Analysis of the Beastkit 7.0 rootkit found on a RedHat 7.2 system.

Full description available:
http://cert.Uni-Stuttgart.DE/forensics/rootkits/beastkit.en.php
http://cert.Uni-Stuttgart.DE/forensics/rootkits/beastkit.php (german)

Beastkit 7.0 replaces common system utilities to hide the attacker's
activities.

List of programs included in the rootkit (bin.tgz):

md5sum                            Filename            Size
98bf3bd30914773e50060a7f56eda4f4  encrypt             14808
ae060f54e8f3a8e79dc95867171811ef  pg                  3552
f2e3b130a937af92ff507315406589b1  sz                  1382
0a07cf554c1a74ad974416f60916b78d  /bin/ls             39696
195075782a2f7853731bf3e0c62e6925  /bin/netstat        54152
ced323b51dc984f66c2695d8fd6a2368  /bin/ps             62920
e4738d828b366ac21572e6a17f7ecba4  /sbin/ifconfig      31504
753d5e7af271c12e0803956dd8c2b8e6  /sbin/syslogd       26496
0a07cf554c1a74ad974416f60916b78d  /usr/bin/dir        39696
98596eaad65b9f748fca2dcf48a9b3ef  /usr/bin/find       59536
a1931a396d9a7ffbcd0c7612627073ba  /usr/bin/pstree     12340
3fc77d2a3ae361c86ef4629c0f5e380e  /usr/bin/slocate    23560
fd319aa8e6f56a32c0cb8fc6e9a69195  /usr/bin/top        33992
f7acbc61f8715bdda41989683bc8e8a8  /usr/bin/md5sum     31452
0c1411a47e58bcbef33abdaf53ede4e6  /usr/sbin/idrun     89828
56b863dcfacadf6d66d859e2ee59517e  /usr/sbin/lsof      82628

The original programs got replaced by the rootkit. The timestamps don't
change, because the rootkit uses "touch -acmr" to transmit the timestamp
to the rootkit files.

Beastkit contains some clean-up, sniffing and sshd-update tools (bktools)
(placed at /lib/ldd.so/bktools):

md5sum                            Filename            Size
b0812b62c9c3307161c5400870d7d230  bkget               25664
926784667fa921b38fceb124644f6568  bkp                 7578
63c6a53e779c06923344b15a0e8f1799  bks                 16070
12e8748c19abe7a44e67196c22738e9b  bksb                1345
5dba380b431418f1d15a014472268b65  bkscan              9556
d536271d4c13a2cf71c0e74d09839f27  bktd                90788
2f6957ee2b2c29259225c6b0f271539b  patch               1875
0bb5cb28717d1a36c2a871a1dd713666  prl                 1854
e2384d85534272ba46baa6979cefc634  prw                 1831

An SSHd backdoor named "arobia" was installed. The config files were found
in /usr/lib/elm/arobia/.
A new password for the backdoor was generated with the command

  sed s/08e7592e361de6fd59d4d126b29fe6ea/`md5sum --string=$1|awk '{print $1}'`/g elm\ > arobia

which replaces the default password (08e7592e361de6fd59d4d126b29fe6ea=arobia)
of the original backdoor "elm" and generates the new backdoor "arobia".
After that, "arobia" was moved to /usr/sbin. The backdoor start-up is done
by "/usr/sbin/arobia -q -p 56493", whereby "56493" is the port number.

md5sum                            Filename                          Size
f7820a858bceee09246f4454e3c24e95  /usr/sbin/arobia                  206760
f78fa4c346287a3af35656a9ac33e733  /usr/lib/elm/arobia/elm           206760
a5d7227117841d0518a6be3510dabb57  /usr/lib/elm/arobia/elm/hk        529
eb1929cdeb8c4abe428540a58adfa7a2  /usr/lib/elm/arobia/elm/hk.pub    333
5fd2ce512e0eba4d090191e8a1518808  /usr/lib/elm/arobia/elm/sc        880
563b9fb9877beb3b33428acdfba1a571  /usr/lib/elm/arobia/elm/sd.pp     6
82ff57cdc95b9b01d88ef5dca721981d  /usr/lib/elm/arobia/elm/sdco      480
a604bd841806dd5abe543a3281eb5a78  /usr/lib/elm/arobia/elm/srsd      512

More rootkit changes:

md5sum                            Filename                    Size
00846ffcc2ed7fa23b42089e92273964  /usr/local/bin/.../bktd     93924
2aed58986303584c96edd16f6195e797  /lib/libproc.a              33848
8581544643145cd159e93df986539ce8  /lib/libproc.so.2.0.6       37984
dcf6a1cb6fd162461195294904c078f8  /lib/lidps1.so              9
6efdfd44c0b1e197dae1b10e994f7721  /usr/include/file.h         56
1791784f079870739ecc707add37aafe  /usr/include/hosts.h        19
64bdd72e707ba4680cc7d7a58e8aac07  /usr/include/log.h          43
1534580c14b3b70d29d000f3691d1c25  /usr/include/proc.h         47

Regards,
Tom

--
Tom Fischer                          Tom.Fischerat_private-stuttgart.de
RUS-CERT University of Stuttgart     Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart    http://cert.uni-stuttgart.de/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
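The two detection points in the report above are (a) the published MD5 list of the trojaned binaries and (b) the fact that "touch -acmr" makes timestamps useless as an indicator, so only content hashing is reliable. The following is an added example, not code from the post or from RUS-CERT, showing a small offline integrity checker built on those two points: it compares each binary against a trusted baseline recorded earlier and against the rootkit hashes quoted in the report. The temp-directory scenario in demo() and its file contents are constructed here; the hash-to-path table is copied from the report's listings.

```python
"""Offline integrity check for trojaned system binaries.

Flags a file if its MD5 is on a published rootkit hash list, or if it no
longer matches a baseline taken from a trusted state. Must itself be run
with a trusted interpreter and hashing code, since the rootkit replaces
/usr/bin/md5sum as well.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# md5 -> path of the replaced binary, as listed in the Beastkit 7.0 report.
BEASTKIT_MD5: Dict[str, str] = {
    "0a07cf554c1a74ad974416f60916b78d": "/bin/ls",
    "195075782a2f7853731bf3e0c62e6925": "/bin/netstat",
    "ced323b51dc984f66c2695d8fd6a2368": "/bin/ps",
    "e4738d828b366ac21572e6a17f7ecba4": "/sbin/ifconfig",
    "753d5e7af271c12e0803956dd8c2b8e6": "/sbin/syslogd",
    "98596eaad65b9f748fca2dcf48a9b3ef": "/usr/bin/find",
    "a1931a396d9a7ffbcd0c7612627073ba": "/usr/bin/pstree",
    "3fc77d2a3ae361c86ef4629c0f5e380e": "/usr/bin/slocate",
    "fd319aa8e6f56a32c0cb8fc6e9a69195": "/usr/bin/top",
    "f7acbc61f8715bdda41989683bc8e8a8": "/usr/bin/md5sum",
    "0c1411a47e58bcbef33abdaf53ede4e6": "/usr/sbin/idrun",
    "56b863dcfacadf6d66d859e2ee59517e": "/usr/sbin/lsof",
    "f7820a858bceee09246f4454e3c24e95": "/usr/sbin/arobia",
}


def md5_of(path: str) -> str:
    """Hash file content in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Record path -> md5 from a known-good state (fresh install or vendor media)."""
    return {p: md5_of(p) for p in paths}


def scan(paths: Iterable[str], baseline: Dict[str, str],
         known_bad: Dict[str, str] = BEASTKIT_MD5) -> List[dict]:
    """Classify each path: missing, known_rootkit, modified (vs baseline) or ok."""
    findings = []
    for p in paths:
        if not os.path.isfile(p):
            findings.append({"path": p, "status": "missing"})
            continue
        digest = md5_of(p)
        if digest in known_bad:
            findings.append({"path": p, "status": "known_rootkit",
                             "md5": digest, "installed_as": known_bad[digest]})
        elif p in baseline and baseline[p] != digest:
            findings.append({"path": p, "status": "modified",
                             "md5": digest, "expected": baseline[p]})
        else:
            findings.append({"path": p, "status": "ok", "md5": digest})
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a fake 'ls', replace it while preserving
    atime/mtime the way 'touch -acmr' does, and show the hash still catches it."""
    with tempfile.TemporaryDirectory() as d:
        ls = os.path.join(d, "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho original ls\n")  # constructed stand-in binary
        before_stat = os.stat(ls)
        baseline = build_baseline([ls])
        before = scan([ls], baseline)[0]["status"]

        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\necho replaced ls\n")  # constructed replacement
        # Copy the original atime/mtime onto the new file (ctime cannot be set this way).
        os.utime(ls, ns=(before_stat.st_atime_ns, before_stat.st_mtime_ns))
        mtime_preserved = os.stat(ls).st_mtime_ns == before_stat.st_mtime_ns
        after = scan([ls], baseline)[0]["status"]

        # Same file checked against a list that carries its hash, as the
        # published table would for a real Beastkit binary.
        listed = {md5_of(ls): "/bin/ls"}
        known = scan([ls], baseline, known_bad=listed)[0]["status"]
        return {"before": before, "after": after, "known": known,
                "mtime_preserved": mtime_preserved}


if __name__ == "__main__":
    print(demo())
```

A baseline is only as good as the state it was taken from; on this host it would have to come from the installation media or from a package database checked with a trusted copy of rpm, not from the running system, because md5sum, find and ls were among the replaced binaries.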
This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 08:53:27 PST