Sadmind
Sadmind
Type Internet worm
Creator
Date Discovered 2001.05.08
Place of Origin China
Source Language Perl, Shell Script
Platform Solaris, Microsoft IIS*
File Type(s) .tar, .sh, .pl, ELF
Infection Length 351,234 bytes
Reported Costs

Sadmind is an internet worm that infects Solaris servers and is also able to modify pages on Microsoft IIS servers running on Windows 2000 and NT. It exploited flaws that had been patched by both Microsoft and Sun Microsystems for over a year, highlighting the importance of always getting system updates as soon as they come out. It appeared shortly before the CodeRed worm and may be related.

Behavior

Sadmind finds new systems to infect by generating IP addresses. It tests each address to see if there is a portmap service listening on port 111. When it finds a system meeting these conditions, it checks whether the system is running the sadmind remote administration service (from which the worm gets its name).

It can gain the privileges of this program (almost always root) by exploiting a buffer overflow vulnerability. It overwrites the stack pointer of a sadmind process, and acquiring its priviliges. When the worm compromises a new host, it sends a copy of itself as "uni.tar" (.tar is a common UNIX archive format, like .zip).

It creates a directory in /dev called /cuc and extracts its 16 files there. It may have a 17th file, a Unix crash core file. 6 of the files are Sparc ELF executables, which include:

  • brute (created by a hacker called "elux", a brute-force wrapper for the exploit)
  • sadmindex-sparc - created by "Cheese Whiz", the exploit
  • grabbb - created by "scud" of the group "teso", searches for Solaris and IIS servers

The next three ELFs are common Unix tools:

  • gzip - a compression/archive utility, used to create "uni.tar"
  • nc - the netcat utility, for reading from and writing to network connections
  • wget - a tool for downloading files from remote ftp and http servers

Four are shell scripts:

  • sadmin.sh - identifies and exploits systems vulnerable to the sadmind exploit
  • start.sh - starts the worm's main files
  • time.sh - handles terminating sessions created by the worm in its attacks on IIS servers, as well as delivering the payload on the Solaris system
  • uniattack.sh - identifies systems offering webservice on port 80. It executes grabbb and ranip.pl

Two are Perl scripts:

  • ranip.pl - generates the random number tob be used for the IP addresses
  • uniattack.pl - uses 14 different URL strings to crack the IIS server

The rest are text and one html:

  • cmd1.txt - both files beginning with cmd contain commands to b e executed on the next computer to be infected.
  • cmd2.txt
  • pkgadd.txt
  • index.html - the web page that sites are defaced with

It starts 5 instances of sadmin.sh and uniattack.sh, and one instance of time.sh. The worm installs a root shell on port 600 of the remote machine. It creates a file named .rhosts in the root user's directory containing "+ +", nullifying the authentication via rlogin/rsh/etc. The worm modifies the file S71rpc in /etc/rc2.d so the worm starts when the system starts up.

Sadmind.png
Sample Sadmind-defaced page

Sadmind then creates another directory in /dev called /cub, in which it stores its own logs and interprocess communication files. As many of Sadmind's functions are written in Perl, it downloads and installs Perl version 5.005 from the Chinese FTP site "bak-px.online.sh.cn".

It searches for IIS servers on the internet. The worm attempts to exploit a vulnerability in Microsoft IIS servers that allows crackers or programs to pass unicode characters to the server in order to make it execute programs that are restricted to unpriviliged users. With the help of this exploit, it is able to overwrite all pages on the server named "index.html" with its own page. After it has infected 2,000 IIS servers, it kills the uniattack.sh process and replaces the "index.html" page on the Solaris server with the same copy.
Sadmind begins searching for new systems to infect. It generates radom IP addresses and checks if they are running a portmap service. The first two numbers of the IP address are those of the system it is currently on. It generates all other combinations for the last two.

Effects

The Sadmind worm infiltrated British TV news network ITN, as well as about 8,800 other internet servers (as found on a worm on one system alone). Half of the sites that could even be reached after being attacked by the worm were defaced. the greater share of these websites were personal sites.

Variants

Sadmind has two very minor known variants. The only difference between the Sadmind.C variant and the original is that the page used to overwrite index.html on Solaris systems is different from the one for MS IIS servers. The page for the MS IIS servers stays the same.

Other Facts

Sadmind may have been a weapon in a crack war between the PoizonBOx. PoizonBOx is a group of American hackers that attack and deface Chinese Web sites. The message displayed on defaced websites is similar to one that Chinese crackers used in defacing American websites. Defaced websites (by the crackers, not the worm) include the National Institutes of Health, the U.S. Navy, the California Department of Energy, and the U.S. Department of Labor, as well as many corporate Web sites.

There was some speculation that the Chinese government may have been behind it, as cracking carries a death sentence in China. Aside from the hacker war, other suggested reasons for the worms existence include the Hainan spy plane incident, the NATO bombing of the Chinese embassy in Belgrade.

Sources

Costin Raiu, Kaspersky Labs Romania. Viruslist.com, "Worm.SunOS.Sadmind". 2001.05.22

-. Kaspersky Labs, One Sad Mind.

Brian R. Schachte. SANS Institute, Malware FAQ: Sadmind/IIS Worm

Sami Rautiainen. F-Secure Antivirus, Sadmind. 2001.05

CERT, CERT® Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind 1999.12.14-2000.03.02

CERT, Vulnerability Note VU#111677. 2000.10.10-2001.09.18

Thomas C Greene. The Register, "Worm puts old IIS attack in full-auto mode". 2001.05.08

Robert Lemos. CNet News, "Worm crawls through thousands of servers". 2001.05.10

Brian Martin. Attrition.org, Defaced Commentary - 8000 Machines hit by sadmind/IIS worm.

Robert Lemos. CNet News, Defacements rise in China hacker war. 2001.04.30

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License