This document is an analysis performed for the Honeynet Projects Scan of the Month for November 2002.
I have downloaded the .unlock file. It matches his MD5 checksum a03b5be9264651ab30f2223592befb42. Using the file command, we learn that .unlock is gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix. In fact, it's a .tar.gz generated Fri Sep 20 12:59:04 2002.
tar tvzf .unlock -rw-r--r-- root/wheel 70981 2002-09-20 15:28:11 .unlock.c -rw-r--r-- root/wheel 2792 2002-09-19 23:57:48 .update.c
.unlock.c is the worm source code.
From the comment inside the code source, it has been created by contem@efnet with some modification by aion.
Its version is 20092002, September 20 2002. This date is compatible with the date from question 1.
It's the Modap worm 020916-Analysis-Modap.pdf
This worm is based on the scalper worm.
The process name is httpd . The name is overwritten by the worm, it's a very common trick.
#define PSNAME "httpd " strcpy(argv[0],PSNAME);
The sh() function creates a /tmp/.unlock.uu file with an uuencoded copy of /tmp/.unlock.
/tmp/.unlock is uudecoded as /tmp/.unlock.
/tmp/.unlock is untar-gzipped. The two C source files are compiled as /tmp/httpd and /tmp/update.
The files are runs.
After that, /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update are deleted.
The only remaining file on the infected machine is /tmp/.unlock. This file is used by the worm to propagate itself.
The worm scan the TCP port 80. If it find an opened http port, it will call the exploit() function.
#define SCANPORT 80 atcp_sync_connect(&clients[n],srv,SCANPORT);
The worm checks if the server is an Apache.
void exploit(char *ip) {
int port = 443;
int i;
int arch=-1;
int N = 20;
ssl_conn* ssl1;
ssl_conn* ssl2;
char *a;
alarm(3600);
if ((a=GetAddress(ip)) == NULL) exit(0);
if (strncmp(a,"Apache",6)) exit(0);
It will try to connect to TCP 443 port, the HTTPS port. The exploit has hardcoded offset for different Apache version for Gentoo, Debian, RedHat, SuSE, Mandrake and Slackware, 1.3.6 for the oldest and 1.3.26 for the newest. It tries to exploit an Apache OpenSSL handshake exploit,
*(int*)&overwrite_next_chunk[156] = cipher; *(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12; *(int*)&overwrite_next_chunk[196] = ciphers + 16; send_client_hello(ssl2); get_server_hello(ssl2); send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);
It exploits the OpenSSLv2 malformed client key remote buffer overflow BID 5363.
When the worm is run, it send a mail to aion@ukr.net (mailme() function)
with the hostid, the hostname of the newly infected server and the ip of the host attacker.
The worm listens on UDP port 4156. It uses its own P2P protocol with a week encryption mechanism.
One of its function is to scan the computer file for email address (function StartScan()).
.update.c is the C source code of
a remote shell backdoor listening on TCP port 1052 protected by the password
aion1981. Its author is aion (aion@ukr.net).
The program will accept connexions during 10 (UPTIME) seconds. After the 10 seconds, it close the listening port and waits 5 minutes (SLEEPTIME=300) before listening again. It's become difficult to find this open port because it's listening only 1/30 of the time. It's an easy method to hide the network listening process when it can't open raw socket. (See Reverse Challenge) Remark: The accept() syntax isn't correct. The third argument must be a pointer to an integer where is stored the client size address. We should have the following code:
int len= sizeof(client_addr); soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &len);
Christophe GRENIER Security Consultant Global Secure mail me personally or at work