Prepared by Chan Chun Fai, Vincent Ip and Ricci Ieong
§ Md5sum
After downloading “.unlock” from the honeypot challenge web page, we immediately verified the MD5 checksum of “.unlock” against the value published on the Honeynet web page.
C:\>md5sum .unlock
a03b5be9264651ab30f2223592befb42 *.unlock
Afterwards, we performed the file type analysis. From those results, we confirmed that the “.unlock” file is a .tgz file.
By looking directly at the Modified, Access and Created times, we confirmed that the file was created at 18:59 20-Sep-2002.
After uncompressing the tgz file, we found two C files inside, .unlock.c and .update.c. These two files were created at 21:28 20-Sep-2002 and 05:57 20-Sep-2002 respectively.
From the comments in the two files, we identified two names in the .unlock.c file: contem@efnet and aion@ukr.net. The comments state that the code in .unlock.c was modified by aion and that .update.c was created by aion.
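The triage steps above (checksum verification, file-type identification and member time stamps, which answers 1 and 2 below restate) as an added Python example; this is not code from the original writeup. The archive is constructed in memory from the member time stamps the writeup reports, so the MD5 it computes is that of the constructed bytes, not the a03b5be9264651ab30f2223592befb42 value from the challenge page. The archive mtime of 18:59 is also taken from the writeup, and treating all of these stamps as UTC is an assumption.

```python
"""Triage a downloaded .tgz sample: checksum, magic bytes and member time stamps.
Added example; the sample archive is constructed here, not the real .unlock."""
import hashlib
import io
import tarfile
from datetime import datetime, timezone

# Archive mtime reported in the writeup (18:59 20-Sep-2002), assumed to be UTC.
ARCHIVE_MTIME = datetime(2002, 9, 20, 18, 59, tzinfo=timezone.utc)


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the raw bytes, the value `md5sum` prints."""
    return hashlib.md5(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Compare against the published checksum (case-insensitive hex)."""
    return md5_hex(data) == expected_hex.strip().lower()


def looks_like_gzip(data: bytes) -> bool:
    """The gzip magic 1f 8b is what `file` keys on for 'gzip compressed data'."""
    return data[:2] == b"\x1f\x8b"


def list_members(data: bytes):
    """Return [(name, mtime as aware UTC datetime, size)] for each tar member."""
    members = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            mtime = datetime.fromtimestamp(m.mtime, tz=timezone.utc)
            members.append((m.name, mtime, m.size))
    return members


def newer_than_archive(members, archive_mtime=ARCHIVE_MTIME):
    """Member names whose mtime is later than the archive's own mtime.
    A member cannot legitimately be newer than the archive that holds it, so a
    hit points at clock skew or a time-zone mismatch between the hosts involved."""
    return [name for name, mtime, _ in members if mtime > archive_mtime]


def build_sample() -> bytes:
    """Constructed stand-in for .unlock: two placeholder C sources carrying the
    member time stamps quoted in the writeup (again assumed to be UTC)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, when in (
            (".unlock.c", datetime(2002, 9, 20, 21, 28, tzinfo=timezone.utc)),
            (".update.c", datetime(2002, 9, 20, 5, 57, tzinfo=timezone.utc)),
        ):
            payload = b"/* constructed placeholder, not the worm source */\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mtime = int(when.timestamp())
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample()
    print("md5:", md5_hex(data))
    print("gzip magic present:", looks_like_gzip(data))
    members = list_members(data)
    for name, mtime, size in members:
        print(f"{name:12} {mtime:%Y-%m-%d %H:%M:%S} UTC  {size} bytes")
    print("members newer than the archive:", newer_than_archive(members))
```

Run against a real download, replace `build_sample()` with the file's bytes and pass the published checksum to `checksum_matches`; `newer_than_archive` then reproduces the .unlock.c-newer-than-.tgz observation that answer 2 discusses, which is the cue to ask whether the two hosts agreed on a time zone.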
In a C program, the first argument, argv[0], holds the program name as invoked (the file name location). In the .update.c file, argv[0] is overwritten with a string copied from PSNAME, which is defined by a #define as “update ” (with a trailing space), while in the .unlock file the name was defined as “httpd ”.
According to the .unlock source code, the compiled worm copies itself to the infected host by sending the uuencoded copy of itself that is embedded in .unlock.c, which is written to /tmp/.unlock.uu on the target.
From these files, we found that once the worm has identified and compromised a target, it decodes itself back. The uudecoded archive contains two C files (.unlock.c and .update.c), which are then compiled into the httpd and update files located in /tmp.
The following files would be created first in the infected host:
· Total files created in the infected host:
  a. /tmp/.unlock.uu
  b. /tmp/.unlock
  c. /tmp/.unlock.c
  d. /tmp/.update.c
  e. /tmp/httpd
  f. /tmp/update
· Afterwards, other files will be requested to perform further actions, while the following files will be removed:
  a. /tmp/.unlock.uu
  b. /tmp/.unlock.c
  c. /tmp/.update.c
  d. /tmp/httpd
  e. /tmp/update
· Remains after execution:
  /tmp/.unlock
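A host-side check for the file set just listed (and for the PSNAME process names from the .update.c discussion), as an added Python example rather than anything from the original writeup. It takes a root directory so it can be pointed at a mounted disk image or a scratch copy instead of the live system; the process-name helper reads /proc/<pid>/cmdline and is therefore Linux-specific. The path list and the two process names come from the writeup; everything else is assumed.

```python
"""Check a filesystem root for the artefacts the writeup attributes to the worm,
and flag processes whose argv[0] carries the worm's PSNAME string.
Added example; only the path list and process names come from the writeup."""
import os
import tempfile
from pathlib import Path

# Files the writeup lists as created during infection, relative to the root.
CREATED = [
    "tmp/.unlock.uu", "tmp/.unlock", "tmp/.unlock.c",
    "tmp/.update.c", "tmp/httpd", "tmp/update",
]
# The only file the writeup says survives a completed run.
PERSISTENT = "tmp/.unlock"
# PSNAME values from the writeup; the trailing space is part of the string and
# is what separates the worm's "httpd " from a genuine "httpd".
PSNAMES = {"httpd ", "update "}


def present_artifacts(root):
    """Which of the known paths exist under root (a directory, image mount or '/')."""
    root = Path(root)
    return [p for p in CREATED if (root / p).exists()]


def assess(root):
    """Summarise the host's state from which artefacts remain."""
    found = present_artifacts(root)
    if not found:
        return "clean"
    if found == [PERSISTENT]:
        return "completed infection: only /tmp/.unlock remains"
    return "infection in progress or interrupted: " + ", ".join("/" + p for p in found)


def suspicious_argv0(names):
    """Return the argv[0] values that exactly match a PSNAME string."""
    return [n for n in names if n in PSNAMES]


def live_argv0s(proc="/proc"):
    """argv[0] of every process, read from /proc/<pid>/cmdline (Linux only).
    Overwriting argv[0] in the process changes this view, so the trailing-space
    names the worm installs are visible here."""
    names = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "cmdline"), "rb") as fh:
                first = fh.read().split(b"\0", 1)[0]
        except OSError:
            continue  # process exited or not readable
        names.append(first.decode(errors="replace"))
    return names


def make_scratch_root(present):
    """Create a throwaway root containing the given relative paths, so the
    check can be exercised without touching the live system."""
    root = tempfile.mkdtemp(prefix="worm-triage-")
    for rel in present:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()
    return root


if __name__ == "__main__":
    print(assess("/"))
    print("suspicious argv[0] values:", suspicious_argv0(live_argv0s()))
```

Because the worm deletes the sources and binaries after compiling, a host examined after the fact usually shows only /tmp/.unlock; the distinction `assess` draws between that state and a partial file set tells the responder whether the worm finished its set-up or was interrupted.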
Based on the #define SCANPORT information, the port scanned by the worm is port 80.
According to the code, we confirmed that the worm’s target is a Linux-based Apache server with SSL support. It attacks the target machines via the SSL buffer overflow vulnerability.
When the worm has successfully attacked a target, it collects the identifier of the machine together with its IP address and host name. This information is sent to the author of the program, “aion@ukr.net”, via the mail server freemail.ukr.net.
According to the code, the worm communicates with the worms on other infected machines via UDP port 80.
The worm can further affect the network by flooding it with one of the following methods:
· UDP flood
· TCP flood
· IPv6 TCP flood
· DNS flood
By further examining the program, we found that the backdoor created by the worm listens on TCP port 1052. It interacts with the client only if the password “aion1981” is entered.
Once executed, the port listens for requests for 10 seconds in every 5 minutes. If no request has been received on the port, the backdoor port is closed to reduce the chance of being detected.
This is governed by the SLEEPTIME variable: the sleep time of the backdoor controls the timeout of the backdoor port. The UPTIME counter is its counterpart and holds the time for which the backdoor keeps listening on the backdoor port.
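The network behaviour described above (mail to the author via freemail.ukr.net, UDP/80 worm-to-worm traffic, and the TCP/1052 backdoor with its 10-second listening window), which answers 7 to 11 below restate, as an added Python example rather than the authors’ code: a small detection pass over constructed flow records, plus a helper that quantifies how rarely a single netstat snapshot would catch the backdoor port. The log format, the addresses (RFC 5737 documentation ranges), the web-server inventory and the SMTP relay allow-list are all assumptions made for the example; the ports and the 10 s / 5 min timing come from the writeup.

```python
"""Flag the worm's network behaviour in flow records and quantify how hard the
backdoor's short listening window makes snapshot-based detection.
Added example; log format, addresses and allow-lists are constructed."""
import math

WEB_SERVERS = {"198.51.100.7"}      # hosts running Apache with SSL (assumed inventory)
ALLOWED_RELAYS = {"198.51.100.2"}   # the only SMTP relay those hosts should use (assumed)
BACKDOOR_PORT = 1052                # TCP backdoor port, from the writeup
PEER_PORT = 80                      # UDP/80 worm-to-worm channel, from the writeup

# Constructed flow records in an assumed "ts key=value ..." format.
SAMPLE_FLOWS = """\
2002-09-20T19:03:01Z proto=tcp src=192.0.2.10:40211 dst=198.51.100.7:80 bytes=1420
2002-09-20T19:03:11Z proto=tcp src=192.0.2.10:40212 dst=198.51.100.7:1052 bytes=312
2002-09-20T19:04:02Z proto=udp src=198.51.100.7:80 dst=203.0.113.4:80 bytes=96
2002-09-20T19:04:30Z proto=tcp src=198.51.100.7:51000 dst=203.0.113.25:25 bytes=780
2002-09-20T19:05:00Z proto=tcp src=198.51.100.7:51001 dst=198.51.100.2:25 bytes=640
2002-09-20T19:05:10Z proto=udp src=192.0.2.10:53111 dst=198.51.100.2:53 bytes=71
"""


def parse_flow(line):
    """Split one record into timestamp, protocol and endpoint fields."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return {"ts": parts[0], "proto": fields["proto"],
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def classify(f):
    """Names of the worm behaviours a single flow matches (possibly none)."""
    alerts = []
    # Anything reaching the backdoor port on a web server: the port is never
    # a legitimate service there.
    if f["proto"] == "tcp" and f["dport"] == BACKDOOR_PORT and f["dst"] in WEB_SERVERS:
        alerts.append("backdoor-port")
    # HTTP is TCP; UDP with port 80 on both ends is the worm's peer channel.
    if f["proto"] == "udp" and f["sport"] == PEER_PORT and f["dport"] == PEER_PORT:
        alerts.append("udp80-peer")
    # A web server mailing anywhere other than the approved relay is how the
    # host identifier, hostname and IP leave the network.
    if (f["proto"] == "tcp" and f["dport"] == 25
            and f["src"] in WEB_SERVERS and f["dst"] not in ALLOWED_RELAYS):
        alerts.append("smtp-exfil")
    return alerts


def detect(text):
    """Run classify() over every non-empty record; return (alert, ts, src, dst)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        for a in classify(f):
            hits.append((a, f["ts"], f["src"], f["dst"]))
    return hits


def snapshot_hit_probability(listen_s=10, period_s=300):
    """Chance that one netstat run, taken at a random moment, sees the port open."""
    return listen_s / period_s


def snapshots_for_confidence(p, confidence=0.95):
    """Independent random snapshots needed to see the port at least once with
    the given confidence: 1 - (1 - p)^n >= confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))


if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS):
        print(hit)
    p = snapshot_hit_probability()
    print(f"single-snapshot hit chance: {p:.1%}; "
          f"snapshots for 95% confidence: {snapshots_for_confidence(p)}")
```

The arithmetic helper is the practical point behind the SLEEPTIME/UPTIME discussion: with the port open 10 seconds in every 300, a lone `netstat` run sees it about 3% of the time and roughly 89 random checks are needed for 95% confidence, so the flow-level rules above (or continuous socket auditing) are the workable detection, not periodic port listings.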
1. The .unlock file is a standard .tgz file. It was created at 18:59 20-Sep-2002.
2. The author is called aion (with email address “aion@ukr.net”). Looking at the time stamp of each file in the tar file, the source file “.unlock.c” was created at 21:28 20-Sep-2002 and “.update.c” at 05:57 20-Sep-2002. The .unlock.c time stamp is not consistent with that of the .tgz file, as .unlock.c is newer than the .tgz. One possible explanation is that the time zones of the hacker and the victim do not match. In POSIX file systems, the timestamp is stored as the difference from the base line time (1st Jan 1970, GMT+0). It is likely that the .unlock.c file was compiled and created on a different machine.
3. From the program, PSNAME symbolizes the process name the program takes on start-up. The worm’s processes will appear as “update ” and “httpd ” (defined in the “PSNAME” definition).
4. From the identified attack method, the worm copies itself to the infected host by sending a UUEncoded copy of itself to /tmp/.unlock.uu. It then decodes the file with the command “uudecode -o /tmp/.unlock /tmp/.unlock.uu” and untars the decoded file, which extracts the two source files:
  a. .unlock.c
  b. .update.c
With these two source files, the worm will try to compile them and generate two executables:
  a. /tmp/httpd
  b. /tmp/update
Total files created in the infected host:
  a. /tmp/.unlock.uu
  b. /tmp/.unlock
  c. /tmp/.unlock.c
  d. /tmp/.update.c
  e. /tmp/httpd
  f. /tmp/update
Removed:
  /tmp/.unlock.uu
  /tmp/.unlock.c
  /tmp/.update.c
  /tmp/httpd
  /tmp/update
Remains after execution:
  /tmp/.unlock
5. Port 80 is scanned by the worm (defined by the #define definition “SCANPORT”).
6. The worm tries to exploit the Apache SSL buffer overflow. (Architecture, Apache version and <offset> do not need to be mentioned.) The following table from the source lists, for each target, the distribution, the Apache version and the offset used:
{"Gentoo", "", 0x08086c34},
{"Debian", "1.3.26", 0x080863cc},
{"Red-Hat", "1.3.6", 0x080707ec},
{"Red-Hat", "1.3.9", 0x0808ccc4},
{"Red-Hat", "1.3.12", 0x0808f614},
{"Red-Hat", "1.3.12", 0x0809251c},
{"Red-Hat", "1.3.19", 0x0809af8c},
{"Red-Hat", "1.3.20", 0x080994d4},
{"Red-Hat", "1.3.26", 0x08161c14},
{"Red-Hat", "1.3.23", 0x0808528c},
{"Red-Hat", "1.3.22", 0x0808400c},
{"SuSE", "1.3.12", 0x0809f54c},
{"SuSE", "1.3.17", 0x08099984},
{"SuSE", "1.3.19", 0x08099ec8},
{"SuSE", "1.3.20", 0x08099da8},
{"SuSE", "1.3.23", 0x08086168},
{"SuSE", "1.3.23", 0x080861c8},
{"Mandrake", "1.3.14", 0x0809d6c4},
{"Mandrake", "1.3.19", 0x0809ea98},
{"Mandrake", "1.3.20", 0x0809e97c},
{"Mandrake", "1.3.23", 0x08086580},
{"Slackware", "1.3.26", 0x083d37fc},
{"Slackware", "1.3.26", 0x080b2100}
7. Three pieces of information about the infected host will be sent to the worm author:
  a. identifier for the current host
  b. hostname
  c. local machine IP
The worm sends the mail to “aion@ukr.net” via the mail server “freemail.ukr.net”.
8. The worm communicates with other infected machines using UDP port 80.
9. For network bandwidth flooding attacks, the worm can perform one of the following once the command is received:
  a. UDP flood
  b. TCP flood
  c. IPv6 TCP flood
  d. DNS flood
10. It is a backdoor program that binds a shell to port 1052, protected with the password “aion1981”. Once executed, it listens on the port for 10 seconds in every 5 minutes and then shuts the port down in order to reduce the chance of being detected.
11. Bonus: The SLEEPTIME variable is used as the counter for the sleep time of the backdoor. The purpose of sleeping is to suspend the backdoor from listening on the port; doing so reduces the chance of being detected by listing open ports with “netstat”. The UPTIME counter is used to limit the time that the backdoor listens on the backdoor port.