Security Incidents mailing list archives

Analysis of the Beastkit v.7


From: Tom Fischer <Tom.Fischer () rus uni-stuttgart de>
Date: Mon, 11 Feb 2002 14:44:52 +0100

Analysis of the Beastkit 7.0 rootkit found on a RedHat 7.2 system. 

Full description available:
http://cert.Uni-Stuttgart.DE/forensics/rootkits/beastkit.en.php
http://cert.Uni-Stuttgart.DE/forensics/rootkits/beastkit.php (german)

Beastkit 7.0 replaces common system utilities to hide the attacker's 
activities.

List of programs included in the rootkit (bin.tgz):
md5sum                            Filename             Size
98bf3bd30914773e50060a7f56eda4f4  encrypt             14808
ae060f54e8f3a8e79dc95867171811ef  pg                   3552 
f2e3b130a937af92ff507315406589b1  sz                   1382
0a07cf554c1a74ad974416f60916b78d  /bin/ls             39696
195075782a2f7853731bf3e0c62e6925  /bin/netstat        54152
ced323b51dc984f66c2695d8fd6a2368  /bin/ps             62920
e4738d828b366ac21572e6a17f7ecba4  /sbin/ifconfig      31504
753d5e7af271c12e0803956dd8c2b8e6  /sbin/syslogd       26496
0a07cf554c1a74ad974416f60916b78d  /usr/bin/dir        39696
98596eaad65b9f748fca2dcf48a9b3ef  /usr/bin/find       59536
a1931a396d9a7ffbcd0c7612627073ba  /usr/bin/pstree     12340
3fc77d2a3ae361c86ef4629c0f5e380e  /usr/bin/slocate    23560
fd319aa8e6f56a32c0cb8fc6e9a69195  /usr/bin/top        33992
f7acbc61f8715bdda41989683bc8e8a8  /usr/bin/md5sum     31452
0c1411a47e58bcbef33abdaf53ede4e6  /usr/sbin/idrun     89828
56b863dcfacadf6d66d859e2ee59517e  /usr/sbin/lsof      82628

The original programs were replaced by the rootkit. The timestamps
don't change, because the rootkit uses "touch -acmr" to copy the
timestamps of the original files onto the rootkit files.

Beastkit contains some clean-up, sniffing and sshd-update tools (bktools) 
(placed at /lib/ldd.so/bktools): 

md5sum                            Filename             Size
b0812b62c9c3307161c5400870d7d230  bkget               25664
926784667fa921b38fceb124644f6568  bkp                  7578
63c6a53e779c06923344b15a0e8f1799  bks                 16070
12e8748c19abe7a44e67196c22738e9b  bksb                 1345
5dba380b431418f1d15a014472268b65  bkscan               9556
d536271d4c13a2cf71c0e74d09839f27  bktd                90788
2f6957ee2b2c29259225c6b0f271539b  patch                1875
0bb5cb28717d1a36c2a871a1dd713666  prl                  1854
e2384d85534272ba46baa6979cefc634  prw                  1831

An sshd backdoor named "arobia" was installed. The config files were
found in /usr/lib/elm/arobia/. A new password for the backdoor was
generated with the command
"sed s/08e7592e361de6fd59d4d126b29fe6ea/`md5sum --string=$1|awk '{print $1}'`/g elm\ > arobia"
which replaces the default password (08e7592e361de6fd59d4d126b29fe6ea=arobia)
of the original backdoor "elm" and generates the new backdoor "arobia".
After that, "arobia" was moved to /usr/sbin.  The backdoor is started
with "/usr/sbin/arobia -q -p 56493", where 56493 is the port number.

md5sum                            Filename                      Size
f7820a858bceee09246f4454e3c24e95  /usr/sbin/arobia            206760
f78fa4c346287a3af35656a9ac33e733  /usr/lib/elm/arobia/elm     206760
a5d7227117841d0518a6be3510dabb57  /usr/lib/elm/arobia/elm/hk     529
eb1929cdeb8c4abe428540a58adfa7a2  /usr/lib/elm/arobia/elm/hk.pub 333
5fd2ce512e0eba4d090191e8a1518808  /usr/lib/elm/arobia/elm/sc     880
563b9fb9877beb3b33428acdfba1a571  /usr/lib/elm/arobia/elm/sd.pp    6
82ff57cdc95b9b01d88ef5dca721981d  /usr/lib/elm/arobia/elm/sdco   480
a604bd841806dd5abe543a3281eb5a78  /usr/lib/elm/arobia/elm/srsd   512

More rootkit changes:

md5sum                            Filename                      Size
00846ffcc2ed7fa23b42089e92273964  /usr/local/bin/.../bktd      93924
2aed58986303584c96edd16f6195e797  /lib/libproc.a               33848
8581544643145cd159e93df986539ce8  /lib/libproc.so.2.0.6        37984
dcf6a1cb6fd162461195294904c078f8  /lib/lidps1.so                   9
6efdfd44c0b1e197dae1b10e994f7721  /usr/include/file.h             56
1791784f079870739ecc707add37aafe  /usr/include/hosts.h            19
64bdd72e707ba4680cc7d7a58e8aac07  /usr/include/log.h              43
1534580c14b3b70d29d000f3691d1c25  /usr/include/proc.h             47

Regards, Tom
-- 
Tom Fischer                              Tom.Fischer () rus uni-stuttgart de
RUS-CERT University of Stuttgart       Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
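The post's two detection hooks, the md5sum list of trojaned binaries and the "touch -acmr" trick, can be combined into a small sweep. The script below is an added example, not part of Tom Fischer's post or of the RUS-CERT write-up; it embeds the bin.tgz hashes quoted above, walks a directory tree, flags files whose MD5 matches a listed hash, and separately flags files whose ctime is newer than their mtime. That second check exploits a property touch cannot hide: "touch -r" copies atime and mtime from a reference file, but the inode change time (ctime) is set by the kernel on every inode write and cannot be chosen by an unprivileged tool, so a replaced binary whose mtime was copied from the original still carries a fresh ctime. The sample tree built by build_sample_tree() is constructed for the example and does not contain real rootkit files.

```python
import hashlib
import os
import stat
import tempfile
import time

# Trojaned-binary hashes exactly as listed in the post (bin.tgz contents).
BEASTKIT_BIN_LIST = """\
0a07cf554c1a74ad974416f60916b78d  /bin/ls             39696
195075782a2f7853731bf3e0c62e6925  /bin/netstat        54152
ced323b51dc984f66c2695d8fd6a2368  /bin/ps             62920
e4738d828b366ac21572e6a17f7ecba4  /sbin/ifconfig      31504
753d5e7af271c12e0803956dd8c2b8e6  /sbin/syslogd       26496
98596eaad65b9f748fca2dcf48a9b3ef  /usr/bin/find       59536
a1931a396d9a7ffbcd0c7612627073ba  /usr/bin/pstree     12340
3fc77d2a3ae361c86ef4629c0f5e380e  /usr/bin/slocate    23560
fd319aa8e6f56a32c0cb8fc6e9a69195  /usr/bin/top        33992
f7acbc61f8715bdda41989683bc8e8a8  /usr/bin/md5sum     31452
0c1411a47e58bcbef33abdaf53ede4e6  /usr/sbin/idrun     89828
56b863dcfacadf6d66d859e2ee59517e  /usr/sbin/lsof      82628
"""


def parse_hash_list(text):
    """Parse 'md5  path  size' lines into {md5: (path, size)}."""
    known = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        digest, path, size = parts
        known[digest.lower()] = (path, int(size))
    return known


def md5_file(path):
    """MD5 of a file, computed in Python rather than via /usr/bin/md5sum,
    which Beastkit replaces (see the bin.tgz list)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def timestamp_inconsistent(path, slack=2):
    """True if ctime is newer than mtime by more than `slack` seconds.
    touch -acmr rewrites atime/mtime but the kernel sets ctime itself,
    so a replaced file with a copied mtime keeps a recent ctime."""
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime > slack


def scan_tree(root, known):
    """Walk `root`; return [(path, md5, [reasons])] for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(path).st_mode):
                continue
            reasons = []
            digest = md5_file(path)
            if digest in known:
                reasons.append("md5 matches Beastkit %s" % known[digest][0])
            if timestamp_inconsistent(path):
                reasons.append("ctime newer than mtime: timestamps copied?")
            if reasons:
                findings.append((path, digest, reasons))
    return findings


def build_sample_tree():
    """Constructed sample input (not real rootkit files): one 'replaced'
    binary whose mtime was pushed 30 days back the way touch -r would,
    and one untouched file.  Returns (root, md5_of_replaced_file)."""
    root = tempfile.mkdtemp(prefix="bk-scan-")
    replaced = os.path.join(root, "ls")
    with open(replaced, "wb") as f:
        f.write(b"constructed stand-in for a trojaned ls\n")
    old = time.time() - 30 * 86400
    os.utime(replaced, (old, old))  # atime/mtime forged; ctime stays now
    with open(os.path.join(root, "clean"), "wb") as f:
        f.write(b"untouched file\n")
    return root, md5_file(replaced)


if __name__ == "__main__":
    root, digest = build_sample_tree()
    # Add the sample file's hash so the md5 path is exercised too.
    known = parse_hash_list(BEASTKIT_BIN_LIST + "%s  /bin/ls  40\n" % digest)
    for path, md5, reasons in scan_tree(root, known):
        print(path, md5, "; ".join(reasons))
```

On a live host, run this from a trusted interpreter and libc, ideally after booting from clean media, since the post shows Beastkit also swaps /lib/libproc.so.2.0.6 and /usr/bin/md5sum; and treat the ctime check as a lead rather than proof, because package upgrades also leave ctime newer than a preserved mtime.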
