Feeds

‘Friendly’ Cheese worm reveals many compromised boxes

And it's a tiny step from being highly destructive, too

  • alert
  • submit to reddit

Internet Security Threat Report 2014

The so-called 'cheese worm' has attracted a great deal of attention in the past 24 hours for its benign payload, which seeks to mend Linux boxes infected with at least one version of the li0n worm (which exploits a BIND vulnerability). However, it also demonstrates that there's a large number of already-compromised machines connected to the Net; and furthermore, a tiny modification to its code could render it immensely destructive.

The worm scans for machines with a secure root shell listening on TCP port 10008, as set up by a variant of the li0n worm. If the shell exists, cheese will install in the directory /tmp/.cheese and execute a script thus:

/tmp/.cheese/go:
#!/bin/sh
nohup ./cheese $1 1>/dev/null 2>&1 &

Cheese reads the file inetd.conf and rewrites it, deleting any line that contains the string /bin/sh. It then restarts inetd, with all /bin/sh processes killed indiscriminately.

"Until the 'cheese' process is somehow killed, it repeats a cycle of scanning semi-random /16 (e.g., class B) network blocks for hosts listening on TCP port 10008 using the 'psm' program," a detailed incident report by the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University explains.

The first octet of the address may be from 193 to 218; and the second may be from 1 to 254, Cert/CC says.

What's most interesting here is that cheese may be the first worm which automates the exploitation not of an existing vulnerability, as most do, but of an existing compromise.

"This is perhaps the first successful example of this type of exploit," CERT/CC artifact analysis team leader Kevin Houle told The Register.

Houle believes that the example here, while relatively harmless in itself, is alarming.

"We've seen an increase in reconnaissance (scanning) related to port 10008," he observes -- an increase which strongly implies activity by the cheese worm.

That, in turn, implies that there is quite a large number of machines already compromised, whose owners remain blithely ignorant of the fact. Call it proof-of-concept that the Net is teeming with already-rooted boxes.

He also emphasizes that it would be child's play to modify cheese for extremely destructive activity. Developing destructive exploits for existing compromises is not a trend Houle would like to see carried forward -- and we'll just second that ourselves. ®

Security for virtualized datacentres

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Big Content outs piracy hotbeds: São Paulo, Beijing ... TORONTO?
MPAA calls Canadians a bunch of bootlegging movie thieves
Google Glassholes are UNDATEABLE – HP exec
You need an emotional connection, says touchy-feely MD... We can do that
Lawyers mobilise angry mob against Apple over alleged 2011 Macbook Pro crapness
We suffered 'random bouts of graphical distortion' - fanbois
Just don't blame Bono! Apple iTunes music sales PLUMMET
Cupertino revenue hit by cheapo downloads, says report
US court SHUTS DOWN 'scammers posing as Microsoft, Facebook support staff'
Netizens allegedly duped into paying for bogus tech advice
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.