ld.so.preload Root Kit

From: Gideon Lenkey (glenkey@infotech-nj.com)
Date: Thu Jan 10 2002 - 19:11:06 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ld.so.preload ROOT KIT:
    =======================
    
    SYNOPSIS:
    - ---------
    
    An unusual root kit was observed on a research honeypot. This root kit uses a
    shared library (libshow.so) rather than trojan binaries to hide the intruder's
    activity. It adds an entry to the /etc/ld.so.preload file (or creates it if
    it's absent) which causes the system to preload this shared library every time
    a dynamically linked application is run. This library filters out specific
    file, process and network information. Although not unheard of, this kit
    would seem to present a significant threat.
    
    The machine was a basic Pentium Lintel box running stock Red Hat 7.0.
    It was compromised with an ftp buffer overflow.
    
    SEQUENCE OF EVENTS:
    - -------------------
    
    SNORT reports a buffer overflow:
    
    - -------------------------------------------------------------------------
    
    attacks  from              to                method
    =========================================================================
       420     134.184.43.10     1.1.1.1    FTP EXPLOIT stat overflow : {TCP}
       420     134.184.43.10     1.1.1.1    FTP wu-ftp file completion attempt { {TCP}
       1      134.184.43.10     1.1.1.1    FTP wu-ftp file completion attempt [ {TCP}
    
    - -------------------------------------------------------------------------
    
    An incident handler on duty runs the aide (file checksum) application
    and finds discrepancies in the file system (aide output edited and
    cleaned):
    
    - -------------------------------------------------------------------------
    
    added:/etc/ld.so.preload
    added:/lib/libZ.a
    added:/lib/libZ.a/DISCLAIMER
    added:/lib/libZ.a/log
    added:/lib/libZ.a/log/sniff
    added:/lib/libZ.a/log/pid.zdsnf.eth0
    added:/lib/libZ.a/tmp
    added:/lib/libZ.a/bin
    added:/lib/libZ.a/bin/rkpasswd
    added:/lib/libZ.a/bin/findkit
    added:/lib/libZ.a/bin/ldd
    added:/lib/libZ.a/bin/ld-linux
    added:/lib/libZ.a/bin/checkrk
    added:/lib/libZ.a/bin/bincheck
    added:/lib/libZ.a/bin/lcheck
    added:/lib/libZ.a/sbin
    added:/lib/libZ.a/sbin/zdcrond
    added:/lib/libZ.a/sbin/in.sshd
    added:/lib/libZ.a/sbin/sshd_chk
    added:/lib/libZ.a/sbin/ssh-keygen
    added:/lib/libZ.a/sbin/zdsnf
    added:/lib/libZ.a/sbin/zdsnf_chk
    added:/lib/libZ.a/sbin/zdsshd.pid
    added:/lib/libZ.a/etc
    added:/lib/libZ.a/etc/cron
    added:/lib/libZ.a/etc/file
    added:/lib/libZ.a/etc/host
    added:/lib/libZ.a/etc/log
    added:/lib/libZ.a/etc/proc
    added:/lib/libZ.a/etc/primes
    added:/lib/libZ.a/etc/rkp
    added:/lib/libZ.a/etc/sshd_config
    added:/lib/libZ.a/etc/ssh_host_key
    added:/lib/libZ.a/etc/ssh_host_key.pub
    added:/lib/libZ.a/etc/ssh_host_dsa_key
    added:/lib/libZ.a/etc/ssh_host_dsa_key.pub
    added:/lib/libZ.a/etc/ssh_host_rsa_key
    added:/lib/libZ.a/etc/ssh_host_rsa_key.pub
    added:/lib/libZ.a/.common
    added:/lib/libZ.a/.profile
    added:/lib/libZ.a/.cshrc
    added:/lib/libshow.so.0.9.5
    added:/lib/libshow.so
    changed:/lib
    
    - -------------------------------------------------------------------------
    
    No trojan binaries were observed in the aide output. A system copy of
    lsof was used in an attempt to determine if any unusual processes,
    network listeners or files were present. All attempts to see the files
    listed in the aide output failed.
    
    The aide program was rerun in an attempt to confirm the initial
    findings. This run produced identical results.
    
    At that point, the machine was shut down and booted from a jump kit(2) CD and
    the root partition mounted from a different mount point. From this
    vantage point the root kit was completely visible.
    
    ANALYSIS:
    - ---------
    
    The kit hides the intruder by preloading a shared library. This library,
    libshow.so.0.9.5, appears to prevent any dynamically linked applications
    using the system libraries from seeing specified files, processes and
    network information.
    
    The kit includes a sniffer, a cron process and an sshd back door which
    appears to randomize its listening TCP port. The cron process appears to
    be used as a keepalive for the trojan sshd and sniffer in the event of a
    reboot.
    
    
    The installation is performed by a binary application.
    
    Contents of the root kit file 'zdlk.wav':
    
    	zdlk-0.9.5/
    	zdlk-0.9.5/rmkit2
    	zdlk-0.9.5/libshow.so.0.9.5
    	zdlk-0.9.5/zd
    	zdlk-0.9.5/install
    	zdlk-0.9.5/DISCLAIMER
    	zdlk-0.9.5/README
    	zdlk-0.9.5/INSTALL
    	zdlk-0.9.5/CHANGES
    	zdlk-0.9.5/homedir.tar
    	zdlk-0.9.5/wted
    
    Further analysis is ongoing at this time.
    
    HOW TO DETERMINE IF YOU ARE INFECTED:
    - ------------------------------------
    
    Here are several simple ways to tell if you are infected:
    
    1) Try to touch /tmp/libshow.so :
    
    	bash# touch /tmp/libshow.so
    	touch: /tmp/libshow.so: Permission denied
    
    If libshow is on your system, it will try to protect that file name and
    you will get a 'Permission denied' message.
    
    2) Load 'sash'(3), the Stand Alone Shell, and use its internal file
    commands to look for the libraries:
    
    	sh# sash
    	Stand-alone shell (version 3.4)
    	> ls -l /etc/ld.so.preload
    	ls: /etc/ld.so.preload: No such file or directory
    
    	> -ls -l /lib/libshow.so
    	lrwxrwxrwx  1 root     root           21  Jan 10 16:52 libshow.so
    
    	> -ls -l /etc/ld.so.preload
    	-rw-r--r--  1 root     root           21  Jan 10 16:52 ld.so.preload
    
    Putting the dash "-" in front of the command uses sash's internal
    commands.  /lib/libshow.so and /etc/ld.so.preload are now clearly
    visible.
    
    3) Use (or make) statically linked binary utilities (ls, mv, rm, lsof etc.)
    from your Jump Kit(2) CD to look for the above files.
    
    4) Boot your system from the installation CD, enter rescue mode, mount the
    file system and look for the above mentioned files.
    
    - -->> NOTE: CHKROOT KIT(5) WILL NOT PRESENTLY DETECT THIS ROOT KIT! <<--
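    The checks above all rely on getting underneath the libc wrappers the preloaded
    library interposes (sash's builtins, static binaries, a rescue CD). The program
    below is an added example written for this archive page, not code from the
    original post or from the kit it describes, that does the same two things from a
    normal dynamically linked process: it reads /etc/ld.so.preload through raw
    syscalls and lists a directory both via getdents64 and via readdir(), counting
    entries the kernel reports but libc does not. It assumes Linux with glibc; the
    function names and the /mnt/victim prefix convention are this example's own.
    Because syscall() is itself a libc function, a library that also hooks it would
    defeat the comparison, so the static-binary and rescue-CD steps remain the
    reliable fallback.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Added defensive example (hypothetical helper names, not from the original
 * post). Raw openat/read/getdents64 syscalls bypass the libc wrappers a
 * preloaded library such as libshow.so typically interposes. */

struct linux_dirent64 {            /* kernel record returned by getdents64 */
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};

/* Read up to cap-1 bytes of `path` with raw syscalls; -1 if it cannot be opened. */
static long raw_read_file(const char *path, char *buf, size_t cap) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0) return -1;
    long n = syscall(SYS_read, fd, buf, cap - 1);
    syscall(SYS_close, fd);
    if (n < 0) n = 0;
    buf[n] = '\0';
    return n;
}

/* Count library names in ld.so.preload text: glibc reads the file as a
 * whitespace-separated list; '#' to end of line is treated as a comment here. */
int count_preload_tokens(const char *text) {
    int n = 0;
    for (const char *p = text; *p; ) {
        if (*p == '#') { while (*p && *p != '\n') p++; continue; }
        if (strchr(" \t\r\n", *p)) { p++; continue; }
        const char *start = p;
        while (*p && !strchr(" \t\r\n#", *p)) p++;
        fprintf(stderr, "preloaded library: %.*s\n", (int)(p - start), start);
        n++;
    }
    return n;
}

/* Libraries listed in the preload file at `path`; 0 when the file is absent. */
int count_preload_entries(const char *path) {
    char buf[4096];
    if (raw_read_file(path, buf, sizeof buf) < 0) return 0;
    return count_preload_tokens(buf);
}

#define MAX_ENTRIES 4096
static char raw_names[MAX_ENTRIES][256];   /* static: too large for the stack */
static unsigned char seen[MAX_ENTRIES];

/* Fill raw_names via getdents64; returns the number stored (capped), -1 on error. */
static int raw_list(const char *dir) {
    long fd = syscall(SYS_openat, AT_FDCWD, dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int n = 0;
    long nread;
    while ((nread = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long pos = 0; pos < nread; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (n < MAX_ENTRIES) snprintf(raw_names[n++], 256, "%s", d->d_name);
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}

/* Entries the kernel reports for `dir` that libc's readdir() does not: 0 on a
 * clean system, positive if something is filtering readdir, -1 on error. */
int count_hidden_entries(const char *dir) {
    int nraw = raw_list(dir);
    if (nraw < 0) return -1;
    DIR *dp = opendir(dir);
    if (!dp) return -1;
    memset(seen, 0, sizeof seen);
    struct dirent *e;
    while ((e = readdir(dp)) != NULL)
        for (int i = 0; i < nraw; i++)
            if (!seen[i] && strcmp(raw_names[i], e->d_name) == 0) { seen[i] = 1; break; }
    closedir(dp);
    int hidden = 0;
    for (int i = 0; i < nraw; i++)
        if (!seen[i]) { hidden++; fprintf(stderr, "hidden from readdir: %s/%s\n", dir, raw_names[i]); }
    return hidden;
}

int main(int argc, char **argv) {
    /* Optional argument: prefix of a mounted image (e.g. /mnt/victim), as in the
     * rescue-CD step. The preload check is meaningful there; the readdir
     * comparison only says something on the live, possibly infected, system. */
    const char *root = argc > 1 ? argv[1] : "";
    char path[4096];
    snprintf(path, sizeof path, "%s/etc/ld.so.preload", root);
    int entries = count_preload_entries(path);
    snprintf(path, sizeof path, "%s/lib", root);
    int hidden = count_hidden_entries(path);
    printf("preload entries: %d, entries hidden from readdir in %s: %d\n", entries, path, hidden);
    return (entries > 0 || hidden > 0) ? 1 : 0;
}
```

    Compile it with `gcc -o preloadchk preloadchk.c` on a known-clean machine and
    carry the binary on the jump kit; run it with no argument on the suspect host,
    or with the mount point of the victim's root partition after booting from the
    rescue CD. A non-zero exit status means either that /etc/ld.so.preload names at
    least one library or that readdir() dropped entries the kernel returned for
    /lib, and the names involved are printed on stderr.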
    
    CLEANING THIS ROOT KIT:
    - ----------------------
    
    Using sash, static binaries or booting from your rescue CD, move the
    offending /etc/ld.so.preload file into /tmp and run ldconfig (or better
    yet reboot).
    
    You can now *see* the hidden files.
    
    Remove the files:
    	bash# rm -rf /lib/libshow.so.0.9.5
    	bash# rm -rf /lib/libshow.so
    
    Remove the directory:
    	bash# rm -rf /lib/libZ.a
    
    Restore anything legitimate you may have had (but probably not) in
    /etc/ld.so.preload and reboot the system. Retest for this and other
    goodies.
    
    SOURCES:
    - --------
    
    (1) AIDE
    	http://www.cs.tut.fi/~rammer/aide.html
    
    (2) Jump Kit HOWTO
    	http://www.infotech-nj.com/papers/JumpKit_HOWTO.txt
    
    (3) SASH
    	http://www.canb.auug.org.au/~dbell/
    
    
    
    
    - --Gideon
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.5 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE8PlfRH1ef35JVa+wRAtOJAKCu4q7J7cXGCEIscJezMk3eAVoU1wCfa+0U
    jpuYh0CZsW/TLa7Ob1ZoI9Y=
    =sWr7
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 08:27:19 PST