ld.so.preload Root Kit

From: Gideon Lenkey (glenkey@infotech-nj.com)
Date: 01/11/02


Date: Thu, 10 Jan 2002 22:11:06 -0500 (EST)
From: Gideon Lenkey <glenkey@infotech-nj.com>
To: <incidents@securityfocus.com>


ld.so.preload ROOT KIT:
=======================

SYNOPSIS:
---------

An unusual root kit was observed on a research honeypot. This root kit uses a
shared library (libshow.so) rather than trojan binaries to hide the intruder's
activity. It adds an entry to the /etc/ld.so.preload file (or creates it if
it's absent), which causes the dynamic loader to preload this shared library every
time a dynamically linked application is run. The library filters out specific
file, process and network information. Although not unheard of, this kit
would seem to present a significant threat.

The machine was a basic Pentium Lintel box running stock Redhat 7.0.
It was compromised with an ftp buffer overflow.

SEQUENCE OF EVENTS:
-------------------

SNORT reports a buffer overflow:

-------------------------------------------------------------------------

attacks from to method
=========================================================================
   420 134.184.43.10 1.1.1.1 FTP EXPLOIT stat overflow : {TCP}
   420 134.184.43.10 1.1.1.1 FTP wu-ftp file completion attempt { {TCP}
   1 134.184.43.10 1.1.1.1 FTP wu-ftp file completion attempt [ {TCP}

-------------------------------------------------------------------------

An incident handler on duty runs the aide (file checksum) application
and finds discrepancies in the file system (aide output edited and
cleaned):

-------------------------------------------------------------------------

added:/etc/ld.so.preload
added:/lib/libZ.a
added:/lib/libZ.a/DISCLAIMER
added:/lib/libZ.a/log
added:/lib/libZ.a/log/sniff
added:/lib/libZ.a/log/pid.zdsnf.eth0
added:/lib/libZ.a/tmp
added:/lib/libZ.a/bin
added:/lib/libZ.a/bin/rkpasswd
added:/lib/libZ.a/bin/findkit
added:/lib/libZ.a/bin/ldd
added:/lib/libZ.a/bin/ld-linux
added:/lib/libZ.a/bin/checkrk
added:/lib/libZ.a/bin/bincheck
added:/lib/libZ.a/bin/lcheck
added:/lib/libZ.a/sbin
added:/lib/libZ.a/sbin/zdcrond
added:/lib/libZ.a/sbin/in.sshd
added:/lib/libZ.a/sbin/sshd_chk
added:/lib/libZ.a/sbin/ssh-keygen
added:/lib/libZ.a/sbin/zdsnf
added:/lib/libZ.a/sbin/zdsnf_chk
added:/lib/libZ.a/sbin/zdsshd.pid
added:/lib/libZ.a/etc
added:/lib/libZ.a/etc/cron
added:/lib/libZ.a/etc/file
added:/lib/libZ.a/etc/host
added:/lib/libZ.a/etc/log
added:/lib/libZ.a/etc/proc
added:/lib/libZ.a/etc/primes
added:/lib/libZ.a/etc/rkp
added:/lib/libZ.a/etc/sshd_config
added:/lib/libZ.a/etc/ssh_host_key
added:/lib/libZ.a/etc/ssh_host_key.pub
added:/lib/libZ.a/etc/ssh_host_dsa_key
added:/lib/libZ.a/etc/ssh_host_dsa_key.pub
added:/lib/libZ.a/etc/ssh_host_rsa_key
added:/lib/libZ.a/etc/ssh_host_rsa_key.pub
added:/lib/libZ.a/.common
added:/lib/libZ.a/.profile
added:/lib/libZ.a/.cshrc
added:/lib/libshow.so.0.9.5
added:/lib/libshow.so
changed:/lib

-------------------------------------------------------------------------

No trojan binaries were observed in the aide output. A system copy of
lsof was used in an attempt to determine if any unusual processes,
network listeners or files were present. All attempts to see the files
listed in the aide output failed.

The aide program was rerun in an attempt to confirm the initial
findings. This run produced identical results.

At that point, the machine was shut down and booted from a jump kit(2) CD, and
the root partition was mounted under a different mount point. From this
vantage point the root kit was completely visible.

ANALYSIS:
---------

The kit hides the intruder by preloading a shared library. This library,
libshow.so.0.9.5, appears to prevent any dynamically linked applications
using the system libraries from seeing specified files, processes and
network information.

The kit includes a sniffer, a cron process and an sshd back door which
appears to randomize its listening TCP port. The cron process appears to
be used as a keepalive for the trojan sshd and sniffer in the event of a
reboot.

The installation is performed by a binary application.

Contents of the root kit file 'zdlk.wav':

        zdlk-0.9.5/
        zdlk-0.9.5/rmkit2
        zdlk-0.9.5/libshow.so.0.9.5
        zdlk-0.9.5/zd
        zdlk-0.9.5/install
        zdlk-0.9.5/DISCLAIMER
        zdlk-0.9.5/README
        zdlk-0.9.5/INSTALL
        zdlk-0.9.5/CHANGES
        zdlk-0.9.5/homedir.tar
        zdlk-0.9.5/wted

Further analysis is ongoing at this time.

HOW TO DETERMINE IF YOU ARE INFECTED:
------------------------------------

Here are several simple ways to tell if you are infected:

1) Try to touch /tmp/libshow.so :

        bash# touch /tmp/libshow.so
        touch: /tmp/libshow.so: Permission denied

If libshow is on your system, it will try to protect that file name and
you will get a 'Permission denied' message.

2) Load 'sash'(3), the Stand Alone Shell, and use its internal file
commands to look for the libraries:

        sh# sash
        Stand-alone shell (version 3.4)
        > ls -l /etc/ld.so.preload
        ls: /etc/ld.so.preload: No such file or directory

        > -ls -l /lib/libshow.so
        lrwxrwxrwx 1 root root 21 Jan 10 16:52 libshow.so

        > -ls -l /etc/ld.so.preload
        -rw-r--r-- 1 root root 21 Jan 10 16:52 ld.so.preload

Putting the dash "-" in front of the command uses sash's internal
commands. /lib/libshow.so and /etc/ld.so.preload are now clearly
visible.

3) Use (or make) statically linked binary utilities (ls, mv, rm, lsof etc.)
from your Jump Kit(2) CD to look for the above files.

4) Boot your system from the installation CD, enter rescue mode, mount the
file system and look for the above mentioned files.

-->> NOTE: CHKROOTKIT(5) WILL NOT PRESENTLY DETECT THIS ROOT KIT! <<--
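The checks above all rely on the same idea: ask for the file through a path the preloaded library cannot intercept. As an added example (not code from the original post or from the kit), here is a small C checker that reads /etc/ld.so.preload through raw system calls and, for the file itself and each library it names, compares the kernel's answer with the one libc's open() wrapper gives; the function names, the 128-byte name limit and the '#'-comment handling in the parser are my assumptions.

```c
/* Added example, not from the original advisory: a library named in
 * /etc/ld.so.preload can interpose libc's open() but not a raw openat(2) syscall,
 * so a mismatch exposes a hider. Linux; build: gcc -static -O2 -o chk chk.c */
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
enum probe { PROBE_ABSENT = 0, PROBE_VISIBLE = 1, PROBE_HIDDEN = 2 };

/* Ask the kernel directly, then libc; a mismatch means user-space filtering. */
enum probe probe_path(const char *path)
{
    int raw = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (raw < 0) return PROBE_ABSENT;          /* kernel: not there */
    syscall(SYS_close, raw);
    int lib = open(path, O_RDONLY);            /* hookable libc wrapper */
    if (lib >= 0) close(lib);
    return lib < 0 ? PROBE_HIDDEN : PROBE_VISIBLE;
}

/* ld.so.preload names: whitespace- or ':'-separated; '#' comments (assumed). */
int parse_preload(const char *buf, char out[][128], int max)
{
    int n = 0, len = 0, comment = 0;
    for (const char *p = buf; n < max; p++) {
        char c = *p;
        if (c == '#') comment = 1;
        else if (c == '\n' || c == '\0') comment = 0;
        if (c && c != ':' && !isspace((unsigned char)c) && !comment) {
            if (len < 127) out[n][len++] = c;
        } else if (len > 0) { out[n++][len] = '\0'; len = 0; }
        if (c == '\0') break;
    }
    return n;
}

int main(void)
{
    static const char *verdict[] = { "absent", "visible", "HIDDEN" };
    char buf[4096] = "", libs[32][128];
    int fd = (int)syscall(SYS_openat, AT_FDCWD, "/etc/ld.so.preload", O_RDONLY);
    long n = fd < 0 ? 0 : syscall(SYS_read, fd, buf, sizeof buf - 1);
    if (fd >= 0) syscall(SYS_close, fd);
    buf[n > 0 ? n : 0] = '\0';                 /* raw read: cannot be filtered */
    printf("/etc/ld.so.preload: %s\n", verdict[probe_path("/etc/ld.so.preload")]);
    for (int i = 0, k = parse_preload(buf, libs, 32); i < k; i++)
        printf("  %s: %s\n", libs[i], verdict[probe_path(libs[i])]);
    return 0;
}
```

A "HIDDEN" verdict for /etc/ld.so.preload or one of its entries is the same discrepancy the sash session above shows between `ls` and `-ls`; on a clean box every line reads "absent" or "visible".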

CLEANING THIS ROOT KIT:
----------------------

Using sash, static binaries or booting from your rescue CD, move the
offending /etc/ld.so.preload file into /tmp and run ldconfig (or better
yet reboot).

You can now *see* the hidden files.

Remove the files:
        bash# rm -rf /lib/libshow.so.0.9.5
        bash# rm -rf /lib/libshow.so

Remove the directory:
        bash# rm -rf /lib/libZ.a

Restore anything legitimate you may have had (but probably not) in
/etc/ld.so.preload and reboot the system. Retest for this and other
goodies.

SOURCES:
--------

(1) AIDE
        http://www.cs.tut.fi/~rammer/aide.html

(2) Jump Kit HOWTO
        http://www.infotech-nj.com/papers/JumpKit_HOWTO.txt

(3) SASH
        http://www.canb.auug.org.au/~dbell/

--Gideon
