese may be the first worm which automates the exploitation not of an existing vulnerability, as most do, but of an existing compromise.

"This is perhaps the first successful example of this type of exploit," CERT/CC artifact analysis team leader Kevin Houle told The Register.

Houle believes that the example here, while relatively harmless in itself, is alarming.

"We've seen an increase in reconnaissance (scanning) related to port 10008," he observes -- an increase which strongly implies activity by the cheese worm.

That, in turn, implies that there is quite a large number of machines already compromised, whose owners remain blithely ignorant of the fact. Call it proof-of-concept that the Net is teeming with already-rooted boxes.

He also emphasizes that it would be child's play to modify cheese for extremely destructive activity. Developing destructive exploits for existing compromises is not a trend Houle would like to see carried forward -- and we'll just second that ourselves. ®
