Honeynet Scan of the Month

#25 -- November 2002
Michael Ford
1. Which is the type of the .unlock file? When was it generated? 

% ls -l .unlock
-rw-rw----   1 mike     src         17973 Sep 22 12:06 .unlock
% tar xvfz .unlock 

The .unlock file is a gzip'd tar file, and it was generated on
September 22, 2002 at 16:06z.

2. Based on the source code, who is the author of this worm? 
   When it was created? Is it compatible with the date from question 1? 

% ls -la .*.c
-rw-r-----   1 mike     src         70981 Sep 20 09:28 .unlock.c
-rw-r-----   1 mike     src          2792 Sep 19 17:57 .update.c

The worm consists of two programs, called httpd and update, generated
from the .unlock.c and .update.c files contained in the .unlock file,
respectively.  The author listed in .unlock.c is contem@efnet, with
modifications by aion@ukr.net, and the author of .update.c is listed
as aion@ukr.net, also.  Since email from the worm is sent to
aion@ukr.net, I would assume that aion@ukr.net is the author of the
worm, using a tool created by contem@efnet.

We can't tell when the two files were created, but the file
modifications times are September 19th, 2002 at 21:57z and September
20th, 2002 at 13:28z for .update.c and .unlock.c, respectively.  Based
on those modification times, I assume the worm was created on
September 20th, 2002.  The #define of VERSION in .unlock.c to 20092002
confirms this date.

This date is two days before the date of September 22, 2002 in
question one, so it is compatible.

3. Which process name is used by the worm when it is running? 

The worm runs as two processes, called httpd and update.  httpd is started
as "/tmp/httpd", but after startup, it changes its name in the ps list to
"httpd ".  update is started as "/tmp/update", but after startup, it changes
its name in the ps list to "update   ".

4. In wich format the worm copies itself to the new infected machine? 
   Which files are created in the whole process? After the worm executes
   itself, wich files remain on the infected machine? 

The worm copies itself as a uuencoded file via a Bourne shell "here page".
The following commands are run creating certain files:

  cat > /tmp/.unlock.uu << __eof__;
This uses the here page to create "/tmp/.unlock.uu", which is the
uuencoded file which was just transfered.

  uudecode -o /tmp/.unlock /tmp/.unlock.uu;
This decodes the uuencode file and creates "/tmp/.unlock".  

  tar xzf /tmp/.unlock -C /tmp/;
This extracts "/tmp/.update.c" and "/tmp/.unlock.c" from the gzip'd tar

  gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto;
This compiles ".unlock.c" and creates "/tmp/httpd".

  gcc -o /tmp/update /tmp/.update.c;
This compiles ".update.c" and creates "/tmp/update".

The complete list of files created, all in /tmp, are:


After the worm executes itself on the newly infected host, it removes
all of the previously mentioned files except for ".unlock".  The ".unlock"
file is then disguised by overwriting the gzip magic in the first three
bytes of the file with three bytes containing zero.

5. Which port is scanned by the worm? 

The worm uses multiple ports.  It scans TCP port 80, the HTTPD service, 
to find new hosts to infect.  It reports email addresses found via UDP
port 10100.  

6. Which vulnerability the worm tries to exploit? In which architectures? 

The work tries to exploit a buffer overflow in the Apache web server on
various distributions of Linux on the x86 platform.

7. What kind of information is sent by the worm by email? To which account? 

The worm sends the hostid of the infected host, the hostname of the
infected host, and the ip address of the attacking host back to
"aion@ukr.net" with a from address of "test@microsoft.com".

8. Which port (and protocol) is used by the worm to communicate to other
   infected machines? 

The worm uses UDP port 4156 to communicate between the infected machines.

9. Name 3 functionalities built in the worm to attack other networks. 

1) The worm exploits a vulnerability in the Apache web server and spreads
   itself via that mechanism.
2) The worm can scan all regular files under / except in /proc, /dev, and
   /bin searching for email addresses and then sends those back to a 
   specified address.
3) The worm is capable of launching distributed denial-of-service (DDOS)
   attacks on a specified host using any of a number of different protocols.
4) The worm is capable of running commands locally on specified hosts.

10. What is the purpose of the .update.c program? Which port does it use? 

The .update.c program (compiled to "update") listens on TCP port 1052 and
presents an interactive Bourne shell to anyone connecting to that port on
an infected host.

Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in 
                the .update.c program?

The .update.c program will listen to port 1052 for UPTIME (10) seconds
for a connect.  If none is received, it closes the port and sleeps for
SLEEPTIME (300) seconds, before opening the port again.