No subject


Thu Nov 23 16:36:19 EST 2017


Description

Adore is a worm that we originally called the Red Worm. It is similar to the
Ramen and Lion worms. Adore scans the Internet for Linux hosts that are
vulnerable to any of the following well-known exploits: LPRng, rpc-statd,
wu-ftpd and BIND. LPRng is installed by default on Red Hat 7.0 systems. From
the reports so far, Adore appears to have started its spread on April 1.

The Adore worm replaces only one system binary, ps, with a trojaned version and
moves the original to /usr/bin/adore. It installs its files in /usr/lib/lib.
It then sends an email to the following addresses: adore9000 at ...1737...,
adore9000 at ...135..., adore9001 at ...1737..., adore9001 at ...135... Attempts have
been made to get these addresses taken offline, but no response so far from
the provider. It attempts to send the following information:

      /etc/ftpusers 
      ifconfig 
      ps -aux (using the original binary in /usr/bin/adore) 
      /root/.bash_history 
      /etc/hosts 
      /etc/shadow 

Adore then runs a package called icmp. With the options provided in the
tarball, it by default sets the port to listen on and the packet length to
watch for. When it sees a packet matching that length, it opens a root shell
to allow connections. It also sets up a cron job in cron.daily (which runs at
04:02 am local time) that removes all traces of its existence and then reboots
your system. However, it does not remove the backdoor.
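The host indicators named above (the relocated original ps at /usr/bin/adore, the /usr/lib/lib install directory, and the cleanup job dropped into cron.daily) can be checked with a small script. The following is an added example and not part of the original post or the worm's own code; it assumes a POSIX shell, that the root directory can be pointed at a mounted image or test tree, and, for the live-host check only, that ps comes from the procps RPM on a Red Hat system (an assumption about the packaging, not something the post states).

```shell
#!/bin/sh
# Added example: scan a Linux filesystem tree for the Adore worm indicators
# described in the post. The first argument is the root of the tree to
# inspect (empty for the live host); the function returns 0 when no
# indicator is found and 1 when at least one is found, printing each hit.
adore_check() {
    root="${1:-}"
    found=0

    # 1. The worm moves the original ps binary to /usr/bin/adore.
    if [ -e "$root/usr/bin/adore" ]; then
        echo "INDICATOR: $root/usr/bin/adore exists (relocated original ps)"
        found=1
    fi

    # 2. The worm installs its files under /usr/lib/lib.
    if [ -e "$root/usr/lib/lib" ]; then
        echo "INDICATOR: $root/usr/lib/lib exists (worm install directory)"
        found=1
    fi

    # 3. The cleanup/reboot job lives in cron.daily; flag any script there
    #    that references the worm's paths.
    for f in "$root"/etc/cron.daily/*; do
        [ -f "$f" ] || continue
        if grep -qiE '(/usr/lib/lib|/usr/bin/adore)' "$f" 2>/dev/null; then
            echo "INDICATOR: cron.daily script $f references worm paths"
            found=1
        fi
    done

    # 4. Live host only: verify the ps binary against the package database.
    #    Assumption: ps belongs to the procps RPM (as on Red Hat 7.0).
    #    rpm -V exits non-zero when an installed file no longer matches.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        if ! rpm -V procps >/dev/null 2>&1; then
            echo "INDICATOR: rpm -V procps reports modified files (ps may be trojaned)"
            found=1
        fi
    fi

    return $found
}
```

Run it as `adore_check` on the host itself, or `adore_check /mnt/image` against a mounted disk image; the filesystem checks also work on an image taken from a system that has already rebooted, since the backdoor files are what the post says the cleanup job leaves behind.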
