ld.so.preload ROOT KIT:
=======================

SYNOPSIS:
---------

An unusual root kit was observed on a research honeypot. This root kit
uses a shared library (libshow.so) rather than trojan binaries to hide
the intruder's activity. It adds an entry to the /etc/ld.so.preload file
(or creates it if it's absent), which causes the system to preload this
shared library every time a dynamically linked application is run. This
library filters out specific file, process and network information.
Although not unheard of, this kit would seem to present a significant
threat.

The machine was a basic Pentium Lintel box running stock Redhat 7.0. It
was compromised with an ftp buffer overflow.

SEQUENCE OF EVENTS:
-------------------

SNORT reports a buffer overflow:

-------------------------------------------------------------------------
attacks  from            to        method
=========================================================================
420      134.184.43.10   1.1.1.1   FTP EXPLOIT stat overflow : {TCP}
420      134.184.43.10   1.1.1.1   FTP wu-ftp file completion attempt { {TCP}
1        134.184.43.10   1.1.1.1   FTP wu-ftp file completion attempt [ {TCP}
-------------------------------------------------------------------------

An incident handler on duty runs the aide (file checksum) application
and finds discrepancies in the file system (aide output edited and
cleaned):

-------------------------------------------------------------------------
added:/etc/ld.so.preload
added:/lib/libZ.a
added:/lib/libZ.a/DISCLAIMER
added:/lib/libZ.a/log
added:/lib/libZ.a/log/sniff
added:/lib/libZ.a/log/pid.zdsnf.eth0
added:/lib/libZ.a/tmp
added:/lib/libZ.a/bin
added:/lib/libZ.a/bin/rkpasswd
added:/lib/libZ.a/bin/findkit
added:/lib/libZ.a/bin/ldd
added:/lib/libZ.a/bin/ld-linux
added:/lib/libZ.a/bin/checkrk
added:/lib/libZ.a/bin/bincheck
added:/lib/libZ.a/bin/lcheck
added:/lib/libZ.a/sbin
added:/lib/libZ.a/sbin/zdcrond
added:/lib/libZ.a/sbin/in.sshd
added:/lib/libZ.a/sbin/sshd_chk
added:/lib/libZ.a/sbin/ssh-keygen
added:/lib/libZ.a/sbin/zdsnf
added:/lib/libZ.a/sbin/zdsnf_chk
added:/lib/libZ.a/sbin/zdsshd.pid
added:/lib/libZ.a/etc
added:/lib/libZ.a/etc/cron
added:/lib/libZ.a/etc/file
added:/lib/libZ.a/etc/host
added:/lib/libZ.a/etc/log
added:/lib/libZ.a/etc/proc
added:/lib/libZ.a/etc/primes
added:/lib/libZ.a/etc/rkp
added:/lib/libZ.a/etc/sshd_config
added:/lib/libZ.a/etc/ssh_host_key
added:/lib/libZ.a/etc/ssh_host_key.pub
added:/lib/libZ.a/etc/ssh_host_dsa_key
added:/lib/libZ.a/etc/ssh_host_dsa_key.pub
added:/lib/libZ.a/etc/ssh_host_rsa_key
added:/lib/libZ.a/etc/ssh_host_rsa_key.pub
added:/lib/libZ.a/.common
added:/lib/libZ.a/.profile
added:/lib/libZ.a/.cshrc
added:/lib/libshow.so.0.9.5
added:/lib/libshow.so
changed:/lib
-------------------------------------------------------------------------

No trojan binaries were observed in the aide output.

A system copy of lsof was used in an attempt to determine if any unusual
processes, network listeners or files were present. All attempts to see
the files listed in the aide output failed.

The aide program was rerun in an attempt to confirm the initial findings.
This run produced identical results.

At that point, the machine was shut down and booted from a Jump Kit(2) CD,
and the root partition was mounted at a different mount point. From this
vantage point the root kit was completely visible.

ANALYSIS:
---------

The kit hides the intruder by preloading a shared library. This library,
libshow.so.0.9.5, appears to prevent any dynamically linked application
using the system libraries from seeing specified files, processes and
network information.

The kit includes a sniffer, a cron process and an sshd back door which
appears to randomize its listening TCP port. The cron process appears to
be used as a keepalive for the trojan sshd and sniffer in the event of a
reboot.

The installation is performed by a binary application.
Contents of the root kit file 'zdlk.wav':

zdlk-0.9.5/
zdlk-0.9.5/rmkit2
zdlk-0.9.5/libshow.so.0.9.5
zdlk-0.9.5/zd
zdlk-0.9.5/install
zdlk-0.9.5/DISCLAIMER
zdlk-0.9.5/README
zdlk-0.9.5/INSTALL
zdlk-0.9.5/CHANGES
zdlk-0.9.5/homedir.tar
zdlk-0.9.5/wted

Further analysis is ongoing at this time.

HOW TO DETERMINE IF YOU ARE INFECTED:
------------------------------------

Here are several simple ways to tell if you are infected:

1) Try to touch /tmp/libshow.so:

   bash# touch /tmp/libshow.so
   touch: /tmp/libshow.so: Permission denied

   If libshow is on your system, it will try to protect that file name
   and you will get a 'Permission denied' message.

2) Load 'sash'(3), the Stand Alone Shell, and use its internal file
   commands to look for the libraries:

   sh# sash
   Stand-alone shell (version 3.4)
   > ls -l /etc/ld.so.preload
   ls: /etc/ld.so.preload: No such file or directory
   > -ls -l /lib/libshow.so
   lrwxrwxrwx   1 root     root           21 Jan 10 16:52 libshow.so
   > -ls -l /etc/ld.so.preload
   -rw-r--r--   1 root     root           21 Jan 10 16:52 ld.so.preload

   Putting the dash "-" in front of the command uses sash's internal
   commands. /lib/libshow.so and /etc/ld.so.preload are now clearly
   visible.

3) Use (or make) statically linked binary utilities (ls, mv, rm, lsof
   etc.) from your Jump Kit(2) CD to look for the above files.

4) Boot your system from the installation CD, enter rescue mode, mount
   the file system and look for the above mentioned files.

-->> NOTE: CHKROOTKIT(5) WILL NOT PRESENTLY DETECT THIS ROOT KIT! <<--

CLEANING THIS ROOT KIT:
----------------------

Using sash, static binaries or booting from your rescue CD, move the
offending /etc/ld.so.preload file into /tmp and run ldconfig (or better
yet, reboot). You can now *see* the hidden files.

Remove the files:

   bash# rm -rf /lib/libshow.so.0.9.5
   bash# rm -rf /lib/libshow.so

Remove the directory:

   bash# rm -rf /lib/libZ.a

Restore anything legitimate you may have had (but probably not) in
/etc/ld.so.preload and reboot the system.
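To re-run the detection checks above without trusting the system's dynamically linked utilities, here is an added example (not part of the original post or the kit's own tooling): a small audit program meant to be compiled statically, so /etc/ld.so.preload is never consulted for it. It reads the preload file through plain system calls, lists the libraries it names, and repeats the touch test by trying to create the guarded file name. The file name preload_audit.c and the function names are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAX_ENTRIES 16
#define NAME_LEN 256

/* Parse the text of /etc/ld.so.preload: library names separated by
 * whitespace or ':'; a '#' starts a comment that runs to end of line. */
int parse_preload(const char *text, char names[][NAME_LEN], int max) {
    int n = 0, len = 0, in_comment = 0;
    for (const char *p = text;; p++) {
        char c = *p;
        if (c == '#') in_comment = 1; else if (c == '\n') in_comment = 0;
        if (c == '\0' || c == ' ' || c == '\t' || c == '\n' || c == ':' || in_comment) {
            if (len > 0 && n < max) names[n++][len] = '\0';   /* close the current name */
            len = 0;
            if (c == '\0') break;
        } else if (n < max && len < NAME_LEN - 1) {
            names[n][len++] = c;
        }
    }
    return n;
}

/* The "touch /tmp/libshow.so" test: a hooked open() answers EACCES for the guarded
 * name. Returns 1 on EACCES, 0 if the file could be created (it is removed again). */
int probe_guarded_name(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) { close(fd); unlink(path); return 0; }
    return errno == EACCES;
}

/* Build with `gcc -static -O2 -o preload_audit preload_audit.c`: a static binary
 * never loads ld.so.preload, so libshow.so cannot interpose on its libc calls. */
int main(void) {
    char text[4096] = {0}, names[MAX_ENTRIES][NAME_LEN];
    int fd = open("/etc/ld.so.preload", O_RDONLY);
    if (fd < 0) {
        printf("/etc/ld.so.preload: %s\n", strerror(errno));
    } else {
        ssize_t got = read(fd, text, sizeof text - 1);
        close(fd);
        int n = parse_preload(got > 0 ? text : "", names, MAX_ENTRIES);
        printf("/etc/ld.so.preload lists %d entries\n", n);
        for (int i = 0; i < n; i++) printf("  %s (%s)\n", names[i], access(names[i], F_OK) == 0 ? "present" : "not found");
    }
    printf("touch /tmp/libshow.so refused with EACCES: %s\n", probe_guarded_name("/tmp/libshow.so") ? "YES, suspicious" : "no");
    return 0;
}
```

On a clean system the program reports that /etc/ld.so.preload is absent (or lists only entries you put there yourself) and that the touch probe succeeded.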
Retest for this and other goodies.

SOURCES:
--------

(1) AIDE           http://www.cs.tut.fi/~rammer/aide.html
(2) Jump Kit HOWTO http://www.infotech-nj.com/papers/JumpKit_HOWTO.txt
(3) SASH           http://www.canb.auug.org.au/~dbell/

--Gideon

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 08:27:19 PST