File type | ELF executable
Functionality | trojanised binary infected with virus
Interesting strings output | OSF
Origin | These binaries are infected with the Linux.OSF.8759 virus.
Analysis |
Similar observations as for the counterpart in bigwar.tgz, but with an extra 8759 bytes. We compared the two files of the same kind from both directories. Taking the program "du" as an example, we first parsed the two files using the readelf command; the outputs are as follows:

$ readelf -a du
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 02 00 a0 d0 01 00
  ...
  Entry point address:               0x804d167
  ...
Section Headers:
  [Nr] Name     Type       Addr     Off    Size   ES Flg Lk Inf Al
  ...
  [13] .text    PROGBITS   08049020 001020 0035bc 00  AX  0   0 16
  ...
Program Headers:
  Type   Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  ...
  LOAD   0x000000 0x08048000 0x08048000 0x06167 0x06167 R E 0x1000
  ...

$ readelf -a ../bigwar/du
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  ...
  Entry point address:               0x8049020
  ...
Section Headers:
  [Nr] Name     Type       Addr     Off    Size   ES Flg Lk Inf Al
  ...
  [13] .text    PROGBITS   08049020 001020 0035bc 00  AX  0   0 16
  ...
Program Headers:
  Type   Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  ...
  LOAD   0x000000 0x08048000 0x08048000 0x05167 0x05167 R E 0x1000
  ...

A few observations were made:
File type | Shell script
Analysis | The script performs the following:
File type | Shell script
Analysis | The script performs the following:
File type | Shell script
Interesting strings output |
#This file will mail you informations about the root
#File created by EnForCeR
Analysis |
Collects system information, such as the output of ifconfig, hostname, uname, w, cpuinfo, meminfo and route, and mails it to haxteam@haxteam.org and haxteam@yahoo.com.
File type | Shell script
Analysis | Appends commands to /etc/rc.d/rc.modules that perform the following:
File type | ELF executable, not stripped
Functionality | trojanised sshd
Interesting strings output |
sshd version %s [%s]
Usage: %s [options]
Options:
/usr/lib
  -f file     Configuration file (default %s/sshd_config)
  -d          Debugging mode
  -i          Started from inetd
  -q          Quiet (no logging)
  -p port     Listen on the specified port (default: 22)
  -k seconds  Regenerate server key every this many seconds (default: 3600)
  -g seconds  Grace period for authentication (default: 300)
  -b bits     Size of server RSA key (default: 768 bits)
/usr/lib/ssh_host_key
  -h file     File from which to read host key (default: %s)
  -V str      Remote version string already read from the socket
9c0cf3261ae2d9dab434ca49554ae04d
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Origin |
Analysis |
The strings output indicates that the executable is an sshd server. The string "9c0cf3261ae2d9dab434ca49554ae04d" may be the md5sum hash of the backdoor password. We also parsed the file with the readelf command and observed that bytes 9-16 of the ELF header contain non-zero values. As in the case of chattr, dir and other binaries, this executable is also infected with the Linux.OSF.8759 virus.
Remarks |
Judging from the compiler information in the strings output, the executable may have been compiled on a Redhat 6.2 system.
File type | Shell script
Analysis | The script performs the following:
Remarks | Attempts to remove installed rootkits (probably by other hacker groups).
File type | Shell script
Analysis | The script performs the following:
File type | Shell script
Analysis | The script performs the following:
File type | Shell script
Analysis | The script performs the following:
Xf/ |
socklist |
utils/ |
File type | Shell script
Analysis |
Note that there is an error in the shell script: in line 52, PShd should read $PShd. The list of processes to hide is stored in the file /usr/lib/libc/libph; these processes include psybnc, nscd, kde, and kdeinit. Together with stringsx and socklistx, this shell script first copies the original /usr/bin/socklist and /usr/bin/strings to /usr/lib/libc/libso and /usr/bin/strings' ' respectively. The original copy is then replaced with the trojanised version. When, for example, the trojanised /usr/bin/socklist is run, it executes the original copy, which is now at /usr/lib/libc/libso (/usr/bin/strings' ' in the case of strings), and filters from its output any entries found in the file /usr/lib/libc/libph (/usr/lib/libc/libah in the case of strings). Replacement of the original strings and socklist is done by the move shell script if gcc is found; otherwise the socklist shell script performs the replacement without fixing the file size, checksum and MAC times.
chattr |
fix.c |
socklistx |
stringsx |
|
fix |
move |
socklistx.c |
stringsx.c |
File type | Shell script
Analysis | The script performs the following:
File type | socklistx, stringsx: ELF executable, not stripped; socklistx.c, stringsx.c: source code
Functionality | "Generic" trojan
Analysis |
The trojan makes use of two files, defined by the macros fPS and fHIDE. fPS stores a copy of the program that the hacker wishes to compromise, and fHIDE stores a list of entries that the hacker wishes to hide. If an additional "magic word" (in this case, "soffax") is given, it executes "/bin/su -". Refer to the socklist/socklist description for execution details.
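The socklist/strings replacement described above (fPS holding the relocated original, fHIDE holding the names to filter) leaves a fixed set of filesystem artifacts, and the compiled socklistx/stringsx binaries carry those fPS/fHIDE paths as plain strings. The following Python script is an added example for triaging a mounted image offline; it is not part of the original analysis or of the rootkit's own code. It assumes the paths exactly as the analysis names them, reads the page's /usr/bin/strings' ' as a filename with one trailing space, and builds a constructed sample tree (not a real image) to run against.

```python
import os
import tempfile

# Artifact paths named in the analysis, relative to a root so a mounted image can be
# scanned offline. The page writes the relocated strings binary as /usr/bin/strings' ';
# it is read here as a name with one trailing space (assumption).
ARTIFACTS = {
    "usr/lib/libc/libph": "hide list consulted by the trojanised socklist (fHIDE)",
    "usr/lib/libc/libah": "hide list consulted by the trojanised strings (fHIDE)",
    "usr/lib/libc/libso": "relocated original socklist (fPS)",
    "usr/bin/strings ": "relocated original strings (fPS, trailing-space name)",
}
# Tools the kit replaces with the compiled socklistx/stringsx. Those binaries embed the
# fPS/fHIDE paths as literal strings, which a clean copy of the tool never references.
REPLACED = ["usr/bin/socklist", "usr/bin/strings"]
REF_STRINGS = [b"/" + rel.encode() for rel in ARTIFACTS]


def embedded_refs(path):
    """Return the artifact paths that appear verbatim inside a binary (what strings(1) shows)."""
    with open(path, "rb") as f:
        blob = f.read()
    return [s.decode() for s in REF_STRINGS if s in blob]


def scan(root):
    """Scan a filesystem root for the kit's artifacts, tampered tools and hidden names."""
    hits, refs, hidden = [], {}, []
    for rel, why in ARTIFACTS.items():
        if os.path.lexists(os.path.join(root, rel)):
            hits.append(f"/{rel}: {why}")
    for rel in REPLACED:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            found = embedded_refs(p)
            if found:
                refs["/" + rel] = found
    # The hide lists are plain text, one name per line (psybnc, nscd, kde, kdeinit on the page).
    for rel in ("usr/lib/libc/libph", "usr/lib/libc/libah"):
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            with open(p) as f:
                hidden += [line.strip() for line in f if line.strip()]
    return {"artifacts": hits, "references": refs, "hidden": sorted(set(hidden))}


def build_sample_root(root):
    """Constructed fake tree mimicking a box where only socklist was replaced (sample data)."""
    os.makedirs(os.path.join(root, "usr/lib/libc"))
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "usr/lib/libc/libph"), "w") as f:
        f.write("psybnc\nnscd\nkde\nkdeinit\n")
    with open(os.path.join(root, "usr/lib/libc/libso"), "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 12)  # stand-in for the relocated original socklist
    with open(os.path.join(root, "usr/bin/socklist"), "wb") as f:
        # stand-in for socklistx: an ELF stub carrying the fPS/fHIDE paths as strings
        f.write(b"\x7fELF" + b"\0" * 12 + b"/usr/lib/libc/libso\0/usr/lib/libc/libph\0")
    with open(os.path.join(root, "usr/bin/strings"), "wb") as f:
        f.write(b"\x7fELF" + b"\0" * 12)  # untouched tool: no path strings inside
    return root


def demo():
    """Run the scan over the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_root(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point scan() at the mount point of an image (scan("/mnt/evidence")) rather than at a live root: on a compromised host the trojanised strings would hide exactly these paths from its own output, which is why the check reads the bytes directly instead of shelling out to strings.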
File type | siz: ELF executable, not stripped; .siz.c: source code
Functionality | File resizer
Interesting strings output |
From .siz.c:
/*====================================================================
  sizer Version 2.00
  Executable file size adjuster
  The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  Written by UNYUN (unewn4th@usa.net)
====================================================================*/
Analysis |
The program does just what the comment in the source code indicates. It will only work if the new file size is larger than the original file size.
psybnc |
sniffer |
kde |
read |
tcp.log |
File type | ELF executable, stripped
Functionality | sniffer (infected with virus)
Interesting strings output |
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
----- [CAPLEN Exceeded]
----- [Timed Out]
----- [RST]
----- [FIN]
%s => %s [%d]
eth0
tcp.log
cant open log
Origin |
Probably LinSniffer by Mike Edulla. A copy of the source code can be found at http://packetstormsecurity.org/Exploit_Code_Archive/linsniffer.c. The virus found on this executable is identified as the Linux/Rst-A virus.
Analysis |
The strings output resembles the error messages generated by LinSniffer. The main purpose of the sniffer is to capture passwords from clear-text protocols such as ftp and telnet. The output, in ASCII, is stored in the file tcp.log. When we parsed the executable with readelf, we observed various indications (similar to those stated above) that this file has been infected with a virus:

$ readelf -a tools/sniffer/kde
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 b4 28 00 00
  ...
  Entry point address:               0x80490af
  ...
Section Headers:
  [Nr] Name     Type       Addr     Off    Size   ES Flg Lk Inf Al
  ...
  [13] .text    PROGBITS   08048760 000760 00085c 00  AX  0   0 16
  ...
Program Headers:
  Type   Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  ...
  LOAD   0x000000 0x08048000 0x08048000 0x020af 0x020af R E 0x1000
  ...

However, we also observed that the ELF header of kde differs from those of the executables infected by the Linux.OSF.8759 virus: the 11th byte of the ELF header is 0 (not 2) in this case. This indicates that kde is infected with a different virus. We did not manage to trace the origin of this virus until one of us incidentally transferred the file to a Windows machine and activated the virus scanner. With the help of the virus scanner, we identified the virus as the Linux/Rst-A virus. Information on this virus can be found at http://www.sophos.com/virusinfo/analyses/linuxrsta.html.
[ELF virus] | Alexander Bartolich, "The ELF Virus Writing HOWTO", http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/