Scan of the Month Answers
- The .unlock file is a gzip-compressed tar archive. According to
the gzip timestamp, it was created on September 20 2002 at 03:59:04.
It contains two C language source code files.
- According to the comments in the source code, the worm was originally
created by contem@efnet, and later modified by firstname.lastname@example.org. The VERSION
macro defined in the file .unlock.c has the value 20092002, which is
apparently another reference to the date of creation of the worm,
September 20 2002. The timestamp on the source code file is
September 20 2002 06:28:11, which is after the time of creation of the
compressed archive. This does not make sense; one or both timestamps
must be in error.
- The worm sets its process name to "httpd" when it is running, in an
attempt to keep the administrator of the infected system from becoming
- When the worm succeeds in exploiting a vulnerable machine, it sends
the .unlock file to the target encoded using the same method as
uuencode. The following files are created in /tmp during the
Once the infection is complete and the newly created httpd and update
daemons have been started, all files are deleted except for .unlock,
which is kept so it can be copied to newly infected machines. The nature of
that file is obscured by overwriting its first few bytes with nulls.
- The worm scans port 80 (http) looking for web servers.
- When a server is found, the worm attempts to connect to it on port 443
(https) and exploit a bug in the handling of the client key value in version
2 of the SSL protocol
(BugTraq ID 5363).
The exploit is designed to work against the Apache web server on Intel
x86-based servers running Debian, Gentoo, Mandrake, Red-Hat, Slackware,
or SuSE Linux. The BugTraq database notes that a worm has been discovered
in the wild which uses this vulnerability to propagate and includes
peer-to-peer and distributed denial-of-service capabilities; perhaps this
is that worm.
- After infecting a host, the worm sends e-mail to email@example.com containing
the following information:
- Host ID of the infected machine, as returned by gethostid(1).
This value is usually based on the host's IP address.
- Host name of the infected machine, as returned by
- IP address of the host that infected this one.
- The worm communicates with other infected machines on UDP port 4156.
- A number of denial-of-service attacks are built into the worm. It can:
- Flood a given address with UDP packets addressed to a particular port,
or to random ports.
- Bombard an address with many TCP connection requests (SYN flood).
- Send a large number of DNS queries to a name server.
- The .update.c program is a back door that gives root access
to the infected machine. It listens to TCP port 1052. The back door is
protected by a simple password which is hardcoded into the program.
- In order to avoid showing up in netstat listings of open
ports, the back door is not kept open at all times. It listens for
new connections for UPTIME seconds, then closes the port and
sleeps for SLEEPTIME seconds. Then it reopens the port and
repeats the process.