Here's a preliminary report on the Linux Bobkit.
Matt Fearnow received copies of the bobkit from a few
sources. This analysis is based on the version from January 13th.
Author
sArGeAnt wrote the package. He probably speaks Dutch;
see the IRC lines quoted at http://www.securiteam.com/exploits/6R00M1F0AI.html
and http://cert.uni-stuttgart.de/archive/bugtraq/2000/11/msg00265.html
<sArGeAnt> nog een keer sukkel
<sArGeAnt> en je ken es lekker kijken hoe packetjes je modem binnen komen
which translates to:
here, once more, dumbass
and then you can take a nice look at how those packets enter your modem
http://www.bedford.net/teep60.htm
reviews sArGeAnt's toolkit.
Overview
Bobkit appears to be a rootkit: a collection of programs
installed on a system once an attacker has acquired root access on it.
This one appears to include an ssh backdoor, the adore
Linux kernel module and a Tribe Flood Network (TFN) distributed denial
of service agent.
It is able to update itself by downloading new versions or
additional code from two known URLs at free web site hosting companies.
Both companies have been contacted and have confirmed that the sites in
question have been disabled, so existing bobkits can no longer update
themselves from these sites.
Recent versions of the kit install themselves to
"/usr/include/..." (note the three dots). Older versions installed
themselves to /tmp/.bkp . /usr/include/... also serves as the home
directory for the attacker's logins.
Some of the binaries included in the kit are compressed with
what appears to be a custom-compiled version of the UPX executable
compressor. Stock copies of UPX are not able to decompress the
binaries, which implies that the compression format has been modified to
hinder inspection of the binaries' contents. Note that this only defeats
the stock "upx -d" command: a UPX-style packer still has to decompress
the program in memory before it can run, so the original code can be
recovered by running the binary under a debugger or dumping the memory of
the running process.
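To make the install-location indicators above something a responder can act on, here is a small Python scan, added to this report as an example; it is not part of the kit or of the original analysis. It constructs a throwaway directory tree laid out like an infected host (a constructed sample, not data from a real compromise) and walks it with os.lstat and os.readlink rather than ls or find, since the kit replaces both. The "bkit-" prefix match, the indicator names and the layout of the sample tree are assumptions of the example.

```python
import os
import stat
import tempfile

# Indicators from the Bobkit write-up: a directory literally named "..."
# (recent kits live in /usr/include/...), the older /tmp/.bkp location,
# and history/core files symlinked to /dev/null so nothing is recorded.
# The "bkit-" filename prefix is taken from the File Summary.
OLD_INSTALL_DIRS = ("tmp/.bkp",)
NULL_LINKS = (".bash_history", "core", "nohup.out")
KIT_PREFIX = "bkit-"


def scan_for_bobkit(root):
    """Walk the tree under `root` (normally "/") and return a sorted list of
    (indicator, path) tuples. Uses os.lstat/os.readlink directly instead of
    shelling out to ls or find, because the kit replaces both binaries."""
    findings = set()
    for rel in OLD_INSTALL_DIRS:
        path = os.path.join(root, rel)
        if os.path.isdir(path):
            findings.add(("install-dir", path))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; keep scanning
            if name == "...":
                findings.add(("triple-dot-dir", path))
            if name.startswith(KIT_PREFIX):
                findings.add(("bkit-file", path))
            if stat.S_ISLNK(st.st_mode) and name in NULL_LINKS:
                if os.readlink(path) == "/dev/null":
                    findings.add(("history-to-devnull", path))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway tree laid out like an infected host. This is a
    constructed sample for the example, not data from a real compromise."""
    root = tempfile.mkdtemp(prefix="bobkit-demo-")
    home = os.path.join(root, "usr", "include", "...")
    os.makedirs(home)
    for name in ("bkit-shd", "bkit-shdcfg", "bkit-adore.o"):
        open(os.path.join(home, name), "w").close()
    for name in NULL_LINKS:
        os.symlink("/dev/null", os.path.join(home, name))
    os.makedirs(os.path.join(root, "tmp", ".bkp"))
    # A clean user: a real history file, not a symlink, so it must not fire.
    user = os.path.join(root, "home", "alice")
    os.makedirs(user)
    with open(os.path.join(user, ".bash_history"), "w") as f:
        f.write("ls -la\n")
    return root


if __name__ == "__main__":
    for indicator, path in scan_for_bobkit(build_sample_tree()):
        print("%-20s %s" % (indicator, path))
```

Run it against "/" on a suspect host from a shell whose PATH points at known-good binaries; a directory named "..." anywhere, or a shell history that is a symlink to /dev/null, is worth a look on its own even if the bkit-* names have been changed.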
File Summary
Here are the files found in the kit and what each one does.
- .bash_history
- Symlink to /dev/null to avoid saving any command history
- bkit-adore.o
- Adore kernel module
- bkit-ava
- Adore kernel module control tool
- bkit-d
- Inserts the adore kernel module and copies /etc/rc.d/rc.{local,modules} back and forth to each other, presumably so the module is reloaded at boot.
- bkit-dl
- Downloader script that uses bkit-get to pull down
new or additional files from the free web space sites. It downloads the
files, untars them, and removes the originals, then runs bkit-seal if
that was included in the download; bkit-seal is not in the base tar.
- bkit-f
- Looks like a Tribe Flood Network (TFN) agent (see
http://www.sunmanagers.org/pipermail/summaries/2001-April/000494.html
and http://www.cert.org/incident_notes/IN-99-07.html )
- bkit-get
- UPX-compressed URL downloader. "bkit-get URL" appears to
download the URL to a file of the same name in the current directory.
- bkit-mc
- Calls Midnight Commander (mc), then removes the mc history
file
- bkit-patch
- Pulls down a new version of the code from the free web sites.
- bkit-patches
- Program inside bkit-patches.tgz, run after the latter is unpacked.
- bkit-patches.tgz
- Downloaded from the free web sites. Probably updates to the
code.
- bkit-pw
- Not sure; probably a backdoor password for ssh
- bkit-screen
- Symlink to /usr/bin/screen. Because the symlink gives the
process a distinct name, the attacker can use the adore kernel module to
hide any instances of screen started as bkit-screen while ordinary
screen instances stay visible in a process listing.
- bkit-seal
- Pulled down inside the downloaded tar; probably uses the
adore kernel module to hide the kit.
- bkit-shd
- Custom-compiled ssh server
- bkit-shd.pid
- Probably the pid file for bkit-shd
- bkit-shdcfg
- Config file for the rootkit-supplied sshd. It listens on port
5454/tcp, allows root logins, and allows empty passwords. A listener or
an inbound connection on 5454/tcp is therefore a good network-side
indicator for this kit.
- bkit-shhk
- SSH private key (the name suggests the server host key)
- bkit-shrs
- 512 bytes; probably the ssh random seed.
- bkit-sleep
- Symlink to /bin/sleep. As with bkit-screen, the distinct
process name lets the attacker hide any instances of sleep started as
bkit-sleep with the adore kernel module, while normal sleep instances
stay visible in a process listing.
- core
- Symlink to /dev/null so no core dumps are saved
- du
- du replacement
- find
- find replacement
- ls
- ls replacement
- lsof
- lsof replacement
- netstat
- netstat replacement
- nohup.out
- Symlink to /dev/null to avoid saving the output from any
jobs started with nohup
- psr
- ps replacement
- pstree
- pstree replacement
- top
- top replacement, UPX-compressed
- slocate
- slocate replacement
- uconf.inv
- Not sure
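Because the kit replaces netstat (along with lsof, ps and friends), the backdoor sshd on 5454/tcp may simply not appear in their output. The following Python is an added example and not code from the kit or from the original report: it parses the kernel's own socket table in /proc/net/tcp format (here a constructed sample, not a real capture), decodes the hex addresses, and reports any LISTEN socket that a constructed "netstat -an" listing omits. The sample contents and inode numbers are made up for the example, and the little-endian decode of the IPv4 address assumes an x86 host.

```python
import socket
import struct

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr):
    """Turn the '0100007F:154E' form used in /proc/net/tcp into
    ('127.0.0.1', 5454). The IPv4 part is in host byte order (assumed
    little-endian here), the port is plain big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def proc_listeners(proc_net_tcp):
    """Parse the text of /proc/net/tcp; return {(ip, port): inode} for
    every socket in LISTEN state."""
    result = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        result[(ip, port)] = int(fields[9])
    return result


def netstat_listeners(netstat_output):
    """Parse 'netstat -an' style lines; return the set of (ip, port) the
    userland tool admits to listening on."""
    seen = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ip, port = fields[3].rsplit(":", 1)
            seen.add((ip, int(port)))
    return seen


def hidden_listeners(proc_net_tcp, netstat_output):
    """Listeners present in the kernel table but absent from the tool's output:
    exactly what a trojaned netstat is filtering."""
    admitted = netstat_listeners(netstat_output)
    return {k: v for k, v in proc_listeners(proc_net_tcp).items() if k not in admitted}


# Constructed sample of /proc/net/tcp on an infected host (not a real capture):
# the real sshd on 22, bkit-shd on 5454 (0x154E), and one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 00000000:154E 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4402 1 0000000000000000 100 0 0 10 0
   2: 0100007F:154E 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 4410 1 0000000000000000 20 4 30 10 -1
"""

# Constructed output of the kit's netstat replacement: the 5454 listener is gone.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    for (ip, port), inode in hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT).items():
        print("hidden listener %s:%d (socket inode %d)" % (ip, port, inode))
```

On a live host, read /proc/net/tcp (and /proc/net/tcp6) with a binary you trust, such as a cat copied from read-only media, and feed the result to proc_listeners; the socket inode it reports can then be matched against the links in /proc/*/fd to find the owning process without trusting the replaced lsof. The same cross-check applies to the ps, pstree and top replacements: list /proc/[0-9]* directly and diff it against their output, and verify the installed binaries themselves with rpm -V or a known-good copy. Keep in mind that adore works inside the kernel and can filter /proc as well, so a clean /proc is evidence, not proof, that the host is clean.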
Credits
Many thanks to Matt Fearnow for the original code and Vincent
Berk for the translation.
This advisory was written by William Stearns of the Institute
for Security Technology Studies.
Revision History
- 0.1
- First release for review 1/23/2002