From: Tom Fischer (Tom.Fischerrus.uni-stuttgart.de)
Date: Mon Feb 11 2002 - 07:44:52 CST


    Analysis of the Beastkit 7.0 rootkit found on a RedHat 7.2 system.

    Full description available:
    http://cert.Uni-Stuttgart.DE/forensics/rootkits/beastkit.en.php
    http://cert.Uni-Stuttgart.DE/forensics/rootkits/beastkit.php (german)

    Beastkit 7.0 replaces common system utilities to hide the attacker's
    activities.

    List of programs included in the rootkit (bin.tgz):
    md5sum Filename Size
    98bf3bd30914773e50060a7f56eda4f4 encrypt 14808
    ae060f54e8f3a8e79dc95867171811ef pg 3552
    f2e3b130a937af92ff507315406589b1 sz 1382
    0a07cf554c1a74ad974416f60916b78d /bin/ls 39696
    195075782a2f7853731bf3e0c62e6925 /bin/netstat 54152
    ced323b51dc984f66c2695d8fd6a2368 /bin/ps 62920
    e4738d828b366ac21572e6a17f7ecba4 /sbin/ifconfig 31504
    753d5e7af271c12e0803956dd8c2b8e6 /sbin/syslogd 26496
    0a07cf554c1a74ad974416f60916b78d /usr/bin/dir 39696
    98596eaad65b9f748fca2dcf48a9b3ef /usr/bin/find 59536
    a1931a396d9a7ffbcd0c7612627073ba /usr/bin/pstree 12340
    3fc77d2a3ae361c86ef4629c0f5e380e /usr/bin/slocate 23560
    fd319aa8e6f56a32c0cb8fc6e9a69195 /usr/bin/top 33992
    f7acbc61f8715bdda41989683bc8e8a8 /usr/bin/md5sum 31452
    0c1411a47e58bcbef33abdaf53ede4e6 /usr/sbin/idrun 89828
    56b863dcfacadf6d66d859e2ee59517e /usr/sbin/lsof 82628

    The original programs got replaced by the rootkit. The timestamps
    don't change, because the rootkit uses "touch -acmr" to transmit the
    timestamp to the rootkit files.

    Beastkit contains some clean-up, sniffing and sshd-update tools (bktools)
    (placed at /lib/ldd.so/bktools):

    md5sum Filename Size
    b0812b62c9c3307161c5400870d7d230 bkget 25664
    926784667fa921b38fceb124644f6568 bkp 7578
    63c6a53e779c06923344b15a0e8f1799 bks 16070
    12e8748c19abe7a44e67196c22738e9b bksb 1345
    5dba380b431418f1d15a014472268b65 bkscan 9556
    d536271d4c13a2cf71c0e74d09839f27 bktd 90788
    2f6957ee2b2c29259225c6b0f271539b patch 1875
    0bb5cb28717d1a36c2a871a1dd713666 prl 1854
    e2384d85534272ba46baa6979cefc634 prw 1831

    An SSHd backdoor named "arobia" was installed. The config files were
    found in /usr/lib/elm/arobia/. A new password for the backdoor was
    generated with the command
    "sed s/08e7592e361de6fd59d4d126b29fe6ea/`md5sum --string=$1|awk '{print $1}'`/g elm\ > arobia"
    which replaces the default password (08e7592e361de6fd59d4d126b29fe6ea=arobia)
    of the original backdoor "elm" and generates the new backdoor "arobia".
    After that, "arobia" was moved to /usr/sbin. The backdoor start-up is done
    by "/usr/sbin/arobia -q -p 56493", whereby "56493" is the port number.

    md5sum Filename Size
    f7820a858bceee09246f4454e3c24e95 /usr/sbin/arobia 206760
    f78fa4c346287a3af35656a9ac33e733 /usr/lib/elm/arobia/elm 206760
    a5d7227117841d0518a6be3510dabb57 /usr/lib/elm/arobia/elm/hk 529
    eb1929cdeb8c4abe428540a58adfa7a2 /usr/lib/elm/arobia/elm/hk.pub 333
    5fd2ce512e0eba4d090191e8a1518808 /usr/lib/elm/arobia/elm/sc 880
    563b9fb9877beb3b33428acdfba1a571 /usr/lib/elm/arobia/elm/sd.pp 6
    82ff57cdc95b9b01d88ef5dca721981d /usr/lib/elm/arobia/elm/sdco 480
    a604bd841806dd5abe543a3281eb5a78 /usr/lib/elm/arobia/elm/srsd 512

    More rootkit changes:

    md5sum Filename Size
    00846ffcc2ed7fa23b42089e92273964 /usr/local/bin/.../bktd 93924
    2aed58986303584c96edd16f6195e797 /lib/libproc.a 33848
    8581544643145cd159e93df986539ce8 /lib/libproc.so.2.0.6 37984
    dcf6a1cb6fd162461195294904c078f8 /lib/lidps1.so 9
    6efdfd44c0b1e197dae1b10e994f7721 /usr/include/file.h 56
    1791784f079870739ecc707add37aafe /usr/include/hosts.h 19
    64bdd72e707ba4680cc7d7a58e8aac07 /usr/include/log.h 43
    1534580c14b3b70d29d000f3691d1c25 /usr/include/proc.h 47

    Regards, Tom

    -- 
    Tom Fischer                              Tom.Fischerrus.uni-stuttgart.de
    RUS-CERT University of Stuttgart       Tel:+49 711 685-8076 / -5898 (fax)
    Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/
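An added defender-side check, not code from the post or from RUS-CERT: it takes the replaced-binary hashes from the bin.tgz table above, hashes the listed paths with Python's hashlib rather than the system md5sum (the table shows /usr/bin/md5sum itself is replaced), and additionally flags files whose ctime is far newer than their mtime, because "touch -acmr" copies atime and mtime but cannot set the inode change time. The `root` parameter (for a mounted image of the suspect disk) and the 86400-second slack are assumptions.

```python
import hashlib
import os

# Beastkit 7.0 replaced-binary hashes copied from the post above ("md5sum path size").
BEASTKIT_HASHES = """
0a07cf554c1a74ad974416f60916b78d /bin/ls 39696
195075782a2f7853731bf3e0c62e6925 /bin/netstat 54152
ced323b51dc984f66c2695d8fd6a2368 /bin/ps 62920
e4738d828b366ac21572e6a17f7ecba4 /sbin/ifconfig 31504
753d5e7af271c12e0803956dd8c2b8e6 /sbin/syslogd 26496
0a07cf554c1a74ad974416f60916b78d /usr/bin/dir 39696
98596eaad65b9f748fca2dcf48a9b3ef /usr/bin/find 59536
a1931a396d9a7ffbcd0c7612627073ba /usr/bin/pstree 12340
3fc77d2a3ae361c86ef4629c0f5e380e /usr/bin/slocate 23560
fd319aa8e6f56a32c0cb8fc6e9a69195 /usr/bin/top 33992
f7acbc61f8715bdda41989683bc8e8a8 /usr/bin/md5sum 31452
0c1411a47e58bcbef33abdaf53ede4e6 /usr/sbin/idrun 89828
56b863dcfacadf6d66d859e2ee59517e /usr/sbin/lsof 82628
"""

def parse_table(text):
    """Parse 'md5sum path size' lines into {path: (md5, size)}; other lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and len(parts[0]) == 32 and parts[2].isdigit():
            entries[parts[1]] = (parts[0].lower(), int(parts[2]))
    return entries

def timestamps_backdated(mtime, ctime, slack=86400):
    """touch -acmr copies atime/mtime but cannot set ctime: a ctime far newer than mtime is suspect."""
    return ctime - mtime > slack

def check_file(path, expected_md5, expected_size, root="/"):
    """MISSING, MATCH (rootkit hash), SIZE (same size, other hash) or CLEAN, plus +BACKDATED."""
    full = os.path.join(root, path.lstrip("/"))
    try:
        st = os.stat(full)
        with open(full, "rb") as f:
            digest = hashlib.md5(f.read()).hexdigest()  # hashlib, not the kit's own md5sum
    except OSError:
        return "MISSING"
    status = "MATCH" if digest == expected_md5 else ("SIZE" if st.st_size == expected_size else "CLEAN")
    return status + ("+BACKDATED" if timestamps_backdated(st.st_mtime, st.st_ctime) else "")

def scan(root="/"):
    """Check every listed path under root, ideally a read-only mounted image of the suspect disk."""
    return {p: check_file(p, m, s, root) for p, (m, s) in parse_table(BEASTKIT_HASHES).items()}
```

The bktools and arobia tables from the post can be appended to BEASTKIT_HASHES in the same "md5sum path size" form.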
    
