Answer to SotM Scan 25

Prepared by Chan Chun Fai, Vincent Ip and Ricci Ieong

Tools

- md5sum

Analysis Methodology

Verification of the source

After downloading the .unlock file from the honeypot challenge web page, we immediately verified its MD5 checksum against the value published on the Honeynet web page.

C:\>md5sum .unlock

a03b5be9264651ab30f2223592befb42 *.unlock

Afterwards, we performed the file type analysis. From that result, we confirmed that the .unlock file is a .tgz file.

By looking directly at the modified, accessed and created times, we confirmed that the file was created at 18:59 20-Sep-2002.

After uncompressing the tgz file, we found two C files inside: .unlock.c and .update.c. These two files were created at 21:28 20-Sep-2002 and 05:57 20-Sep-2002 respectively.
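The triage steps above (checksum, file type, member timestamps) as a small script. This is an added example, not code from the original writeup: the MD5 value is the one quoted on the page, the archive produced by build_sample_tgz() is a constructed stand-in for .unlock (two stub C files whose mtimes mirror the times reported above, taken as UTC), and the file-type check uses the gzip and ustar magic bytes rather than the file name.

```python
"""Sample triage in the order used above: verify the MD5, identify the file
type from its magic bytes, and list the mtimes of the members inside the .tgz.
Added example; the archive built here is constructed, not the real worm.
"""
import hashlib
import hmac
import io
import tarfile
from datetime import datetime, timezone

# Checksum published on the challenge page, as quoted above.
EXPECTED_MD5 = "a03b5be9264651ab30f2223592befb42"
GZIP_MAGIC = b"\x1f\x8b"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_md5(data: bytes, expected: str) -> bool:
    """Constant-time comparison against the published value."""
    return hmac.compare_digest(md5_hex(data), expected.lower())


def identify_type(data: bytes) -> str:
    """Classify by magic bytes, as `file` would, instead of trusting the name."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "unknown"


def list_members(data: bytes) -> list:
    """Return (name, mtime in UTC, size) for every regular file in a .tgz.

    Member mtimes are whatever the packer's clock produced; the writeup
    compares them with the archive's own timestamp to spot inconsistencies.
    """
    members = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                stamp = datetime.fromtimestamp(m.mtime, timezone.utc)
                members.append((m.name, stamp.strftime("%Y-%m-%d %H:%M"), m.size))
    return members


def triage(data: bytes, expected_md5: str = EXPECTED_MD5) -> dict:
    """One-shot report: hash, hash match, type and (for gzip) the member list."""
    report = {
        "md5": md5_hex(data),
        "md5_ok": verify_md5(data, expected_md5),
        "type": identify_type(data),
        "members": [],
    }
    if report["type"] == "gzip":
        report["members"] = list_members(data)
    return report


def build_sample_tgz() -> bytes:
    """Constructed test archive: two stub C files whose mtimes mirror the
    times reported above (taken as UTC here), so the member listing can be
    exercised without the real sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, stamp in ((".unlock.c", "2002-09-20 21:28"),
                            (".update.c", "2002-09-20 05:57")):
            body = b"/* stub source, not the worm */\n"
            info = tarfile.TarInfo(name)
            info.size = len(body)
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
            info.mtime = int(when.timestamp())
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real file path to triage it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_tgz()
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it with the downloaded sample as the first argument; md5_ok must be True before any further analysis, and the member mtimes are the values to compare against the archive's own timestamp when looking for the time zone mismatch discussed in the answers.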

From the comments in the two files, we identified two names in .unlock.c: contem@efnet and aion@ukr.net. The comments state that the code in .unlock.c was modified by aion and that .update.c was written by aion.

In a C program, the first element of the argument vector, argv[0], holds the name under which the program was invoked, i.e. the process name. In .update.c, argv[0] is overwritten with a string copied from PSNAME, which is defined by a #define as "update   ", while .unlock.c defines the name as "httpd ".

According to the .unlock source code, the compiled worm copies itself to the infected host by sending the uuencoded content of the worm, embedded in .unlock.c, to /tmp/.unlock.uu.

From these files, we found that once the worm has identified a target, it decodes itself back on that host. The uudecoded archive contains two C files (.unlock.c and .update.c), which are then compiled into the httpd and update executables located in /tmp.

The following files are created first on the infected host:

- Total files created on the infected host:

a.   /tmp/.unlock.uu
b.   /tmp/.unlock
c.   /tmp/.unlock.c
d.   /tmp/.update.c
e.   /tmp/httpd
f.   /tmp/update

- Afterwards, other files are requested to perform further actions, while the following files are removed:

a.   /tmp/.unlock.uu
b.   /tmp/.unlock.c
c.   /tmp/.update.c
d.   /tmp/httpd
e.   /tmp/update

- Remains after execution:

/tmp/.unlock
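Host-side checks for the two traits described above: a process whose argv[0] has been overwritten with PSNAME no longer agrees with the executable it was started from, and the dropped files under /tmp. This is an added example, not code from the original writeup. The process names and /tmp paths are the ones quoted on this page; the process table SAMPLE_PROCS is constructed sample data; and the "executable under a scratch directory" heuristic is an assumption based on where the worm is said to compile itself. Because /tmp/httpd and /tmp/update are removed while the processes keep running, the kernel reports their /proc/<pid>/exe link with a " (deleted)" suffix, which the check treats as its own indicator.

```python
"""Host triage for a process-name disguise and the /tmp drop files.
Added example; SAMPLE_PROCS is constructed data, not a real process table.
"""
import os

# Names the worm writes over argv[0]; note the trailing padding spaces.
PSNAMES = ("httpd ", "update   ")
# Drop files listed above. Only /tmp/.unlock is said to remain afterwards.
ARTEFACTS = ("/tmp/.unlock.uu", "/tmp/.unlock", "/tmp/.unlock.c",
             "/tmp/.update.c", "/tmp/httpd", "/tmp/update")
# Assumed heuristic: legitimate daemons are not started from scratch dirs.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample: (pid, /proc/<pid>/cmdline, readlink of /proc/<pid>/exe)
SAMPLE_PROCS = (
    (1203, "httpd \0", "/tmp/httpd (deleted)"),            # worm after removing /tmp/httpd
    (1250, "/usr/sbin/httpd\0-DSSL\0", "/usr/sbin/httpd"),  # legitimate Apache
    (1301, "update   \0", "/tmp/update"),                  # worm's second process
    (1400, "-bash\0", "/bin/bash"),                        # login shell; leading "-" is normal
    (1522, "httpd\0", "/tmp/evil"),                        # constructed: renamed, no padding
)


def suspicious_process(cmdline: str, exe_path: str) -> str:
    """Return a reason if the process looks disguised, else an empty string.

    strcpy(argv[0], PSNAME) rewrites only what /proc/<pid>/cmdline shows;
    /proc/<pid>/exe still points at the file that was actually executed.
    """
    argv0 = cmdline.split("\0", 1)[0]
    exe = exe_path
    deleted = exe.endswith(" (deleted)")
    if deleted:
        exe = exe[: -len(" (deleted)")]
    if argv0 in PSNAMES:
        return "argv[0] matches a known PSNAME string"
    if argv0 != argv0.rstrip():
        return "argv[0] padded with trailing spaces"
    if deleted:
        return "executable deleted from disk"
    # Login shells legitimately prefix argv[0] with "-" (e.g. "-bash").
    name = os.path.basename(argv0.lstrip("-"))
    if name != os.path.basename(exe):
        return "argv[0] does not match executable name"
    if exe.startswith(SCRATCH_DIRS):
        return "executable runs from a scratch directory"
    return ""


def scan_process_table(procs):
    """procs: iterable of (pid, cmdline, exe). Returns [(pid, reason)]."""
    hits = []
    for pid, cmdline, exe in procs:
        reason = suspicious_process(cmdline, exe)
        if reason:
            hits.append((pid, reason))
    return hits


def live_process_table():
    """Linux only: yield (pid, cmdline, exe) from the real /proc."""
    entries = os.listdir("/proc") if os.path.isdir("/proc") else []
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmdline = fh.read().decode("utf-8", "replace")
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # kernel threads, vanished or unreadable processes
        if cmdline:
            yield int(entry), cmdline, exe


def present_artefacts(exists=os.path.exists):
    """Which of the listed drop files are on disk (exists is injectable for tests)."""
    return [p for p in ARTEFACTS if exists(p)]


if __name__ == "__main__":
    for pid, reason in scan_process_table(live_process_table()):
        print(f"pid {pid}: {reason}")
    print("drop files present:", present_artefacts())
```

Against the constructed table the scan flags pids 1203, 1301 and 1522 and leaves the real Apache and the login shell alone. On a live host, a hit on the PSNAME strings or on /tmp/.unlock is the strongest signal, since the other files are deleted once the worm is running.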

 

Based on the #define SCANPORT information, the port scanned by the worm is port 80.

According to the code, the worm's targets are Linux-based Apache servers with SSL support. It attacks the target machines via the SSL buffer overflow vulnerability.

When the worm has successfully attacked a target, it collects the identifier of the machine, its IP address and its host name. This information is sent to the author of the program, "aion@ukr.net", via the mail server freemail.ukr.net.

According to the code, the worm communicates with other worm instances on other infected machines via UDP port 80.

The worm can further affect the network by flooding it with one of the following methods:

- UDP flood
- TCP flood
- IPv6 TCP flood
- DNS flood

By examining the program further, we found that the backdoor created by the worm listens on TCP port 1052. It will interact with the client only if the password "aion1981" is entered.

Once executed, the port listens for requests for 10 seconds in every 5 minutes. If no request arrives during that window, the backdoor port is closed to reduce the chance of being detected.

This is controlled by the SLEEPTIME variable: the sleep time of the backdoor controls the timeout of the backdoor port. The UPTIME counter is its counterpart and holds the time for which the backdoor listens on the backdoor port.
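The network-side view of the behaviour described above, together with the polling arithmetic behind the 10-seconds-in-5-minutes backdoor window. This is an added example, not code from the original writeup. The ports come from the page (SCANPORT 80, worm-to-worm traffic on UDP port 80, backdoor on TCP 1052); the flow-log line format and the flows in SAMPLE_FLOWS are constructed sample data, and the scanner threshold SCAN_THRESHOLD is an assumption. detection_probability() generalises the 10 s / 300 s figures to any listen window, cycle and poll interval.

```python
"""Network indicators for the worm and the backdoor, plus a model of how
often a periodic open-port check actually sees a 10-second listener.
Added example; the flow format and flows are constructed.
"""
import re
from collections import defaultdict

SCAN_PORT = 80        # #define SCANPORT
P2P_UDP_PORT = 80     # worm-to-worm traffic; HTTP never uses UDP/80
BACKDOOR_PORT = 1052  # password-protected shell
SCAN_THRESHOLD = 5    # assumed: distinct port-80 targets from one source

# Constructed format: <epoch> <proto> <src>:<sport> -> <dst>:<dport> <flags>
FLOW_RE = re.compile(
    r"^(\d+)\s+(tcp|udp)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(\S+)$")

SAMPLE_FLOWS = """\
1032500000 tcp 10.0.0.5:40001 -> 192.0.2.1:80 S
1032500001 tcp 10.0.0.5:40002 -> 192.0.2.2:80 S
1032500002 tcp 10.0.0.5:40003 -> 192.0.2.3:80 S
1032500003 tcp 10.0.0.5:40004 -> 192.0.2.4:80 S
1032500004 tcp 10.0.0.5:40005 -> 192.0.2.5:80 S
1032500010 udp 10.0.0.5:2002 -> 198.51.100.7:80 -
1032500011 udp 198.51.100.7:80 -> 10.0.0.5:2002 -
1032500020 tcp 203.0.113.9:51234 -> 10.0.0.5:1052 S
1032500030 tcp 10.0.0.8:33000 -> 192.0.2.1:443 S
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip blank, comment or malformed lines
        ts, proto, src, sport, dst, dport, flags = m.groups()
        flows.append({"ts": int(ts), "proto": proto, "src": src,
                      "sport": int(sport), "dst": dst, "dport": int(dport),
                      "flags": flags})
    return flows


def find_indicators(flows):
    """Group flows into the three indicators a defender can alert on."""
    out = {"udp80_peer": [], "backdoor_1052": [], "port80_scanners": []}
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and P2P_UDP_PORT in (f["sport"], f["dport"]):
            out["udp80_peer"].append((f["src"], f["dst"]))
        if f["proto"] == "tcp" and f["dport"] == BACKDOOR_PORT:
            out["backdoor_1052"].append((f["src"], f["dst"]))
        if f["proto"] == "tcp" and f["dport"] == SCAN_PORT and "S" in f["flags"]:
            targets[f["src"]].add(f["dst"])
    out["port80_scanners"] = sorted(
        src for src, dsts in targets.items() if len(dsts) >= SCAN_THRESHOLD)
    return out


def detection_probability(listen_secs, cycle_secs, poll_secs, horizon_secs):
    """Fraction of possible backdoor phases in which at least one port poll
    (a netstat every poll_secs) lands inside the listen window before
    horizon_secs elapse. Integer-second simulation over every phase offset."""
    detected = 0
    for phase in range(cycle_secs):
        hit = any((t - phase) % cycle_secs < listen_secs
                  for t in range(0, horizon_secs, poll_secs))
        detected += hit
    return detected / cycle_secs


if __name__ == "__main__":
    for name, hits in find_indicators(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{name}: {hits}")
    for poll in (5, 60, 300):
        print(f"netstat every {poll}s, one 5-minute cycle:",
              detection_probability(10, 300, poll, 300))
```

With the page's figures, a netstat run once a minute sees the backdoor in only one of six phase alignments within a cycle, and a five-minute cron job in one of thirty; a poll interval shorter than the 10-second window, or a poll period that does not divide 300 s and so drifts into the window over time, is needed to catch it from the host. A network sensor watching for TCP/1052 SYNs and UDP/80 traffic does not depend on the timing at all.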

Answers to the questions

1.      The .unlock file is a standard .tgz file. It was created at 18:59 20-Sep-2002.

2.      The author is called aion (email address "aion@ukr.net"). We can also look at the time stamp of each file in the tar file: the source file .unlock.c was created at 21:28 20-Sep-2002 and .update.c at 05:57 20-Sep-2002. The time stamp of .unlock.c is inconsistent with that of the .tgz file, since .unlock.c is newer than the .tgz. One possible explanation is that the time zones of the attacker's and the victim's machines do not match. In a POSIX file system the timestamp is stored as the difference in milliseconds from the base line time (1 Jan 1970, GMT+0). It is likely that the .unlock.c file was compiled and created on a different machine.

3.      From the program, PSNAME symbolises the name under which the program starts, i.e. the process name. The worm's processes will be named "update   " and "httpd " (as defined by PSNAME).

4.      From the identified attack method, the worm copies itself to the infected host by sending a uuencoded copy of itself to /tmp/.unlock.uu. It then decodes the file with the command "uudecode -o /tmp/.unlock /tmp/.unlock.uu" and untars the decoded file, which extracts the two source files:

a.   .unlock.c
b.   .update.c

With these two source files, the worm compiles them and generates two executables:

a.   /tmp/httpd
b.   /tmp/update

Total files created on the infected host:

a.   /tmp/.unlock.uu
b.   /tmp/.unlock
c.   /tmp/.unlock.c
d.   /tmp/.update.c
e.   /tmp/httpd
f.   /tmp/update

Removed:

/tmp/.unlock.uu
/tmp/.unlock.c
/tmp/.update.c
/tmp/httpd
/tmp/update

Remains after execution:

/tmp/.unlock

5.      Port 80 is scanned by the worm (it is defined by the #define definition "SCANPORT").

6.      The worm tries to exploit the Apache SSL buffer overflow vulnerability. Architecture, Apache version and <offset> do not need to be mentioned. The following shows the version of the

        {"Gentoo", "", 0x08086c34},
        {"Debian", "1.3.26", 0x080863cc},
        {"Red-Hat", "1.3.6", 0x080707ec},
        {"Red-Hat", "1.3.9", 0x0808ccc4},
        {"Red-Hat", "1.3.12", 0x0808f614},
        {"Red-Hat", "1.3.12", 0x0809251c},
        {"Red-Hat", "1.3.19", 0x0809af8c},
        {"Red-Hat", "1.3.20", 0x080994d4},
        {"Red-Hat", "1.3.26", 0x08161c14},
        {"Red-Hat", "1.3.23", 0x0808528c},
        {"Red-Hat", "1.3.22", 0x0808400c},
        {"SuSE", "1.3.12", 0x0809f54c},
        {"SuSE", "1.3.17", 0x08099984},
        {"SuSE", "1.3.19", 0x08099ec8},
        {"SuSE", "1.3.20", 0x08099da8},
        {"SuSE", "1.3.23", 0x08086168},
        {"SuSE", "1.3.23", 0x080861c8},
        {"Mandrake", "1.3.14", 0x0809d6c4},
        {"Mandrake", "1.3.19", 0x0809ea98},
        {"Mandrake", "1.3.20", 0x0809e97c},
        {"Mandrake", "1.3.23", 0x08086580},
        {"Slackware", "1.3.26", 0x083d37fc},
        {"Slackware", "1.3.26", 0x080b2100}

7.      Three pieces of information about the infected host are sent to the worm author:

a.      identifier for the current host
b.      hostname
c.      local machine IP

The worm sends the mail to "aion@ukr.net" via the mail server "freemail.ukr.net".

8.      The worm communicates with other infected machines using UDP port 80.

9.      For the network bandwidth flooding attack, the worm can perform one of the following once a command is received:

a.      UDP flood
b.      TCP flood
c.      IPv6 TCP flood
d.      DNS flood

10.  It is a backdoor program that binds a shell to port 1052 and is protected with the password "aion1981". Once executed, it listens on the port for 10 seconds every 5 minutes and then closes the port in order to reduce the chance of being detected.

11.  Bonus: The SLEEPTIME variable is used as the counter for the sleep time of the backdoor. The purpose of sleeping is to suspend the backdoor from listening on the port, which reduces the chance of being detected by listing open ports with "netstat". The UPTIME counter limits the time for which the backdoor listens on the backdoor port.