I was given a task to complete the HoneyNet Scan of the Month challenge, Scan #15. The challenge is stated below; some keywords for the scan are forensic analysis (data analysis of malicious acts) and rootkit (a set of malicious scripts / software).
As a bonus task, one should explain step by step how the rootkit works and search for clues about its creator.
I'll be using Vagrant for this job, because it's easy to test this kind of thing without messing up your own computer.
Here is a quick guide on how to set up Vagrant on your computer.
I added these two lines to my Vagrantfile so I can locally test my Apache configurations from the given IP address:
config.vm.network "private_network", ip: "192.168.33.25"
config.vm.hostname = "honeynet15"
My hardware is a MacBook Pro (mid-2014) running OS X Yosemite, and the Vagrant box will be Ubuntu 14.04 64-bit.
On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recover the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13MB, (honeynet.tar.gz) MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.
- Show step by step how you identify and recover the deleted rootkit from the / partition.
- What files make up the deleted rootkit?
- Was the rootkit ever actually installed on the system? How do you know?
Doing the challenge
Everything I do and report here is done in real time. I'm starting the challenge at 17:50 on September 14.
Setting up the environment
First I'll download the file from their website (you can also fetch it directly with 'wget http://old.honeynet.org/scans/scan15/honeynet.tar.gz').
Next I'll move it to my Vagrant box's folder and vagrant-scp it into the virtual machine.
vagrant scp honeynet.tar.gz 358bdc9:/home/vagrant
Then I'll ssh into the VM (vagrant ssh) and start analysing.
First I'll untar the file (x = extract, v = verbose, f = file):
tar xvf honeynet.tar.gz
Next I'll go into the extracted folder, which looks like this:
vagrant@honeynet15:~/honeynet$ tree
.
|-- honeypot.hda8.dd
`-- README
As you can see, there is an image file (dd), and that is the analysis target.
Retrieving undeleted (allocated) and deleted files from the DD image
On Tero's website there is a good explanation of how to recover undeleted and deleted files from a DD image. First I'll create folders called allocated and deleted, then I'll extract the data from the DD image (dependency: sudo apt-get install sleuthkit):
mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/
tsk_recover honeypot.hda8.dd deleted/
These commands recover all the files from the image into those folders (the -a flag selects allocated, i.e. undeleted, files; without it tsk_recover extracts the unallocated, i.e. deleted, files).
Analyzing recovered files and searching for the rootkit
Among the deleted files I found lk.tgz, which really confused me, because normally there aren't any tar files in the root (/) folder. Next I'll untar it and we'll see what is inside.
tar xvf lk.tgz
It extracted a folder called last with the following content:
vagrant@honeynet15:~/honeynet/deleted/last$ tree
.
|-- cleaner
|-- ifconfig
|-- inetd.conf
|-- install
|-- last.cgi
|-- linsniffer
|-- logclear
|-- lsattr
|-- mkxfs
|-- netstat
|-- pidfile
|-- ps
|-- s
|-- sense
|-- services
|-- sl2
|-- ssh
|-- ssh_config
|-- sshd_config
|-- ssh_host_key
|-- ssh_host_key.pub
|-- ssh_random_seed
`-- top
With ls -la I can see that install was the last file edited, and the name install intrigues me as well.
I open the file with cat (cat install), and it becomes clear to me that this is the install script of the rootkit.
What the rootkit does
At the top of the file there are some declarations / taunting by the author (some swearing and a suggestion of sucking on something) and a clear notice that it is a rootkit.
What the rootkit actually does: first it checks which components are installed (make, gcc, sshd).
Next it removes the old system files (for example ifconfig, netstat, ...) and moves its own files into their places. It also tries to add content to the /dev/rpm file (rpm is the package manager of Red Hat distributions).
There are some IP addresses and port numbers it copies into the /dev/last file. Googling the first IP, it seems to be located in Romania.
After this it copies its other shell commands into the /dev/ida/.drag-on and /dev/ida/".. " folders and then removes the originals (it tries to be cunning with folder names).
Next it forcefully copies some configuration files into /etc (services and inetd.conf) and removes some shell scripts from the /usr/bin/ folder, inserting its own shell scripts into that folder instead.
The last malicious act it performs is to copy the last.cgi file into any installed web server (.cgi because it was 2001). After that it tries to email hardware information to these two email addresses (clues about the creator):
And it also removes all the original files with:
rm -rf last lk.tgz computer lk.tar.gz
Let's find out if this particular computer was affected by the rootkit
Now that we know how the installation of the rootkit works, we can check whether any of these malicious acts were actually carried out on the computer.
By running sha256sum on ../allocated/sbin/ifconfig and comparing it to the sha256sum of the rootkit's own ifconfig file, I can see that it was copied from the rootkit folder, because the sums match.
After checking some other files I can be sure that the computer was affected by the rootkit.
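The hash comparison above can be done for every file in the rootkit folder at once. The script below is an added example, not part of the original post: it takes the recovered rootkit directory and the recovered allocated tree (both as produced by tsk_recover above, assumed to have no whitespace in file names) and reports, per rootkit file, whether a same-named file in the system tree has an identical SHA-256 (MATCH), differs (DIFF), or was not recovered at all (NONE).

```shell
#!/bin/sh
# Constructed example: compare each file of the recovered rootkit against the
# recovered allocated filesystem by SHA-256. A MATCH means the rootkit's copy
# replaced the system binary, which is the evidence that it was installed.
set -eu

sha256_of() {
    # Print only the hex digest of one file.
    sha256sum "$1" | cut -d' ' -f1
}

# compare_trees ROOTKIT_DIR ALLOCATED_DIR
# Prints one line per rootkit file:
#   "<name> MATCH <path>"  a same-named file with identical digest was found
#   "<name> DIFF"          same-named file(s) exist but all digests differ
#   "<name> NONE"          no file of that name exists in the allocated tree
compare_trees() {
    rk="$1"
    alloc="$2"
    for f in "$rk"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        want=$(sha256_of "$f")
        status="NONE"
        # Check every same-named file anywhere under the recovered system tree
        # (e.g. sbin/ifconfig, bin/ps, usr/bin/top).
        for cand in $(find "$alloc" -type f -name "$name"); do
            if [ "$(sha256_of "$cand")" = "$want" ]; then
                status="MATCH $cand"
                break
            fi
            status="DIFF"
        done
        printf '%s %s\n' "$name" "$status"
    done
}
```

Run it as `compare_trees deleted/last allocated` from the honeynet folder; every MATCH line is a trojaned binary that was live on the honeypot.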
This challenge was indeed quite intriguing. I really enjoyed learning how to recover files from a disk image and how some simple malicious acts could be carried out.
This is the first time I've ever seen and studied a rootkit.
The task was done and reported at 19:50, 2 hours in total.
Edited: way of comparing files
Tero Karvinen, Forensic File Recovery