[Dshield] Apache/FreeBSD worm: armchair analysis by detective-wannabe

Neil Richardson neilr at ieee.org
Fri Jun 28 21:43:26 GMT 2002

    Upon seeing the messages about the new Apache/FreeBSD worm, I decided 
to try and help by throwing another pair of eyeballs at the problem (and 
start learning how the process works at the same time).  For those who are 
required to analyze it but haven't started yet, I hope my observations help 
pinpoint items to look at; for those who know how but aren't required to, 
I'd appreciate any feedback you could give me; and for those of you who 
don't know how and aren't interested, my apologies for wasting your time.  :-]

    My "analysis" was done by using the cygwin port of objdump on the .a 
file with the following parameters: "-a -f -p -g -x -S -s".  Output was 
sent to file and loaded into Nano (cygwin port of Pico).  All line numbers 
thus refer to the line number as specified by Nano.

    Line 2879 ("Contents of section .rodata:") seems to begin the most 
informative section, as it seems to contain the text of the HTTP requests 
(before the attack code) and the commands to create the .a file 
(specifically, line 2956).

    Curiously, I also see what seems to contain a string to talk to an SMTP 
server and report a return-path as being in the AOL.com domain (line 2967 
and 2977).  Later there's a line that seems to indicate an analysis of the 
emails (line 3041).

    Line 9187 seems to indicate the beginning of a function called 
SendMail.  If that interpretation of the syntax is correct, then line 7938 
is the #1 thing to look at: that's the line that function "exploit" begins on.

    Line 2988 appears to contain a date code: 
"24-06-2002".  Release/compile date?

    Line 2938 looks like the return strings it's set to recognize:
       "FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)"
       "FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)"

    If I'm correct about everything so far, and the plaintext I've seen 
isn't just part of the standard system libraries, what do we 
have?  Something about Apache v1.3.22-24 and v1.3.20 makes it vulnerable to 
attack.  (Based on the packet capture at the previously-mentioned URL, my 
hunch is it's a "buffer-overflow" attack...just don't ask if I could 
recognize any other kind of exploit.  ;-)

    The worm sends email to someone it has discovered (based on the use of 
a string-variable in the SMTP text), using a variable-text subject line, 
and makes it look like it's coming from [variable-text]@aol.com.  It has 
code to do HTTP 1.0 or 1.1 requests, but does the POST as 1.1.  It also 
seems to do something with cookies, though I don't know if it's generating, 
making, or simply forging, and I can't think of why it'd bother.

    That's all I could get with plaintext and uneducated guesses...how am I 
doing so far?

Thank you for your time,

-Neil R.

Supreme Lord High Commander and Keeper of the Holy Potato
Random thought for the day:

    To really screw up it takes a computer...usually
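An added example, my own code rather than anything from the post or the worm: a small Python triage script that does by program what the objdump-plus-Nano pass above does by eye. It pulls the .rodata section out of a single little-endian ELF32 object (one member of the .a archive, which is an assumption; the archive itself is not parsed), extracts printable strings the way `strings` or `objdump -s` would, and buckets them by the indicator classes the post singles out (the Apache/FreeBSD banners it recognises, the SMTP/aol.com return-path text, HTTP request lines, the date code). The regexes and the sample ELF image are constructed for the demo.

```python
import re, struct

# Indicator classes taken from the post; the regexes are mine, constructed for triage.
INDICATORS = {
    "target banner": re.compile(rb"Apache/1\.3\.(20|22-24) \(Unix\)"),
    "smtp/return-path": re.compile(rb"aol\.com|MAIL FROM|RCPT TO", re.I),
    "http request": re.compile(rb"HTTP/1\.[01]"),
    "date code": re.compile(rb"\b\d{2}-\d{2}-\d{4}\b"),
}

def elf32_section(data: bytes, name: str) -> bytes:
    """Return the raw bytes of a named section of a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 image")
    e_shoff, _, _, _, _, e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<IIHHHHHH", data, 32)
    shdr = lambda i: struct.unpack_from("<10I", data, e_shoff + i * e_shentsize)
    st_off, st_size = shdr(e_shstrndx)[4:6]  # .shstrtab holds the section names
    strtab = data[st_off:st_off + st_size]
    for i in range(e_shnum):
        sh_name, _, _, _, sh_offset, sh_size = shdr(i)[:6]
        if strtab[sh_name:strtab.index(b"\0", sh_name)] == name.encode():
            return data[sh_offset:sh_offset + sh_size]
    raise KeyError(name)

def strings(blob: bytes, min_len: int = 4):
    """Yield (offset, bytes) for printable-ASCII runs, like `strings` / objdump -s."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group()

def triage(data: bytes) -> dict:
    """Bucket the .rodata strings by the indicator class they match."""
    hits = {cat: [] for cat in INDICATORS}
    for off, s in strings(elf32_section(data, ".rodata")):
        for cat, rx in INDICATORS.items():
            if rx.search(s):
                hits[cat].append((off, s.decode()))
    return hits

def build_sample_elf32() -> bytes:
    """Constructed stand-in for the worm object: ELF32 with only .rodata and .shstrtab."""
    rodata = b"\0".join([b"GET / HTTP/1.1", b"FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)",
                         b"MAIL FROM: <%s@aol.com>", b"24-06-2002", b"xy"]) + b"\0"
    shstrtab = b"\0.rodata\0.shstrtab\0"
    ro_off, st_off = 52, 52 + len(rodata)
    shoff = st_off + len(shstrtab)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 2)
    shdrs = (bytes(40)  # SHT_NULL entry, then .rodata (PROGBITS) and .shstrtab (STRTAB)
             + struct.pack("<10I", 1, 1, 2, 0, ro_off, len(rodata), 0, 0, 1, 0)
             + struct.pack("<10I", 9, 3, 0, 0, st_off, len(shstrtab), 0, 0, 1, 0))
    return ehdr + rodata + shstrtab + shdrs
```

Run `triage()` on a real object instead of the sample to get the same four buckets with .rodata-relative offsets; the offsets are what you then hand to objdump or a disassembler to find the code that references each string.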
