Analysis of files in hax.tgz


The files found in hax.tgz are largely similar to those found in bigwar.tgz. However, numerous binaries in hax.tgz are infected with a virus, while those in bigwar.tgz are not. The following files and directories make up hax.tgz:
.c
.d
.p
chattr
cl
clean
create
dir
du
encrypt
fix
ifconfig
init
killall
lg
libproc.so.2.0.6
login
ls
lsof
mailme
md5sum
modules
netstat
nscd
ps
pstree
remove
replace
setup
socklist/
ssh_host_key
ssh_host_key.pub
ssh_random_seed
sshd_config
startfile
tools/
top
vdir


.c, .d, .p
Perform similar functions as their counterparts in the bigwar directory.

chattr, dir, du, encrypt, fix, ifconfig, killall, login, ls, lsof, md5sum, netstat, pstree, top, vdir
File type ELF executable
Functionality
Trojanised binaries infected with a virus
Interesting strings output
OSF
Origin
These binaries are infected with Linux.OSF.8759 virus.
Analysis
Similar observations to the counterparts in bigwar.tgz, but each file carries an extra 8759 bytes. We compared two files of the same name from both directories. Taking the program "du" as an example, we first parsed the two files with the readelf command; the outputs are as follows:

$ readelf -a du
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 02 00 a0 d0 01 00
    ...
    ...
  Entry point address:               0x804d167
    ...
    ...
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
    ...
    ...
  [13] .text             PROGBITS        08049020 001020 0035bc 00  AX  0   0 16
    ...
    ...
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
    ...
    ...
  LOAD           0x000000 0x08048000 0x08048000 0x06167 0x06167 R E 0x1000
    ...
    ...

$ readelf -a ../bigwar/du
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
    ...
    ...
  Entry point address:               0x8049020
    ...
    ...
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
    ...
    ...
  [13] .text             PROGBITS        08049020 001020 0035bc 00  AX  0   0 16
    ...
    ...
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
    ...
    ...
  LOAD           0x000000 0x08048000 0x08048000 0x05167 0x05167 R E 0x1000
    ...
    ...

A few observations were made:
  1. Bytes 9 through 16 of the ELF header are a reserved (padding) field that the various compilers normally set to 0. In the case of hax/du, however, these bytes are non-zero, a sign that the binary has been modified after it was compiled.
  2. The entry point of hax/du, 0x804d167, does not fall within the .text section (0x8049020-0x804c5dc). This is not typical for a compiled program and is further evidence that it has been modified.
  3. The read-and-execute LOAD segment (the code/text segment) of the executable has grown from 0x5167 to 0x6167 bytes, an increase of 0x1000 bytes, i.e. one page. We also observed that the segments ordered after the code segment, i.e. the data segment and the dynamic segment, have their offsets increased by 0x1000 as well, indicating that new code has been appended to the original code segment. This technique is known as segment padding and is commonly used by ELF viruses or parasites [ELF virus].
The above observations indicate that the binaries in hax.tgz are likely infected by a virus. We extracted the 0x1000 bytes that follow the original code segment and attempted to disassemble them. Our first observation was the string "OSF" at offset 3 into the extracted code (in hax/du itself the string is at offset 0x516a). A Google search for "ELF virus OSF" showed that this is the Linux.OSF.8759 virus. A description of the virus is available at http://www.kav.ch/avpve/newexe/unix/osf8759.stm.
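To make the three header checks above repeatable, here is an added example (not part of the original analysis) that parses an ELF32 header, program table and section table with Python's struct module and applies them. It builds two constructed, header-only images (not runnable binaries) from the values quoted in the two readelf outputs for hax/du and bigwar/du, and assumes little-endian ELF32 input.

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # ELF32 header, little-endian
PHDR = struct.Struct("<IIIIIIII")           # ELF32 program header
SHDR = struct.Struct("<IIIIIIIIII")         # ELF32 section header
PT_LOAD, PF_X = 1, 1

def elf32_checks(data):
    """Apply the three header checks from the analysis to an ELF32 image."""
    (ident, _t, _m, _v, entry, phoff, shoff, _f, _eh, phsz, phnum,
     shsz, shnum, shstrndx) = EHDR.unpack_from(data, 0)
    # 1. bytes 9-16 of e_ident are padding and should all be zero
    padding_nonzero = any(ident[8:16])
    # 2. the entry point should fall inside the .text section
    shdrs = [SHDR.unpack_from(data, shoff + i * shsz) for i in range(shnum)]
    strtab_off = shdrs[shstrndx][4]           # sh_offset of .shstrtab
    text_range = None
    for name, _ty, _fl, addr, _off, size, *_ in shdrs:
        end = data.index(b"\0", strtab_off + name)
        if data[strtab_off + name:end] == b".text":
            text_range = (addr, addr + size)
    entry_in_text = text_range is not None and text_range[0] <= entry < text_range[1]
    # 3. file size of the executable LOAD segment; compare it against a clean copy
    code_filesz = None
    for i in range(phnum):
        ptype, _o, _va, _pa, filesz, _ms, flags, _al = PHDR.unpack_from(data, phoff + i * phsz)
        if ptype == PT_LOAD and flags & PF_X:
            code_filesz = filesz
    return {"padding_nonzero": padding_nonzero, "entry_in_text": entry_in_text,
            "code_filesz": code_filesz}

def build_sample(padding, entry, code_filesz):
    """Constructed ELF32 header/table image (not a runnable binary) that reuses
    the .text address and size readelf reported for du: 0x8049020, 0x35bc."""
    ident = b"\x7fELF\x01\x01\x01\x00" + bytes(padding)
    strtab = b"\0.text\0.shstrtab\0"
    phoff, shoff = 52, 52 + 32
    stroff = shoff + 3 * 40
    ehdr = EHDR.pack(ident, 2, 3, 1, entry, phoff, shoff, 0, 52, 32, 1, 40, 3, 2)
    phdr = PHDR.pack(PT_LOAD, 0, 0x8048000, 0x8048000, code_filesz, code_filesz, 5, 0x1000)
    shdrs = SHDR.pack(*[0] * 10)                                          # null section
    shdrs += SHDR.pack(1, 1, 6, 0x8049020, 0x1020, 0x35bc, 0, 0, 16, 0)  # .text
    shdrs += SHDR.pack(7, 3, 0, 0, stroff, len(strtab), 0, 0, 1, 0)      # .shstrtab
    return ehdr + phdr + shdrs + strtab

# Samples built from the values in the two readelf outputs above
INFECTED = build_sample(b"\x00\x00\x02\x00\xa0\xd0\x01\x00", 0x804d167, 0x6167)
CLEAN = build_sample(bytes(8), 0x8049020, 0x5167)
```

Run against real files, `elf32_checks(open(path, "rb").read())` reports the same three indicators the analysis derived by hand; the segment-size check still needs a known-clean copy to compare against.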

cl, lg, libproc.so.2.0.6, ps, ssh_host_key, ssh_host_key.pub
Identical to their counterparts in the bigwar directory.

clean
Performs a similar function to its counterpart in the bigwar directory.

create
File type Shell script
Analysis
The script performs the following:
  1. moves tools to the directory /lib/security/"   "/
  2. replaces the sshd config and key files
  3. copies nscd to /bin and /sbin

init
File type Shell script
Analysis
The script performs the following:
  1. set PATH
  2. execute nscd
  3. cd /lib/security/"   "/tools/sniffer
  4. execute kde
  5. return to original directory

mailme
File type Shell script
Interesting strings output
#This file will mail you informations about the root
#File created by EnForCeR
Analysis
Collects system information, such as the output of ifconfig, hostname, uname and w, cpuinfo, meminfo and route, and mails it to haxteam@haxteam.org and haxteam@yahoo.com.

modules
File type Shell script
Analysis
Appends to /etc/rc.d/rc.modules commands that perform the following:
  1. changes the attributes of /usr/bin/nscd to +saui (chattr)
  2. sets up the ssh and sshd config files in the /usr/lib directory, and changes their attributes to +saui
  3. executes nscd
  4. executes kde
  5. runs chattr +saui on /etc/rc.d/rc.modules

nscd
File type ELF executable, not stripped
Functionality
trojanised sshd
Interesting strings output
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/lib
  -f file    Configuration file (default %s/sshd_config)
  -d         Debugging mode
  -i         Started from inetd
  -q         Quiet (no logging)
  -p port    Listen on the specified port (default: 22)
  -k seconds Regenerate server key every this many seconds (default: 3600)
  -g seconds Grace period for authentication (default: 300)
  -b bits    Size of server RSA key (default: 768 bits)
/usr/lib/ssh_host_key
  -h file    File from which to read host key (default: %s)
  -V str     Remote version string already read from the socket

9c0cf3261ae2d9dab434ca49554ae04d

GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Origin

Analysis
The strings output indicates that the executable is an sshd server. The string "9c0cf3261ae2d9dab434ca49554ae04d" may be the MD5 hash of the backdoor password.

We also parsed the file with the readelf command and observed that bytes 9 through 16 of the ELF header contain non-zero values. As in the case of chattr, dir and the other binaries, this executable is also infected with the Linux.OSF.8759 virus.
Remarks
Judging by the compiler information in the strings output, the executable may have been compiled on a Red Hat 6.2 system.

remove
File type Shell script
Analysis
The script performs the following:
  1. removes files (details) and kills processes (details)
  2. removes the following entries from the startup scripts:
    • /usr/bin/sourcemask, /usr/sbin/in.telnet, /usr/sbin/jcd, and /usr/sbin/nscd from /etc/rc.d/rc.sysinit
    • /bin/vobisum and /usr/sbin/in.telnet from /etc/rc.d/rc.local
  3. sets the command history to remember only 1 command
  4. calls the script lg
Remarks
Attempts to remove rootkits that are already installed, probably by other hacker groups.

replace
File type Shell script
Analysis
The script performs the following:
  1. computes the md5sum of various binaries and stores the encoded result in /dev/srd0
  2. trojanises lsof, libproc.2.0.6, md5sum, ifconfig, netstat, ps, top, pstree, dir, vdir, killall, du, ls, and nscd
  3. removes portmap from startup script
  4. removes /dev/caca, /dev/pisu, /dev/dsx
  5. installs rootkit configuration from .d, .c, .p as /usr/include/{proc.h, hosts.h, file.h} respectively
  6. ensures /etc/rc.d/rc.sysinit is executable if it can be found

setup
File type Shell script
Analysis
The script performs the following:
  1. turns command logging off
  2. executes ./create, ./replace, ./remove, ./modules, ./startfile, ./mailme, and ./clean
  3. displays some system information on screen

ssh_random_seed
Serves similar purpose as counterpart in bigwar directory.

sshd_config
sshd configuration file.  The server is configured to listen on port 55211 instead of the typical port 22.

startfile
File type Shell script
Analysis
The script performs the following:
  1. replaces original init script if any.
  2. modifies one of the various startup scripts to call the trojanised init script. These startup scripts include /etc/rc.d/rc.sysinit, /etc/rc.d/rc.local, /etc/rc.d/init.d/boot.local, /etc/inittab, /etc/rc, /etc/rc.local, /etc/rc.local, and /etc/rc.sysinit.
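As an added example from the defender's side (not part of the challenge material), a Python check for the traces that the create, modules, sshd_config and startfile entries describe: the hidden /lib/security/"   "/ directory, the nscd copies, the sshd_config under /usr/lib and its Port line, and references to nscd, kde or the hidden directory in the startup scripts listed above. The sample tree it builds is constructed for illustration, and the regular expression applied to startup scripts is a heuristic, not a signature.

```python
import os
import re
import tempfile

# Indicators from the create, modules, sshd_config and startfile entries: the hidden
# directory named with three spaces, the trojanised sshd installed as nscd, its
# configuration under /usr/lib, and the startup scripts that startfile modifies.
HIDDEN_DIR = os.path.join("lib", "security", "   ")
NSCD_COPIES = ("bin/nscd", "sbin/nscd", "usr/bin/nscd")
SSHD_CONFIG = "usr/lib/sshd_config"
STARTUP_SCRIPTS = ("etc/rc.d/rc.sysinit", "etc/rc.d/rc.local", "etc/rc.d/rc.modules",
                   "etc/rc.d/init.d/boot.local", "etc/inittab", "etc/rc",
                   "etc/rc.local", "etc/rc.sysinit")
SUSPECT = re.compile(r"\bnscd\b|\bkde\b|/lib/security/   /")  # heuristic only

def read_if_file(path):
    if not os.path.isfile(path):
        return None
    with open(path, errors="replace") as fh:
        return fh.read()

def find_traces(root):
    """Return a list of findings for the hax.tgz indicators under root."""
    findings = []
    if os.path.isdir(os.path.join(root, HIDDEN_DIR)):
        findings.append("hidden directory " + repr(HIDDEN_DIR))
    for rel in NSCD_COPIES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append("nscd binary at /" + rel)
    text = read_if_file(os.path.join(root, SSHD_CONFIG))
    if text is not None:
        m = re.search(r"^\s*Port\s+(\d+)", text, re.M)
        findings.append("/%s present (Port %s)" % (SSHD_CONFIG, m.group(1) if m else "?"))
    for rel in STARTUP_SCRIPTS:
        text = read_if_file(os.path.join(root, rel))
        if text is not None and SUSPECT.search(text):
            findings.append("/" + rel + " references nscd, kde or the hidden directory")
    return findings

def build_constructed_tree():
    """Constructed sample tree reproducing the layout the scripts create."""
    root = tempfile.mkdtemp()
    for d in (HIDDEN_DIR, "sbin", "usr/lib", "etc/rc.d"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "sbin", "nscd"), "wb").close()
    with open(os.path.join(root, SSHD_CONFIG), "w") as fh:
        fh.write("Port 55211\nHostKey /usr/lib/ssh_host_key\n")
    with open(os.path.join(root, "etc/rc.d/rc.modules"), "w") as fh:
        fh.write("# constructed sample\n/usr/bin/nscd\n")
    return root
```

On a live system run `find_traces("/")` from a trusted toolset, since the rootkit's own ls, dir and vdir hide the directory it creates.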


socklist subdirectory
The socklist subdirectory contains the following files/directories:
Xf/
socklist
utils/

socklist/socklist
File type Shell script
Analysis
Note that there is an error in the shell script: on line 52, PShd should read $PShd.

The list of processes to hide is stored in the file /usr/lib/libc/libph; these processes include psybnc, nscd, kde, and kdeinit. Together with stringsx and socklistx, this shell script first copies the original /usr/bin/socklist and /usr/bin/strings to /usr/lib/libc/libso and /usr/bin/strings' ' respectively. The original copy is then replaced with the trojanised version. When, for example, the trojanised /usr/bin/socklist is run, it executes the original copy, which is now at /usr/lib/libc/libso (/usr/bin/strings' ' in the case of strings). The output is then checked so that entries found in the file /usr/lib/libc/libph (/usr/lib/libc/libah in the case of strings) are filtered out. The replacement of the original strings and socklist is done by the move shell script if gcc is found; otherwise, the socklist shell script performs the replacement without fixing the file size, checksum and MAC time.

socklist/Xf subdirectory
The socklist/Xf subdirectory contains the following files:
chattr
fix
fix.c
move
socklistx
socklistx.c
stringsx
stringsx.c


socklist/Xf/chattr
Identical to ../bigwar/chattr

socklist/Xf/fix
socklist/Xf/fix.c
The source code, fix.c, is similar to fix.c of lrk5. The executable performs similar functions as its counterpart in the bigwar directory.

socklist/Xf/move
File type Shell script
Analysis
The script performs the following:
  1. compiles fix.c, stringsx.c, socklistx.c, and .siz.c
  2. modifies the binaries socklistx and stringsx so that their file size (using "utils/siz"), MAC time and checksum (using "fix") are identical to those of /usr/bin/socklist and /usr/bin/strings respectively.

socklist/Xf/socklistx
socklist/Xf/socklistx.c
socklist/Xf/stringsx
socklist/Xf/stringsx.c
File type socklistx, stringsx: ELF executable, not stripped
socklistx.c, stringsx.c: source code
Functionality
"Generic" trojan
Analysis
The trojan makes use of two files, defined by the macros fPS and fHIDE. fPS stores a copy of the program that the hacker wishes to compromise, and fHIDE stores a list of entries that the hacker wishes to hide. If an additional "magic word" (in this case "soffax") is given, the trojan executes "/bin/su -".

Refer to socklist/socklist description for execution details.

socklist/utils subdirectory
socklist/utils/siz
socklist/utils/.siz.c
File type siz: ELF executable, not stripped
.siz.c: source code
Functionality
File resizer
Interesting strings output
From .siz.c
/*====================================================================
   sizer Version 2.00
   Executable file size adjuster
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (unewn4th@usa.net
  ====================================================================
*/
Analysis
The program does just what the comment in the source code indicates. The program will only work if the new file size is larger than the original file size.


tools subdirectory
The tools subdirectory is made up of 2 directories:
psybnc
sniffer

tools/psybnc subdirectory
Subdirectory containing the psybnc IRC bouncer and the supporting files.

tools/sniffer subdirectory
The tools/sniffer directory contains the following files:
kde
read
tcp.log

tools/sniffer/kde
File type ELF executable, stripped
Functionality
sniffer (infected with virus)
Interesting strings output
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
----- [CAPLEN Exceeded]
----- [Timed Out]
----- [RST]
----- [FIN]
%s =>
%s [%d]
eth0
tcp.log
cant open log
Origin
Probably LinSniffer by Mike Edulla
A copy of the source code can be found at http://packetstormsecurity.org/Exploit_Code_Archive/linsniffer.c.

The virus found on this executable is identified as Linux/Rst-A virus.
Analysis
The strings output resembles the error messages generated by LinSniffer. The main purpose of the sniffer is to capture passwords from clear-text protocols such as ftp and telnet. The output, in ASCII, is stored in the file tcp.log.

When we parsed the executable with readelf, we observed various indications (similar to those stated above) that this file has been infected with a virus.

$ readelf -a tools/sniffer/kde
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 b4 28 00 00
    ...
    ...
  Entry point address:               0x80490af
    ...
    ...
Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
    ...
    ...
  [13] .text             PROGBITS        08048760 000760 00085c 00  AX  0   0 16
    ...
    ...
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
    ...
    ...
  LOAD           0x000000 0x08048000 0x08048000 0x020af 0x020af R E 0x1000
    ...
    ...

However, we also observed that the ELF header of kde differs from those of the executables infected by the Linux.OSF.8759 virus: the 11th byte of the ELF header is 0 (not 2) in this case. This indicates that kde is infected with a different virus. We did not manage to trace the origin of this virus until one of us incidentally transferred the file to a Windows machine and activated the virus scanner. With the help of the virus scanner, we were able to identify the virus as Linux/Rst-A. Information on this virus can be found at http://www.sophos.com/virusinfo/analyses/linuxrsta.html.

tools/sniffer/read
Identical to ../bigwar/read.

tools/sniffer/tcp.log
Sniffer log file for the program kde

References

[ELF virus] Alexander Bartolich, "The ELF Virus Writing HOWTO"
http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/