[Dshield] Apache/FreeBSD worm: armchair analysis by detective-wannabe
neilr at ieee.org
Fri Jun 28 21:43:26 GMT 2002
Upon seeing the messages about the new Apache/FreeBSD worm, I decided
to try and help by throwing another pair of eyeballs at the problem (and
start learning how the process works at the same time). For those who are
required to analyze it but haven't started yet, I hope my observations help
pinpoint items to look at; for those who know how but aren't required to,
I'd appreciate any feedback you could give me; and for those of you who
don't know how and aren't interested, my apologies for wasting your time. :-]
My "analysis" was done by using the cygwin port of objdump on the .a
file with the following parameters: "-a -f -p -g -x -S -s". Output was
sent to file and loaded into Nano (cygwin port of Pico). All line numbers
thus refer to the line number as specified by Nano.
Line 2879 ("Contents of section .rodata:") seems to begin the most
informative section, as it seems to contain the text of the HTTP requests
(before the attack code) and the commands to create the .a file
(specifically, line 2956).
Curiously, I also see what seems to contain a string to talk to an SMTP
server and report a return-path as being in the AOL.com domain (lines 2967
and 2977). Later there's a line that seems to indicate an analysis of the
emails (line 3041).
Line 9187 seems to indicate the beginning of a function called
SendMail. If that interpretation of the syntax is correct, then line 7938
is the #1 thing to look at: that's the line that function "exploit" begins on.
Line 2988 appears to contain a date code:
"24-06-2002". Release/compile date?
Line 2938 looks like the return strings it's set to recognize:
"FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)"
"FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)"
If I'm correct about everything so far, and the plaintext I've seen
isn't just part of the standard system libraries, what do we
have? Something about Apache v1.3.22-24 and v1.3.20 makes it vulnerable to
attack. (Based on the packet capture at the previously-mentioned URL, my
hunch is it's a "buffer-overflow" attack...just don't ask if I could
recognize any other kind of exploit. ;-)
The worm sends email to someone it has discovered (based on the use of
a string-variable in the SMTP text), using a variable-text subject line,
and makes it look like it's coming from [variable-text]@aol.com. It has
code to do HTTP 1.0 or 1.1 requests, but does the POST as 1.1. It also
seems to do something with cookies, though I don't know if it's generating,
making, or simply forging, and I can't think of why it'd bother.
That's all I could get with plaintext and uneducated guesses...how am I
doing so far?
Thank you for your time,
Supreme Lord High Commander and Keeper of the Holy Potato
Random thought for the day:
To really screw up it takes a computer...usually
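As an added illustration of the triage described in the post above (this is editor-supplied example code, not part of the original message or of the worm): a small Python script that rebuilds section bytes from `objdump -s` output, pulls the NUL-terminated strings out of `.rodata`, and tags the kinds of strings the post singles out (HTTP request lines, SMTP headers, server banners, a date). The dump it parses is a constructed sample, not the actual binary.

```python
import re
# Constructed sample in `objdump -s` layout (address, hex groups, ASCII
# column); not taken from the actual worm binary.
SAMPLE_DUMP = """\
Contents of section .text:
 0000 554889e5 c3000000                    UH......
Contents of section .rodata:
 1000 47455420 2f204854 54502f31 2e310d0a  GET / HTTP/1.1..
 1010 00526574 75726e2d 50617468 3a203c25  .Return-Path: <%
 1020 7340616f 6c2e636f 6d3e0a00 32342d30  s@aol.com>..24-0
 1030 362d3230 30320046 72656542 53442034  6-2002.FreeBSD 4
 1040 2e352078 3836202f 20417061 6368652f  .5 x86 / Apache/
 1050 312e332e 32302028 556e6978 29000000  1.3.20 (Unix)...
"""
HEADER = re.compile(r"^Contents of section (\S+):")
ROW = re.compile(r"^\s*[0-9a-f]+ ((?:[0-9a-f]{2,8} )+)")
# Indicator classes the post singles out: HTTP request lines, SMTP
# headers/verbs, the server banners it matches on, and a build date.
TAGS = [
    ("http-request", re.compile(r"^(GET|POST|HEAD) \S+ HTTP/1\.[01]")),
    ("smtp", re.compile(r"^(Return-Path|From|To|Subject):|^(HELO|MAIL FROM|RCPT TO)\b")),
    ("banner", re.compile(r"FreeBSD|Apache/\d")),
    ("date", re.compile(r"\b\d{2}-\d{2}-\d{4}\b")),
]
def parse_objdump_s(text):
    """Rebuild {section_name: bytes} from the hex columns of `objdump -s`."""
    sections, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = sections.setdefault(h.group(1), bytearray())
            continue
        r = ROW.match(line)
        if r and current is not None:  # hex column only; ASCII column ignored
            current += bytes.fromhex(r.group(1).replace(" ", ""))
    return {k: bytes(v) for k, v in sections.items()}
def printable_strings(blob, minlen=4):
    """NUL-separated runs of printable ASCII (tab/CR/LF allowed)."""
    return [c.decode("ascii") for c in blob.split(b"\x00")
            if len(c) >= minlen and all(32 <= b < 127 or b in (9, 10, 13) for b in c)]
def triage(dump_text, section=".rodata"):
    """Tag each string in the section with the first indicator it matches."""
    found = []
    for s in printable_strings(parse_objdump_s(dump_text).get(section, b"")):
        tag = next((t for t, pat in TAGS if pat.search(s)), "other")
        found.append((tag, s.rstrip()))
    return found
```

Run `triage(open("dump.txt").read())` on a real `objdump -s` capture to get the tagged string list; anything tagged "other" is still worth a look by hand.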