Members from the Honeynet.BR team
have captured a new worm from the wild. The file (.unlock), was
used by the worm to infect the honeypot. Your mission is to analyze the captured
file in order to answer the questions below. Be sure you review the submission
rules at the SotM challenge page before submitting your
Download the Binary
Note: The MD5 and SHA1
checksums are shown below.
MD5 (.unlock) = a03b5be9264651ab30f2223592befb42
SHA1 (.unlock) = 4b018cdfdbcf71ddaa789e8ecc9ed7700660021a
Which is the type of the .unlock file? When was it
- Based on the source code, who is the author of this worm? When
it was created? Is it compatible with the date from question 1?
- Which process name is used by the worm when it is running?
- In wich format the worm copies itself to the new infected
machine? Which files are created in the whole process? After
the worm executes itself, wich files remain on the infected machine?
- Which port is scanned by the worm?
- Which vulnerability the worm tries to exploit? In which architectures?
- What kind of information is sent by the worm by email? To
- Which port (and protocol) is used by the worm to communicate to
other infected machines?
- Name 3 functionalities built in the worm to attack
- What is the purpose of the .update.c program? Which
port does it use?
- Bonus Question: What is the purpose of the SLEEPTIME and
UPTIME values in the .update.c program?
This months challenge questions, judging and team writeup are done by
the Honeynet.BR team.
Writeup from Cristine Hoepers and Klaus Steding-Jessen from The
Writeup from the Security Community
This month we received 41 submissions. The top 30 submissions are
listed here. We would like to thank the people who have submitted
their writeups for the time and effort dedicated to this challenge.
Top 5 Entries:
Remaining Top 10 Entries