The Cheese worm: A welcome helper?
System administrators worldwide reported signs Wednesday that another self-spreading program--or worm--had started to infect Linux systems.
This worm appears to be different, however: Dubbed the Cheese worm, the program is basically a self-spreading patch. It enters servers that have already have been compromised by a previous bit of malicious code--the 3-month-old 1i0n worm--and closes the back door behind it, adding security to the system.
"In some cases, yes, it will remove the back door," said Kevin Houle, leader of the artifact analysis team at the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University. "Yet many Linux systems use different (Internet) files. The worm's commands will fail on those types of systems."
However, for many computers compromised by the 1i0n worm, the Cheese worm will fix the problem and then use the server to scan for other vulnerable computers connected to the Internet.
That doesn't mean that such a "patch worm" is good, Houle said. "The idea of a patch worm is a nice thought, but it is not a solution," he said. "Essentially, it's doing the same thing that any intruder does, which is to modify a system in an unauthorized way and use it to attack other sites."
Although Houle did not know how widely the worm has spread, he believed it's moving quickly.
Over the last few months, Linux worms have spread across the Internet, infecting systems with unpatched security holes.
In January, the Ramen worm compromised servers and defaced Web pages. In March, the 1i0n worm squirmed onto the Internet from China, and reported information necessary to locate hacked machines to an e-mail address in China.
Later two more worms, known as the Adore worm and the Sadmind/IIS worm, caused similar problems.
Such worms work by exploiting vulnerabilities in applications that run on Linux--and in the case of the Sadmind/IIS worm, Solaris and Windows NT servers--such as file-transfer applications, Internet printing programs and remote administration tools.
Linux systems can have a large number of such applications that wait for data coming from the Internet. Such programs--also known as services--listen to data addressed to particular addresses or "ports" on the server, many of which have been standardized by the Internet community. Web servers wait for data on port 80 and 8080, for example.
A back door installed by the 1i0n worm waits for data on port 10008. The Cheese worm takes advantage of the back door and infects the system. After closing the door behind it, it scans for other systems with port 10008 "open."
The Cheese worm's search for vulnerable machines has attracted the attention of several security administrators. In postings to the Incidents mailing list run by SecurityFocus.com, several people reported encounters with the worm or the results of its widespread scanning.
"My (firewall logs) went insane last night with gazillions of connection attempts to port 10008," said one person posting to the list.
In a file that the Cheese worm leaves on infected servers and which was subsequently posted to the Incidents list, the author wrote:
# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.
But Roger Thompson, technical director of malicious code research for security services firm TruSecure, stressed such programs are generally a bad idea.
"I would rather not have anything that comes in uninvited and messes with my computers," he said.