Net-Worm.Linux.Cheese (Kaspersky Lab)
is also known as:
Worm.Linux.Cheese (Kaspersky Lab),
Linux/Cheese.worm (McAfee), Linux.Cheese.Worm (Symantec), Linux/Cheese (Sophos), Worm:Linux/Cheese* (RAV), PERL_CHEESE.A (Trend Micro), Linux/Cheese.CHEESE (H+BEDV), Unix/Cheese (FRISK), UNIX:Malware (ALWIL), Worm.Linux.Cheese (SOFTWIN), Worm Generic (Panda), Linux/Cheese.A (Eset)
Text written by Costin Raiu, Kaspersky Lab, Romania
This is an Internet worm that replicates between systems that were previously
hacked by the "Ramen"
Linux worm, and not the "Lion" or "Adore" worms as it is stated in other various
descriptions, or the worm itself.
(see the text below) "Cheese" will also act as a "security patch" that removes
the backdoors added by previous attacks, but it will not remove or patch the
vulnerabilities used to hack the respective systems; thus, the machines will
still remain vulnerable to the original attack(s) used to compromise them. The
worm contains the following text:
> # removes rootshells running from /etc/inetd.conf
> # after a l10n infection... (to stop pesky haqz0rs
> # messing up your box even worse than it is already)
> # This code was not written with malicious intent.
> # Infact, it was written to try and do some good.
No matter how good the original intention of the author was, "Cheese" remains
a piece of replicative "malware" that eats up resources such as CPU, memory,
disk space or Internet bandwidth from infected systems; thus,
remaining a "bad thing".
Technical details
The worm consists of three program files named "cheese", "go" and "psm". "go"
is the worm's "entrypoint", that basically executes the main worm body, "cheese",
in such a way that makes it immune to signals, which might attempt to halt it.
"cheese", a 2Kylobytes-long Perl script, is the main part of the
worm, the one responsible for the replication.
When run, it will first scan "/etc/inetd.conf" for services attempting to
execute "/bin/sh", mostly
root-shell backdoors, and remove them. Obviously, if a root shell has been added
to the newer-style "/etc/xinetd.conf", the worm will not
notice it, and leave it untouched.
Next, it will generate a random 16-bit
IP base, such as "a" and "b" in the "a.b.x.y", then it will use an external
Linux ELF program to scan the respective Internet IP class for hosts listening
on port 10008. Usually, these are hosts that have been previously
hacked by the "Ramen"
worm, hosts that run an open root shell on the
respective port.
So, when such a host is found, the worm will execute a
small installation script on the remote host that will create a directory named
"/tmp/.cheese", and it will launch an instance of the popular Lynx browser to
download a copy of the worm from the infected system. The worm itself will listen
for the connection attempt on the source system, and
forward an UUE-encoded copy of itself to the remote caller. The installation
script running on the target system will decode the worm body, unpack it in
the "/tmp/.cheese" directory, and eventually execute the "go" script to
launch the worm, which propagates the infection further.
