Adore is a worm that spreads between Linux systems using four different,
known vulnerabilities already used by the Ramen and Lion worms. These
vulnerabilities concern the BIND named, wu-ftpd, rpc.statd and lpd
services.
When Adore is running, it scans for vulnerable hosts in random Class B
subnets. If a vulnerable host is found, it attempts to download the
main worm part from a web server located in China, in a similar way to
the Lion worm.
After the worm has been downloaded to the victim machine, it is stored
in the "/usr/local/bin/lib/" directory and "start.sh" is executed,
launching the worm.
At the start, "start.sh" replaces "/bin/ps" with a trojanized version
that does not show the processes belonging to the worm. The original
"/bin/ps" command is copied to "/usr/bin/anacron".
The script also replaces "/sbin/klogd" with a version that contains a
backdoor. The backdoor activates when it receives a ping (ICMP echo)
packet of the correct size, and then opens a shell on port 65535. The
original "klogd" is saved to "/usr/lib/klogd.o".
The worm sends sensitive system data, including the contents of the
"/etc/shadow" file, to four different email addresses.
Adore also creates a script file "/etc/cron.daily/0anacron", which the
cron daemon executes on its next daily run. At that time the worm
removes itself from the system and restores the original "/bin/ps". All
worm-related processes except the backdoor are shut down, and the
system is restarted if "/sbin/shutdown" exists. The backdoor starts
again after the reboot, since "/sbin/klogd" still contains it; the
worm's self-removal therefore does not leave the system clean.
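The file paths, backup copies, cron job and backdoor port listed above are enough for a host-based check. The script below is an added example written for this description; it is not code from the worm, from the original text or from any vendor. It assumes a POSIX shell with cmp, ps and ss available, and takes an optional root directory so the filesystem checks can be run against a mounted disk image or a constructed test tree rather than the live system (the listener and process-hiding checks only run against the live root).

```shell
#!/bin/sh
# Added example: check a host for the Adore worm artifacts described above.
# Usage: sh adore_check.sh --run [ROOT]   (ROOT defaults to the live system "/")
# Prints one SUSPECT line per indicator, then a summary line, and returns the
# number of indicators found as the exit status (0 = nothing found).

adore_check() {
    root="${1:-/}"
    root="${root%/}"      # strip the trailing slash so "$root/path" joins cleanly
    hits=0

    # 1. Worm drop directory and the launcher script it executes.
    for f in /usr/local/bin/lib /usr/local/bin/lib/start.sh; do
        if [ -e "$root$f" ]; then
            echo "SUSPECT: $f exists (Adore drop location)"
            hits=$((hits + 1))
        fi
    done

    # 2. Backups the worm makes of the binaries it replaces:
    #    /usr/bin/anacron is the saved original ps, /usr/lib/klogd.o the saved klogd.
    for f in /usr/bin/anacron /usr/lib/klogd.o; do
        if [ -e "$root$f" ]; then
            echo "SUSPECT: $f exists (backup of a replaced binary)"
            hits=$((hits + 1))
        fi
    done

    # 3. The self-removal cron job the worm installs.
    if [ -e "$root/etc/cron.daily/0anacron" ]; then
        echo "SUSPECT: /etc/cron.daily/0anacron exists (cleanup cron script)"
        hits=$((hits + 1))
    fi

    # 4. If the saved copy of ps is present and the installed /bin/ps differs
    #    from it, the installed one is the trojanized version.
    if [ -f "$root/usr/bin/anacron" ] && [ -f "$root/bin/ps" ]; then
        if ! cmp -s "$root/bin/ps" "$root/usr/bin/anacron"; then
            echo "SUSPECT: /bin/ps differs from /usr/bin/anacron (trojanized ps)"
            hits=$((hits + 1))
        fi
    fi

    # Live-system checks: only meaningful when ROOT is the running system.
    if [ -z "$root" ]; then
        # 5. The klogd backdoor opens a shell on TCP port 65535.
        if command -v ss >/dev/null 2>&1 &&
           ss -ltn 2>/dev/null | grep -q ':65535[[:space:]]'; then
            echo "SUSPECT: TCP port 65535 is listening (klogd backdoor shell)"
            hits=$((hits + 1))
        fi
        # 6. A trojanized ps hides the worm's processes; compare /proc against
        #    what ps reports. A process exiting mid-scan can cause a transient
        #    hit, so re-run before acting on this one.
        if [ -d /proc ]; then
            for d in /proc/[0-9]*; do
                pid="${d#/proc/}"
                if [ -d "$d" ] && ! ps -p "$pid" >/dev/null 2>&1; then
                    echo "SUSPECT: pid $pid in /proc but not shown by ps (process hiding)"
                    hits=$((hits + 1))
                fi
            done
        fi
    fi

    echo "adore_check: $hits indicator(s) found"
    return "$hits"
}

if [ "${1:-}" = "--run" ]; then
    adore_check "${2:-/}"
fi
```

Every hit needs manual confirmation: /usr/bin/anacron may be a legitimate anacron binary on some distributions, in which case check 4 also fires, and check 6 trusts the installed ps to report honestly, so for a host already suspected of compromise run it with a known-good ps from rescue media. On a confirmed hit, restoring /bin/ps alone is not enough; /sbin/klogd must be replaced from a clean package as well, since that is where the backdoor survives the worm's own cleanup.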
All four vulnerabilities have already been fixed by the various Linux
vendors. Further information is available at: