From Sun-Nets-request@brillig.umd.edu  Fri Nov  4 18:18:29 1988  
Received: by brillig.umd.edu (5.58/4.7)
	id AA06820; Fri, 4 Nov 88 18:18:29 EST
Date: Fri, 4 Nov 88 18:15:19 EST
From: Steve D. Miller <steve@mimsy.umd.edu>
Message-Id: <8811042315.AA26025@mimsy.umd.edu>
To: dcslug@mimsy.umd.edu, sun-nets@brillig.umd.edu
Subject: A virus recap.. let's try again!
Cc: sundc!joel@sun.com
Sender: Sun-Nets-request@brillig.umd.edu

   I wanted to take some time to pass along to all of you some more
information about the recent Internet viral infection.  The virus' basic
mode of operation has largely been figured out, courtesy of a number of
people around the Internet.  (I'm being vague here because I'm in a hurry.
I have a lot more mail sitting around on this topic, but I haven't had the
time yet to sort through it and come up with something coherent.  I'm trying
to pass along important factoids now, and will try to provide more details
later.)  There are two basic methods of infection:

        1) The virus uses the sendmail pseudo-SMTP command "debug", in
        conjunction with some other things, to start up a shell on the
        victim machine.  This works on VAXen and Suns.

        2) The virus exploits a bug in the finger daemon to lay down a new
        stack frame and then jump to it.  This new frame starts a shell.
        This works only on VAXen, though it seems possible to me that
        someone could someday write a version that might work on Suns.

   Once the virus gets a shell, it sucks over a number of files from the
machine infecting this victim.  These executables do the following:

        1) Use the output of netstat -n -r, along with /etc/hosts (or the
        hosts YP map) and various .rhosts-type files to pick its next
        targets.

        2) Use either a built-in dictionary or /usr/dict/words to try to
        crack passwords by brute force.  Once accounts are cracked, their
        .rhosts files are used in an attempt to "guess" where other
        potential victims reside.  (After all, if foo@bar.com is in your
        .rhosts, you're probably in foo@bar.com's .rhosts, too...)  It then
        rshes across and starts cracking and spreading once again.

   There are a few different things you can do to protect yourself.  First,
I suggest turning off fingerd, just to be safe.  Moving the binary from
/etc/fingerd (or /usr/etc/fingerd, or /usr/etc/in.fingerd, depending on what
system you're using) to someplace else will certainly do the trick.  There
is a source fix for this, but no binary fix at present.  The latest
4.3BSD-tahoe sources for fingerd were just posted to comp.bugs.4bsd.ucb-fixes
last night.  A more recent version of the new fingerd posting is reproduced below.

   In terms of fixing the sendmail problem, there are a number of
approaches.  First, you can use strings -o to find out where the string
"debug" (all lower case) resides in your sendmail binary.  You can then adb
that string to say "showq".  Alternatively, you can run emacs on the
sendmail binary, search for debug, and make the change by hand.  Here's more
information on the source and binary patches; if you don't have a "debug"
string in your sendmail, you're *probably* OK...

	-Steve

Spoken: Steve Miller    Domain: steve@mimsy.umd.edu    UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808  USPS: UMIACS, Univ. of Maryland, College Park, MD 20742

-----  Here's the sendmail binary patch information.  To fix the sources,
just put an #ifdef notdef ... #endif around the "debug" command string in
srvrsmtp.c.  Ignore the finger stuff in this posting.  
-----
Date: Thu, 3 Nov 88 19:19:23 PST
From: bostic%okeeffe.Berkeley.EDU@ucbvax.Berkeley.EDU (Keith Bostic)
To: tcp-ip@sri-nic.arpa
Subject: Virus posting #3


Subject: Virus posting #3
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD

Description:
	The recently reported worm appears to also be using the
	fingerd(8) daemon to enter systems.  Here's a fix.

	The previous patch for sendmail(8) on binary systems only
	prevented the current attacker.  The attached patch fixes
	the problem.
Fix:
	Re-patch sendmail.  Recompile and reinstall the attached
	source for fingerd(8).

	Here's a script to repatch sendmail.  Note, this only applies
	to binary systems; if you have source, you should have recompiled
	and reinstalled it already.  You should start with the original
	sendmail binary, NOT the binary that you've already patched.
	AND, REMEMBER, ALWAYS SAVE AN EXTRA COPY IN CASE YOU MAKE A
	MISTAKE!!  Finally, if you don't find the string ``debug'' in
	your sendmail binary, you don't have a problem; ignore this patch.
	This patch essentially makes it impossible to set the debug flag.

	Note, your offsets as printed by adb may vary!  Comments are
	preceded by a hash mark; don't type them in, nor expect adb
	to print them out.  Also, we're again using strings(1) to find
	the decimal offset in the file of certain strings.  To find
	out if your strings(1) command prints offsets in decimal,
	put 8 control (non-printable) characters in a file, followed
	by four printable characters, and then use strings(1) to find
	the offset of your four printable characters.  If the offset
	is ``8'', it's using decimal; if it's ``10'' it's using octal.
	
		Script started on Thu Nov  3 18:45:34 1988
# find the decimal offset of the strings ``debug'' and ``showq'' in the
# sendmail binary.
		okeeffe:tmp {2} strings -o -a sendmail | egrep 'debug|showq'
		0097040 showq
		0097046 debug
		okeeffe:tmp {3} adb -w sendmail
# set the map, then set the default radix to base 10
		?m 0 0xffffffff 0
		0t10$d
		radix=10 base ten
# check to make sure that strings(1) was right, and then find out what
# the byte pattern for ``showq'' is for your machine.  Note that adb
# prints out that byte pattern in HEX!
		97040?s
		97040:		showq
		97040?Xx
		97040:		73686f77	7100
# check on the string ``debug'', then, overwrite the first four bytes,
# move up 4 bytes, and then overwrite the last two bytes with the byte
# pattern seen above for ``showq''.
		97046?s
		97046:		debug
		97046?W 0x73686f77
		97046:		1684365941	=	1936224119
		.+4
		.?w 0x7100
		97050:		26368	=	28928
# check to make sure we wrote out the correct string.
		97046?s
		97046:		showq
		okeeffe:tmp {4} strings -o -a sendmail | egrep 'debug|showq'
		0097040 showq
		0097046 showq
		okeeffe:tmp {5}
		script done on Thu Nov  3 18:47:42 1988


(Editor's note:  the corrupted version of fingerd has been removed from
this message, as it won't do you any good, anyway.  SDM)
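
The following is an added example and not part of the original message or
Keith Bostic's posting.  It reproduces in Python what the strings(1)/adb(1)
session above does by hand: list the printable strings of a binary with their
decimal offsets, locate the NUL-terminated command names ``debug`` and
``showq``, save a backup, and overwrite ``debug`` with ``showq`` (the same
length, so nothing else in the file shifts), then list the strings again so
the result can be checked.  The binary it operates on is a constructed
stand-in, not a real sendmail, and the function names (``find_strings``,
``command_offsets``, ``patch_debug``, ``demo``) are this example's own.

```python
"""Locate and neutralise the sendmail ``debug`` command string in a binary.

Added example, not the script from the posting (which uses strings -o and
adb interactively).  Offsets reported here are always decimal, which is the
question the posting's "8 vs 10" test answers for strings(1).
"""
import re
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a sendmail binary: non-printable filler around
# NUL-terminated command names, as in an SMTP command table.  The offsets
# are simply whatever this layout produces (helo=20, showq=28, debug=37).
FAKE_SENDMAIL = (
    b"\x7f\x45\x4c\x46" + b"\x00\x01\x02\x03" * 4
    + b"helo\x00" + b"\x90" * 3
    + b"showq\x00" + b"\x90" * 3
    + b"debug\x00" + b"\x90" * 3
    + b"quit\x00" + b"\xff" * 4
)

MIN_LEN = 4  # strings(1) default minimum run length


def find_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (decimal_offset, text) for every run of printable ASCII of at
    least ``min_len`` bytes, like ``strings -o -a`` but unambiguously decimal."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def command_offsets(data: bytes, names=(b"debug", b"showq")):
    """Offsets of exact NUL-terminated command names, so that ``debug``
    embedded in a longer word is not mistaken for the command-table entry."""
    found = {}
    for name in names:
        idx = data.find(name + b"\x00")
        if idx != -1:
            found[name.decode()] = idx
    return found


def patch_debug(path: Path) -> dict:
    """Overwrite every NUL-terminated ``debug`` in ``path`` with ``showq``,
    after copying the file to ``<name>.orig``.  Returns the offsets patched
    and the strings listing afterwards, for verification."""
    data = bytearray(path.read_bytes())
    offs = command_offsets(bytes(data))
    if "debug" not in offs:
        # No debug command string: the posting says you don't have a problem.
        return {"patched": [], "after": find_strings(bytes(data))}
    if "showq" not in offs:
        raise RuntimeError("no showq command string present; refusing to guess a replacement")
    shutil.copyfile(path, path.with_name(path.name + ".orig"))  # always keep a backup
    patched, start = [], 0
    while True:
        idx = data.find(b"debug\x00", start)
        if idx == -1:
            break
        data[idx:idx + 5] = b"showq"  # same 5-byte length; the existing NUL stays
        patched.append(idx)
        start = idx + 6
    path.write_bytes(bytes(data))
    return {"patched": patched, "after": find_strings(bytes(data))}


def demo(workdir=None) -> dict:
    """Write the constructed binary to a scratch directory, patch it, and
    return the before/after listings plus whether the backup is intact."""
    workdir = Path(workdir) if workdir else Path(tempfile.mkdtemp())
    target = workdir / "sendmail"
    target.write_bytes(FAKE_SENDMAIL)
    before = find_strings(FAKE_SENDMAIL)
    result = patch_debug(target)
    backup_ok = target.with_name("sendmail.orig").read_bytes() == FAKE_SENDMAIL
    return {"before": before, "backup_ok": backup_ok, **result}


if __name__ == "__main__":
    r = demo()
    print("before:", r["before"])
    print("patched offsets:", r["patched"], "backup ok:", r["backup_ok"])
    print("after: ", r["after"])
```

Running ``patch_debug`` a second time on the same file reports nothing
patched, which matches the posting's advice to ignore the patch when no
``debug`` string is present; the ``showq`` check refuses to proceed if the
replacement command is not already in the binary.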
