Scan of the Month Answers

  1. The .unlock file is a gzip-compressed tar archive. According to the gzip timestamp, it was created on September 20 2002 at 03:59:04. It contains two C language source code files.
  2. According to the comments in the source code, the worm was originally created by contem@efnet, and later modified by aion@ukr.net. The VERSION macro defined in the file .unlock.c has the value 20092002, which is apparently another reference to the date of creation of the worm, September 20 2002. The timestamp on the source code file is September 20 2002 06:28:11, which is after the time of creation of the compressed archive. This does not make sense; one or both timestamps must be in error.
  3. The worm sets its process name to "httpd" when it is running, in an attempt to keep the administrator of the infected system from becoming suspicious.
  4. When the worm succeeds in exploiting a vulnerable machine, it sends the .unlock file to the target encoded using the same method as uuencode. The following files are created in /tmp during the infection: Once the infection is complete and the newly created httpd and update daemons have been started, all files are deleted except for .unlock, which is kept so it can be copied to newly infected machines. The nature of that file is obscured by overwriting its first few bytes with nulls.
  5. The worm scans port 80 (http) looking for web servers.
  6. When a server is found, the worm attempts to connect to it on port 443 (https) and exploit a bug in the handling of the client key value in version 2 of the SSL protocol (BugTraq ID 5363). The exploit is designed to work against the Apache web server on Intel x86-based servers running Debian, Gentoo, Mandrake, Red Hat, Slackware, or SuSE Linux. The BugTraq database notes that a worm has been discovered in the wild which uses this vulnerability to propagate and includes peer-to-peer and distributed denial-of-service capabilities; perhaps this is that worm.
  7. After infecting a host, the worm sends e-mail to aion@ukr.net containing the following information:
  8. The worm communicates with other infected machines on UDP port 4156.
  9. A number of denial-of-service attacks are built into the worm. It can:
  10. The .update.c program is a back door that gives root access to the infected machine. It listens on TCP port 1052. The back door is protected by a simple password which is hardcoded into the program.
  11. In order to avoid showing up in netstat listings of open ports, the back door is not kept open at all times. It listens for new connections for UPTIME seconds, then closes the port and sleeps for SLEEPTIME seconds. Then it reopens the port and repeats the process.
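As an added forensic example (not part of the original answers): a Python check that reads the MTIME field straight from the gzip header, compares it with the mtimes of the tar members inside, and reports a missing gzip magic as an obscured header of the kind answer 4 describes. The archive it inspects is constructed here with the timestamps reported in answers 1 and 2; UTC is assumed because the page gives no time zone.

```python
import calendar
import gzip
import io
import struct
import tarfile


def gzip_header_mtime(data):
    """MTIME from the gzip header (bytes 4..7, LE epoch secs); None if the magic is gone."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":  # RFC 1952 ID1/ID2; nulled in answer 4
        return None
    return struct.unpack("<I", data[4:8])[0]


def tar_member_mtimes(data):
    """Decompress the gzip'd tar and map each regular-file member to its mtime."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(data)), mode="r:") as tf:
        return {m.name: m.mtime for m in tf.getmembers() if m.isfile()}


def check_archive(data):
    """Report the archive stamp and the members whose mtime postdates it (the
    inconsistency raised in answer 2); magic_intact=False means a wiped header."""
    created = gzip_header_mtime(data)
    if created is None:
        return {"magic_intact": False, "gzip_mtime": None, "members": {}, "later": []}
    members = tar_member_mtimes(data)
    later = sorted(n for n, t in members.items() if t > created)
    return {"magic_intact": True, "gzip_mtime": created, "members": members, "later": later}


def build_sample(archive_ts=None, member_ts=None):
    """Constructed stand-in for .unlock (not the real file): two C files in a gzip'd
    tar carrying the timestamps the answers report; UTC assumed, page gives no zone."""
    archive_ts = archive_ts or calendar.timegm((2002, 9, 20, 3, 59, 4))
    member_ts = member_ts or calendar.timegm((2002, 9, 20, 6, 28, 11))
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name in (".unlock.c", ".update.c"):
            body = b"/* constructed placeholder, not worm source */\n"
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(body), member_ts
            tf.addfile(info, io.BytesIO(body))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=archive_ts) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


if __name__ == "__main__":
    print(check_archive(build_sample()))                    # intact header, members newer
    print(check_archive(b"\0\0\0\0" + build_sample()[4:]))  # magic wiped: obscured file
```

On a real capture, a result with magic_intact False but a plausible tar stream a few bytes in is the signature of the null-overwrite trick; restoring the two magic bytes is enough to read the rest of the header.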