This document is an analysis performed for the Honeynet Projects Scan of the Month for November 2002.

Which is the type of the .unlock file? When was it generated?

I have downloaded the .unlock file. It matches his MD5 checksum a03b5be9264651ab30f2223592befb42. Using the file command, we learn that .unlock is gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix. In fact, it's a .tar.gz generated Fri Sep 20 12:59:04 2002.

tar tvzf .unlock
-rw-r--r-- root/wheel    70981 2002-09-20 15:28:11 .unlock.c
-rw-r--r-- root/wheel     2792 2002-09-19 23:57:48 .update.c

Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?

.unlock.c is the worm source code. From the comment inside the code source, it has been created by contem@efnet with some modification by aion. Its version is 20092002, September 20 2002. This date is compatible with the date from question 1. It's the Modap worm 020916-Analysis-Modap.pdf This worm is based on the scalper worm.

Which process name is used by the worm when it is running?

The process name is httpd . The name is overwritten by the worm, it's a very common trick.

#define PSNAME		"httpd "
strcpy(argv[0],PSNAME); 

In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?

The sh() function creates a /tmp/.unlock.uu file with an uuencoded copy of /tmp/.unlock. /tmp/.unlock is uudecoded as /tmp/.unlock. /tmp/.unlock is untar-gzipped. The two C source files are compiled as /tmp/httpd and /tmp/update. The files are runs. After that, /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update are deleted. The only remaining file on the infected machine is /tmp/.unlock. This file is used by the worm to propagate itself.

Which port is scanned by the worm?

The worm scan the TCP port 80. If it find an opened http port, it will call the exploit() function.

#define SCANPORT	80
atcp_sync_connect(&clients[n],srv,SCANPORT);

Which vulnerability the worm tries to exploit? In which architectures?

The worm checks if the server is an Apache.

void exploit(char *ip) {
	int port = 443;
	int i;
	int arch=-1;
	int N = 20;
	ssl_conn* ssl1;
	ssl_conn* ssl2;
	char *a;

	alarm(3600);
	if ((a=GetAddress(ip)) == NULL) exit(0);
	if (strncmp(a,"Apache",6)) exit(0);

It will try to connect to TCP 443 port, the HTTPS port. The exploit has hardcoded offset for different Apache version for Gentoo, Debian, RedHat, SuSE, Mandrake and Slackware, 1.3.6 for the oldest and 1.3.26 for the newest. It tries to exploit an Apache OpenSSL handshake exploit,

	*(int*)&overwrite_next_chunk[156] = cipher;
	*(int*)&overwrite_next_chunk[192] = architectures[arch].func_addr - 12;
	*(int*)&overwrite_next_chunk[196] = ciphers + 16;

	send_client_hello(ssl2);
	get_server_hello(ssl2);

	send_client_master_key(ssl2, overwrite_next_chunk, sizeof(overwrite_next_chunk)-1);

It exploits the OpenSSLv2 malformed client key remote buffer overflow BID 5363.

What kind of information is sent by the worm by email? To which account?

When the worm is run, it send a mail to aion@ukr.net (mailme() function) with the hostid, the hostname of the newly infected server and the ip of the host attacker.

Which port (and protocol) is used by the worm to communicate to other infected machines?

The worm listens on UDP port 4156. It uses its own P2P protocol with a week encryption mechanism. One of its function is to scan the computer file for email address (function StartScan()).

Name 3 functionalities built in the worm to attack other networks.