Honeynet Project Scan of the Month 25


Will Dyke


This scan of the month challenge requires source code analysis of a worm captured by Honeynet BR. As this challenge requires only source analysis, I used Cygwin running under Windows, rather than a complete GNU/Linux distribution.

After downloading the .unlock file, I checked the two check sums provided

$ md5sum .unlock
a03b5be9264651ab30f2223592befb42 *.unlock

$ sha1sum .unlock
4b018cdfdbcf71ddaa789e8ecc9ed7700660021a *.unlock

They both matched.

I refer to line numbers a lot in this document. I generated two files, unlock_nl.c and update_nl.c, line numbered versions of .unlock.c and .update.c respectively, to help the casual reader, using the GNU nl command

$ nl -ba .unlock.c > unlock_nl.c
$ nl -ba .update.c > update_nl.c

1. Which is the type of the .unlock file? When was it generated?

A first use of the file command showed that .unlock was a gzip file, generated September 20 2002.

$ file .unlock
.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 11:59:04 2002, os: Unix

Unzipping it, and using file again, the uncompressed file was shown to be a GNU tar archive

$ gzip -dc unlock.gz > unlock

$ file unlock
unlock: GNU tar archive

A quick check with tar prior to decompression revealed two files, dated at a similar time to the archive (although .unlock.c appears to have been created after the gzip file, for some reason). These were then extracted.

$ tar tvf unlock
-rw-r--r-- root/wheel    70981 2002-09-20 14:28:11 .unlock.c
-rw-r--r-- root/wheel     2792 2002-09-19 22:57:48 .update.c

$ tar xf unlock

2. Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?

The comments at the head of .unlock.c show that the worm was mostly written by contem@efnet, with modifications by [email protected], who also appears to have written .update.c

The worm appears to have been created at 14:28 on 20 September 2002. This is not compatible with the date of the last modification of the gzip file, which was apparently created earlier at 11.59. For some reason, the time stamp of one or both of the files must have been altered at some point.

3. Which process name is used by the worm when it is running?

The worm uses httpd as process name:

    78  #define PSNAME          "httpd "
  1805          strcpy(argv[0],PSNAME);

4. In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?

The following answer is deduced from lines 1416-1428.

The worm copies itself as /tmp/.unlock.uu, created in uuencoded format from /tmp/unlock. Once copied, the file is decoded, as /tmp/.unlock. The /tmp/.unlock is then extracted using tar -xzf, to create the .unlock.c and .update.c files. These are compiled into http and update respectively, and both are started. All of these files are then removed, with the exception of /tmp/.unlock, which will be used for the next propagation.

5. Which port is scanned by the worm?

Scans are performed on port 80 (SCANPORT) in lines 1908-1937, looking for a listening port. If the port is listening, the exploit function is called, which checks whether an Apache server is found on port 80, and whether the Apache version and operating systems match one of those in the list below - if so, the Apache SSL exploit is performed.

6. Which vulnerability the worm tries to exploit? In which architectures?

Exploits Apache SSL vulnerability (see references), on the following (taken from the architectures struct in lines 1241-1269):

OSApache versions
Red-Hat1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26
SuSE1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23
Mandrake1.3.14, 1.3.19, 1.3.20, 1.3.23

7. What kind of information is sent by the worm by email? To which account?

The mailme function (lines 94-130 of .update.c) creates a sendmail session with freemail.ukr.net containing the following:

  helo test
  mail from: [email protected]
  rcpt to: [email protected]
   hostid:   <host ip>
   hostname: <hostname>
   att_from: <controller machine>

Translated, this sends an email to [email protected], purportedly from [email protected], giving the ip address and hostname of the computer, as well as the machine with which it is communicating (the 1st argument (argv[1]) given to the executable).

8. Which port (and protocol) is used by the worm to communicate to other infected machines?

The worm communicates on port 4156 (PORT) over UDP - this can be seen in the calls to audp_listen, audp_send, audp_relay, audp_recv, audp_setup and audp_close functions from main, combined with an examination of those functions (just to check they actually do what their names suggest).

A brief summary of the audp_* functions are detailed below:

functionDescriptionLine numbers
audp_listenCreates a udp socket inst listening on port589-613
audp_setupCreates a udp socket inst connected to host on port615-641
audp_sendSends buffer buf of length len through socket inst662-681
audp_recvRecieves buffer into buf of length len from client through socket inst693-712
audp_relayClones parent socket, connects to host on port643-660
audp_closeCloses socket inst714-724

9. Name 3 functionalities built in the worm to attack other networks.

Three attack methods are TCP flood (lines 2246-2277), TCP flood over IPv6 (2279-2306) and DNS flood (2308-2385). Also included is a UDP flood (2205-2245).

10. What is the purpose of the .update.c program? Which port does it use?

.update.c compiles to an executable that runs as update, listens on port 1052 for a connection. If a connection is made, it checks the password against aion1981, and if the password matches, provides a shell.

Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

UPTIME is used in the for loop so that the program will listen for 10 seconds at a time, before sleeping for SLEEPTIME (5 minutes)


While researching the Apache SSL vulnerabilities, it became clear that this worm was the linux.slapper worm. Two of the many references I found are available at:

Valid XHTML 1.0!