Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Hacking Techniques :: tuxkit.txt

Tuxkit Rootkit Analysis RKT:




                The Tuxtendo's Tuxkit Rootkit Analysis
                     spoonfork / mel@ini2.net
		            March 2002

--] Introduction

The following is an analysis of the Tuxkit rootkit, written by a Dutch group
called Tuxtendo. This rootkit was found in one of the honeypots that we 
set up. The honeypot was a stock installation of Redhat 7.0, with a few 
services running. None of the software, such as named, sendmail and the 
printer daemon were patched.

There are three versions of the rootkit that are available on 
Tuxtendo's website. They are tuxkit.tgz, tuxkit-1.0.tgz, and tuxkit-short.tgz.
Both tuxkit.tgz and tuxkit-1.0.tgz have the same contents, while 
tuxkit-short.tgz contains less tools.

I've also tested some of tuxkit's binaries on Redhat 7.1, and they seemed to 
work fine.

The following are the contents of each tuxkit. This analysis will focus on
tuxkit-1.0.tgz, the one that was found on our honeypot. The rootkit was
developed by Argv[], possibly modified from and based on the t0rn rootkit. The
timestamp of the rootkit was December 2001. Googling for "tuxkit analysis" 
did not produce any hits, so I guess that this rootkit is pretty new.

NOTE: chkrootkit failed to detect tuxkit.

--] Packages

[root@angel tuxkit-1.0]# ls -l ../tuxkit  (tuxkit.tgz)
total 2600
-rw-------    1 sfork   sfork     502884 Dec  5 07:55 bin.tgz
-rw-------    1 sfork   sfork        406 Dec  5 07:55 cfg.tgz
-rw-------    1 sfork   sfork      16213 Dec  5 07:55 lib.tgz
-rw-------    1 sfork   sfork       3684 Dec  5 07:55 README
-rw-------    1 sfork   sfork     461892 Jan  6 00:06 sshd.tgz
-rw-------    1 sfork   sfork    1644819 Dec  5 07:55 tools.tgz
-rwx------    1 sfork   sfork       9489 Jan  6 00:53 tuxkit

[root@angel tuxkit-1.0]# ls -l ../tuxkit-1.0  (tuxkit-1.0.tgz)
total 2600
-rw-------    1 sfork   sfork     502884 Dec  5 07:55 bin.tgz
-rw-------    1 sfork   sfork        406 Dec  5 07:55 cfg.tgz
-rw-------    1 sfork   sfork      16213 Dec  5 07:55 lib.tgz
-rw-------    1 sfork   sfork       3684 Dec  5 07:55 README
-rw-------    1 sfork   sfork     461892 Jan  6 00:06 sshd.tgz
-rw-------    1 sfork   sfork    1644819 Dec  5 07:55 tools.tgz
-rwx------    1 sfork   sfork       9489 Jan  6 00:53 tuxkit

[root@angel tuxkit-1.0]# ls -l ../tuxkit-short  (tuxkit-1.0-short.tgz)
total 1556
-rw-------    1 1001     1001       502884 Dec  5 07:55 bin.tgz
-rw-------    1 1001     1001          406 Dec  5 07:55 cfg.tgz
-rw-------    1 1001     1001        16213 Dec  5 07:55 lib.tgz
-rw-------    1 1001     1001         3684 Dec  5 07:55 README
-rw-------    1 1001     1001       461892 Jan  6 00:06 sshd.tgz
-rw-------    1 1001     1001       577089 Jan  6 01:12 tools.tgz
-rwx------    1 1001     1001         9489 Jan  6 00:53 tuxkit

--] tuxkit-1.0.tgz 

There are six files in the tuxkit which includes a README, an installation
script, and four tarred/zipped files.

The following are the contents of the individual files in the tuxkit.

- bin.tgz - contains precompiled trojan binaries
- cfg.tgz - contains tuxkit's configuration files
- lib.tgz - contains libproc libraries, for process hiding purposes
- sshd.tgz - contains precompiled sshd, complete with sshd_config
- tools.tgz - contains an arsenal of tools (duh!) for the skrip kiddie
  who don't know how to get their own tools. The tools are:

    [root@angel tools]# ls -la
    total 44
    drwxr-xr-x   11 root     root         4096 Mar  1 13:14 .
    drwxr-xr-x    4 root     root         4096 Mar  1 13:14 ..
    drwx------    2 root     root         4096 Nov 12 20:50 bitchx
    drwx------    2 root     root         4096 Dec 12 23:59 dos
    drwx------    2 root     root         4096 Nov 12 20:57 mirkforce
    drwx------    2 root     root         4096 Nov 12 20:57 nmapv
    drwx------    8 root     root         4096 Nov 12 23:05 psybnc
    drwx------    2 root     root         4096 Nov 13 01:00 sniffer
    drwx------    2 root     root         4096 Nov 12 20:58 ssh
    drwx------    2 root     root         4096 Nov 12 23:22 synscan
    drwx------    2 root     root         4096 Nov 12 20:58 utils

   The names of these tools are self-explanatory. However, they are all
   precompiled. utils contains only one utility - wget. This is to 
   enable the skripkids to easily download other tools (assuming the skripkids
   know how to use wget).

- tuxkit - an installation script
- README - the obligatory README file (and greetz, of course)

The tuxkit is almost similar to the t0rn rootkit. The addition of the 
precompiled tools such as nmap, synscan and psybnc makes it a more handy 
rootkit. It is flawlessly easy to install. Tuxkit is like a pack-n-go 
kinda tool. The appendix shows the contents of each packages in tuxkit.

--] Installation

Installation of tuxkit is very straightforward. The README says:

---README snip---
./tuxkit <Password> <SSHD Port> <BNC Port>

         Password : This will be the password you need to login onto
                    the comromised system.
         SSD Port : This will be the port on which the SSHD will be
                    be listening on for incoming connections.
                    This port will be hidden automatically in netstat.
         bncport  : this will be the port psyBNC will listen on.
                    This port will be hidden automatically in netstat.

The setup script does NOT have default settings, this forces you to
provide a password, sshd and bnc ports.

The setup script also contains a variable called EMAIL, you should edit
this ;)
---README snip---

This sets tuxkit apart from t0rn - it does not use default ports. 

The default installation directory is /dev/tux. Shell script savvy skripkids
may want to change this to avoid detection.

NOTE: the tuxkit installationn script contains a variable EMAIL which has
the default value of the author. At the end of the installation, the script
will send an email which the subject "Tuxkit1.0". The e-mail contains 
information about the host, the SSH backdoor port, the psyBNC port, and
also the password. If you skripkid didn't change the EMAIL (the README
clearly states to change this), you have the risk of your server being
owned by other people.

--] Trojaning process

The trojaning process is straightforward. syslogd is killed first. Then
all the files that came with tuxkit-1.0.tgz are untarred and upzipped.
The installation directory is created. The default installation directory
is /dev/tux, and even though this is kept as the variable RDIR, the tuxkit
install script hardcoded "mkdir /dev/tux", thus changing RDIR, but forgetting
to change the line above will cause your installation to skew a bit (most 
skripkids won't bother to do this anyway). In fact, /dev/tux is hardcoded 
almost everywhere in the installation script.

The hidden files .addr, .cron, .file, .log and .proc are copied to /dev/tux/

The library files are copied to lib, and /sbin/ldconfig is executed.

This step is followed by copying files to be trojaned to /dev/tux/backup, and
replacing these files with the trojaned version. A script "sz", which is part
of the bin.tgz is run against each trojaned binaries so that the size matches
that of the original binaries. "sz" basically pads the trojan with zeros
(from /dev/zero).

--] Backdooring process

The backdoored SSH is installed in /usr/bin/xsf. The trojaned sshcheck is 
installed in /usr/bin/xchk. Both are invoked the following way:

	/usr/bin/xsf -q 1>/dev/null 2>/dev/null
	/usr/bin/xchk -q 1>/dev/null 2>/dev/null

The /etc/rc.d/rc.sysinit is also edited to include the following lines:

	echo "# Running Xsf ..." >> /etc/rc.d/rc.sysinit
 	echo "/usr/bin/xsf -q 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit
 	echo "# Running Xchk ..." >> /etc/rc.d/rc.sysinit
 	echo "/usr/bin/xchk 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit

If you string xsf, you will be able to get the passwords that the skripkid
used.

--] The tuxkit configuration files

The tuxkit config files follows that of the original Linux rootkit. There are
.addr, .cron, .file, .log and .proc. The filenames are self-explanatory. These
files follow the convention of the original Linux rootkit. In forensic, what
you will be interested in most is the .addr files, because it contains the
IP that netstat is supposed to hide.

--] Detecting tuxkit

Detecting tuxkit is fairly simple. 

1. Look for the existence of /dev/tux
2. Run lsof -i +M | grep xsf 

Hey, why wasn't lsof trojaned? t0rn has a trojaned lsof :)

--] Detecting tuxkit - trojans

1. md5sums - if you've keep an md5sum of the virgin state of your
   installation, detecting trojans should be a walk in the park. Every
   system administrator should use file integrity checker to monitor 
   critical file change.
2. Look for /usr/bin/xsf and /usr/bin/xchk
3. Look for extra lines in /etc/rc.sysinit
4. cd /etc/ssh; ls -l. The trojaned ls will return nothing, when in 
   fact your ssh config files are still there.

The following are the size difference between tuxkit and Redhat 7.1 binaries.
(before installation)

files        tuxkit        Redhat 7.1
------------------------------------------
crontab      29052               21280
df           27112               26812
dir          42952               45948
dmesg         3640                4252
du           25592               25788
find         55220               47516
ifconfig     36356               51164
killall      14400               12096
locate        9144               25020 (symlink to slocate)
login         3980               17740
ls           42952               45948
netstat      58228               83132
ps           62748               63180
pstree       14532               12284 
sshcheck     89828               - (my test machine don't have this)
sshdconfig  451260               - (my test machine don't have this)
syslogd      28324               26972
tcpd         18660               24844
top          37844               34924
updatedb      4394               25020 (symlink to slocate)
vdir         42952               45948

This result is quite interesting. Trojans are not supposed to be bigger that
the original binaries!

--] Detecting tuxkit - if you are lucky

On our honeypot, the trojaned 'ps' still shows xsf, even though xsf was in
the list of processes to be hidden. However, 'ls' seems to work very well
in hiding files.

--] Recommendations

For tuxkit developers 
- Add trojaned lsof. Borrow one from t0rn :) Also, fix ps. 
- tools.tgz is probably not needed. A skripkid who is able to crack a Linux
  machine (duh) should be able to download and compile his/her own tools. 
  Furthermore, tools.tgz adds unnecessary extra bytes to the tuxkit - not
  really convenient for downloading.
- Add a self-deleting script, i.e. delete the tar files and installation
  directory after installation. skripkids seems incapable of doing this.
  The config files should be kept somewhere else other than /dev/tux.

For skripkidz - vi tuxkit, type the following:

     :%s/\/dev\/tux/installation_dir_of_your_choice/g

where installation_dir_of_your_choice is, uh, the installation directory
of your choice. (However, this won't work, since /dev/tux/.{addr,proc}, etc
are already hardcoded to the binaries - so hehe, just run ./tuxkit and pray
that the stupid system administrators won't notice :)

For system administrators - run file integrity checker after each fresh
install.

--] Conclusion

The world of forensic analysis ain't fun without rootkits.

--] Appendix - Contents of each packages

[root@angel tuxkit-1.0]# less bin.tgz 
-rwx------ root/root     29052 2001-12-26 21:37:57 bin/crontab
-rwx------ root/root     27112 2001-12-26 21:37:57 bin/df
-rwx------ root/root     42952 2001-12-26 21:37:57 bin/dir
-rwx------ root/root      3640 2001-12-26 21:37:57 bin/dmesg
-rwx------ root/root     25592 2001-12-26 21:37:57 bin/du
-rwx------ root/root     55220 2001-12-26 21:37:57 bin/find
-rwx------ root/root     36356 2001-12-26 21:37:57 bin/ifconfig
-rwx------ root/root     14400 2001-12-26 21:37:57 bin/killall
-rwx------ root/root      9144 2001-12-26 21:37:57 bin/locate
-rwx------ root/root      3980 2001-12-26 21:37:57 bin/login
-rwx------ root/root     42952 2001-12-26 21:37:57 bin/ls
-rwx------ root/root     58228 2001-12-26 21:37:57 bin/netstat
-rwx------ root/root     62748 2001-12-26 21:37:57 bin/ps
-rwx------ root/root     14532 2001-12-26 21:37:57 bin/pstree
-rwx------ root/root     89828 2001-12-26 21:37:57 bin/sshcheck
-rwx------ root/root    451260 2001-12-26 21:37:57 bin/sshdconfig
-rwx------ root/root     28324 2001-12-26 21:37:57 bin/syslogd
-rwx------ root/root      1522 2001-12-26 21:37:57 bin/sz
-rwx------ root/root     18660 2001-12-26 21:37:57 bin/tcpd
-rwx------ root/root     37844 2001-12-26 21:37:57 bin/top
-rwx------ root/root      4394 2001-12-26 21:37:57 bin/updatedb
-rwx------ root/root     42952 2001-12-26 21:37:57 bin/vdir

[root@angel tuxkit-1.0]# less cfg.tgz 
-rw------- root/root        17 2001-11-11 19:12:19 cfg/.addr
-rw------- root/root        69 2001-11-12 23:06:32 cfg/.cron
-rw------- root/root        67 2001-12-27 20:54:23 cfg/.file
-rw------- root/root        13 2001-12-27 20:54:47 cfg/.log
-rw------- root/root       116 2001-12-27 20:55:29 cfg/.proc

[root@angel tuxkit-1.0]# less sshd.tgz
-rw------- virus/virus     828 2001-12-13 00:22:12 ssh2/hostkey
-rw------- virus/virus     697 2001-12-13 00:22:12 ssh2/hostkey.pub
-rw------- virus/virus     503 2001-12-27 20:43:12 ssh2/logo
-rw------- virus/virus     512 2001-12-13 23:51:33 ssh2/random_seed
-rwx------ virus/virus 1040220 2002-01-06 00:05:58 ssh2/sshd
-rw------- virus/virus     647 2001-12-27 22:42:20 ssh2/sshd2_config

[root@angel tuxkit-1.0]# less lib.tgz 
lrwxrwxrwx root/root         0 2001-11-11 02:49:02 lib/libproc.so -> libproc.so.
2.0.7



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH