From jason@fcom.net Sat Mar 17 20:01:46 2001
Date: Mon, 05 Mar 2001 15:16:58 -0500
From: Jason Fairfax
To: project@honeynet.org
Subject: Scan of the month

SCAN 13

Q1. What is the blackhat attempting to do with his command line syntax?
A1. Scan different subnets.

Q2. What does the tool accomplish?
A2. Scans for vulnerable RPC STATD processes running on Redhat 6.0/6.1/6.2, exploits if found and then downloads and installs a root kit, xzibit.tar.gz. luckgo line 50: "Program launched in background,it will SCAN,GET ROOT and INSTALL a rOOtKiT for U."

Q3. How does the tool work?
A3. Rudimentary shell (/bin/sh) script wraps a [modified] scanner binary and a [modified] exploit binary. The rootkit is based on lamerk.

Q4. Is this tool a worm, or would you classify it as something else?
A4. No, not a worm. Hybrid, or 'Trybrid': scanner->exploit->rootkit.

Q5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?
A5. No, not original. luckstatdx.c is a modified statdx.c by ron1n; the scanner I think is a modified pscan.c.

Bonus Question: What information can you obtain about who is using or created the tool?

- luckstatdx.c line 189: "Aici cred ca trebuie un exit." - possibly Romanian
- luckstatd.c line 187: " " character indicates possible windows editor..??
- luckstatdx binary: Contains a different source URL for the rootkit, neamtu.lsa.ro/rg.tgz
- luckgo line 28: They, "BeCyS, ReSpEkT and coSes", hang out on IRC (doh)
- They like ANSI colour codez, which is odd as it's long out of [1;36m phasion [1;38m
- Their main goal with this 'tool' seems to be root compromise of systems at random and at will, without any thought or care what the system is being used for: rooting boxes for future use, DDOS, distributed processing etc.
- BeCyS is almost certainly pronounced 'be-ch-is' ala 'biash' ala 'biatchs' ala 'bitches' ...
- becys@yahoo.com is telephone number (Romania) 093837243 ... give him a call, say hi from us ]:. http://www.rdsnet.ro/rds-bin/publicitate_detaliu?anunttype_id=1

PS: Lance/Marty outstanding BoF at SANS New Orleans by the way ....
PPS: My entry is a bit rushed, only had 30min, apologies. Didn't have time for a write up ...
PPPS: Main thing to note from all of this though is the dangerous slant [back] towards mad ANSI skillz ]:.