We decided to release this document because of the complexity of the recently released worm that exploits the Apache vulnerability. We chose to call the worm "APC" (a string the worm itself emits next to an error message).
The worm can easily be altered, by editing the source code that appeared on Bugtraq, to suit any recently discovered exploit. It may be considered the first of its kind in terms of speed of infection and uniqueness of deployment. The worm creates a distributed network of interconnected clients that, with slight modifications, can perform virtually anything.
Detection is a bit tricky if you are a systems administrator on a large network. The worm scans random IPs on port 80, which makes detecting the scanning more difficult. The worm does not infect the local network, which prevents a sysadmin from noticing large amounts of traffic on the internal network. We have analyzed the code supplied by Bugtraq and provide comments on the functions it declares. This gives an inside view of the worm in question.
Credit:
The information has been provided by Jonathan James.
Detection:
There are many ways to detect the worm. Check your /tmp/ directory for hidden files, especially ".a" and ".uua". Use "netstat" to examine UDP/TCP connections. Look for traffic that uses UDP port 2001 and TCP port 10100.
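As an added example (not part of the original advisory, and not code from the worm), the following POSIX shell script checks a host for the indicators listed above: the hidden files /tmp/.a and /tmp/.uua, a UDP socket on port 2001 and a TCP socket on port 10100. The script name apc_check.sh and the --live flag are my own conventions; the netstat -an output it parses is the usual Linux "addr:port" and BSD "addr.port" form, and the sample lines in the comments are constructed.

```shell
#!/bin/sh
# apc_check.sh - added example, not from the advisory or the worm source.
# Looks for the APC worm indicators named in the Detection section:
#   - hidden files /tmp/.a and /tmp/.uua
#   - a UDP socket on port 2001 (the worm's client/server channel)
#   - a TCP socket on port 10100
# The directory and the netstat output are parameters so the checks can be
# exercised against constructed input as well as the live host.

# check_tmp_files DIR
# Prints any indicator file found under DIR (default /tmp).
# Returns 0 when none is present, 1 when at least one is.
check_tmp_files() {
    dir="${1:-/tmp}"
    found=0
    for name in .a .uua; do
        if [ -e "$dir/$name" ]; then
            echo "indicator file present: $dir/$name"
            found=1
        fi
    done
    return "$found"
}

# check_ports
# Reads 'netstat -an' style lines on stdin, e.g. (constructed samples)
#   udp        0      0 0.0.0.0:2001            0.0.0.0:*
#   tcp        0      0 10.0.0.5:10100          10.0.0.9:41231   ESTABLISHED
# Column 4 is the local address, column 5 the remote address; both the
# Linux "addr:port" and the BSD "addr.port" separators are accepted.
# Prints lines whose local UDP port is 2001 or whose local or remote TCP
# port is 10100. Returns 0 when nothing matched, 1 otherwise.
check_ports() {
    matches=$(awk '
        $1 ~ /^udp/ && $4 ~ /[:.]2001$/                          { print; next }
        $1 ~ /^tcp/ && ($4 ~ /[:.]10100$/ || $5 ~ /[:.]10100$/)  { print }
    ')
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        return 1
    fi
    return 0
}

# scan_host
# Runs both checks against the local machine. Returns 1 if anything matched.
scan_host() {
    status=0
    check_tmp_files /tmp || status=1
    if command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | check_ports || status=1
    fi
    return "$status"
}

# Only touch the live host when explicitly asked: sh apc_check.sh --live
if [ "${1:-}" = "--live" ]; then
    scan_host
    exit $?
fi
```

A port match is only a lead, not proof: any unrelated service bound to 2001 or 10100 will also show up, so follow a hit by identifying the owning process before acting on it. The file check is the stronger signal, since ".a" and ".uua" in /tmp are names the worm itself creates.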
Theories of origin:
The programmer of the APC worm seems to have in-depth knowledge of the surrounding OS functionality, TCP/IP and advanced C development. The programmer is probably an American resident, since AOL (http://www.aol.com) was hard coded as the predefined e-mail host when sending spoofed e-mail messages (lines 1347 and 1349 in apache-worm.c). The worm also uses the American date format (06-24-2002). In addition, the worm uses a DNS server hosted by AT&T in St. Louis. The error messages are also written in good English. There are some Italian comments in the supplied source code, which could imply an Italian influence of some kind, but not necessarily.
Global Functions and Variables:
abind - Takes a pointer to an "ainst" structure as its first parameter, an IP as the second and a port as the third. Binds a socket.
addseq - Adds the long parameter to the beginning of the LINKS list.
addserver - Adds a server value (long) to the list and dynamically grows the links variable.
AddToList - Adds a new uppercase string value to the linklist.
aerror - Returns an error message over the socket.
aresolve - Resolves an IP to its corresponding hostname.
atcp_accept - Accepts an incoming socket. (TCP)
atcp_close - Closes a socket instance. (TCP)
atcp_connect - Connects to a specified host on a specified port. (TCP)
atcp_recv - Receives data from an instance of a socket. (TCP)
atcp_send - Writes data to an instance of a socket. (TCP)
atcp_sendmsg - Not used? Sends a message using audp_send together with a specified string. (UDP)
atcp_sync_check - Checks whether clients are ALIVE? (TCP)
atcp_sync_connect - Synchronous connect to a specified host on a specified port. (TCP)
audp_close - Closes an instance of a socket. (UDP)
audp_listen - Listens for incoming packets on a specified port. (UDP)
audp_recv - Receives data from an instance of a socket. (UDP)
audp_send - Sends data to an instance of a socket. (UDP)
audp_sendmsg - Same as atcp_sendmsg. Not used? Sends a message using audp_send together with a specified string. (UDP)
audp_setup - Sets up a socket connection using UDP. (UDP)
await - Returns the status of a data stream connection (read, write, etc.).
broadcast - Broadcasts to all links (UDP port 2001).
broute - Broadcast route? Record route? Routing table of broadcast messages?
classes - Variable containing IP classes from 3 to 239.
cleanup - Cleans up a char buffer, replacing \n, \r or ' ' with 0 (null termination).
clients - Defines an array of 256 instances of the structure ainst, named clients.
conv - Converts the server address from unsigned long to char.
_decrypt - Decrypts char data. Used in the main function.
encode - Uuencodes /tmp/.a and sends it over the socket.
_encrypt - Encrypts char data. Used in the main function.
exploit - The main exploit function. Tries to exploit a given IP by sending the shellcode that gives the worm a shell. The worm then deletes /tmp/.a, writes the uuencoded worm to a new file called /tmp/.uua, decodes /tmp/.uua with the /usr/bin/uudecode binary into /tmp/.a, makes it executable, runs it with the local IP as an argument and exits.
GetAddress - Gets the web server software name of a given IP.
GetServer - Queries 12.127.17.71 (dns-rs1.bgtmo.ip.att.net, hosted by AT&T, St. Louis).
grand - Returns a "random" long value.
gsrand - Sets the sseed int to the unsigned long value supplied as an argument.
isgood - Checks whether a character is alphabetic, numeric or one of @ . ^ - _
islisten - Checks whether a character is alphabetic, numeric or ".".
isreal - Checks whether an IP is an internally (intranet) used one.
linklist - The linklist, a structure.
links - An unsigned long pointer.
Log - Logs entries to /bin/.log. Not used?
mailservers - Struct containing mail servers.
main - The main function. Starts the UDP server (port 2001), contacts clients and announces "I'm alive!". Scans for new victims, DNS flooding functions, etc.
mfork - Spawns a new process.
myip - Variable containing the IP.
nas - Does nothing.
newseq - Redefines the seq variable (random).
numlinks - Unsigned long containing the number of links.
numpids - Unsigned long containing the number of PIDs.
pids - Unsigned int, number of PIDs?
relay - Relays UDP connections to other clients (UDP port 2001).
routes - Route table containing links.
ScanFile - Scans a file for e-mail addresses, ruling out addresses containing ".gov", ".hlp", webmaster@mydomain.com, a single "." and a single "@".
sendch - Filters `, \\ and $ from a single-char buffer, replacing them with \\ and 0.
senderror - Sends an error.
SendMail - Sends user-defined e-mail using SMTP.
sequence - Unsigned long array with 64 elements.
shellcode - Contains shellcode that spawns a shell.
sseed - Unsigned int used in the crypt functions.
StartScan - Starts scanning files on the system, excluding "/dev", "/proc" and "/bin".
syncm - Syncs lists with other clients?
targets - Contains overflow offsets for FreeBSD.
udpclient - Instance of the ainst structure.
udpserver - Instance of the ainst structure.
useseq - Uses the sequence.
victim - Alias for targets.
ViewWebsite - Views a website.
writem - Writes data to a socket.