|Place of Origin||Germany?|
|Infection Length||7,427 Bytes|
Adm is the first Linux worm. It is likely from Germany and was created by a group whose only other claim to fame is hacking a Defcon page. It is known to have infected systems in the US, though beyond this, it is uncertain how far it got. It was a precursor to the few Linux worms such as Ramen and Lion.
A system targeted by Adm will receive a specially crafted packet on tcp port 53. The packet exploits a buffer overflow in the BIND DNS server and allows the code to run with root privileges.
Adm creates the user account w0rm with no password and a suid shell with root privileges in the /tmp directory named .w0rm on the target machine. It deletes the hosts.deny file in /etc to prevent it from blocking requests from any IP address. The exploit then downloads the file named ADMw0rm.tgz, containing the main body of the worm.
When a system is infected, the worm sends an email to the address moc.liamtoh|bmsmda#moc.liamtoh|bmsmda, notifying the person with access to this email address that the system has been successfully infected. It removes the index.html page (the starting page of a website) and replaces it with an index.html page containing the sentence "The ADM Inet w0rm is here ! ".
To look for new systems to infect, Adm starts with a random IP address works its way from there, scanning all addresses up to 126.96.36.199. For each address, it checks id port 53 is active and if it supports IQUERY. If so, it sends its exploit code to the target computer at that IP address.
The worm was wild at at least one location in March of 1999. It infected a Red Hat Linux box in America. The administrator was alerted to the problem when an administrator in Russia reported the American's systems portscanning one of the Russian's subnets.
The Adm worm was created by the short-lived Adm Crew, which produced a number of hacks and exploits in the late 1990's and early 2000's. The Adm Crew may be just as famous for the worm as their cracking of the DefCon (a convention of hackers) page in 1999, inserting a joke about airline prices and the US president attending the convention. A party the group held in Berlin in early August suggests the group is from Germany.
Max Vision. Whitehats Network Security Reference, A Brief Analysis of the ADM Internet Worm.
Kaspersky Lab. Securelist, Net-Worm.Linux.Adm. 2001.03.31
Tim Clark. CNet News, Hackers attack their own kind. 1999.07.09
Ben Cantrick. ADM Worm. Worm for Linux x86 found in wild. 1999.03.25