Honeynet Scan of the month, Scan 15

I was given the task of completing the Honeynet Scan of the Month challenge, Scan #15. The challenge is stated below; the keywords for this scan are forensic analysis (analysing data left behind by malicious activity) and rootkit (a set of malicious scripts and binaries, typically trojaned versions of system tools, used to keep and hide access to a compromised host).

As a bonus task, one should explain step by step how the rootkit works and look for clues about its creator.

Environment

I'll be using Vagrant for this job, because it is an easy way to test this kind of thing without messing up your own computer. Working on a disposable VM also means the recovered rootkit binaries never sit on the host's PATH.

Here is a quick guide on how to set up Vagrant on your computer.

I added these two lines to my Vagrantfile so I can reach the box at a fixed private IP address and recognise it by hostname:

 config.vm.network "private_network", ip: "192.168.33.25"
 config.vm.hostname = "honeynet15"

My hardware is a MacBook Pro (mid-2014) and the Vagrant box will be Ubuntu 14.04 64-bit.

Operating system: OSX Yosemite

The Challenge:
On 15 March 2001, a Linux honeypot was successfully compromised, a rootkit was downloaded to the / partition and then deleted from the system. Your mission is to find and recover the deleted rootkit. If you are not sure where to begin on conducting this forensic analysis and recovering the rootkit, we highly recommend you start with the Forensic Challenge. The steps you will have to follow for the rootkit recovery are similar to the steps discussed there. We have posted only the / partition for download to keep this challenge simple. The compressed image is 13MB, (honeynet.tar.gz) MD5=0dff8fb9fe022ea80d8f1a4e4ae33e21. Once you have downloaded, untarred, and unzipped the partition image, it will be 255 MB and the checksum should be MD5=5a8ebf5725b15e563c825be85f2f852e.

  1. Show step by step how you identify and recover the deleted rootkit from the / partition.
  2. What files make up the deleted rootkit?

Bonus Question:
Was the rootkit ever actually installed on the system? How do you know?

Doing the challenge

Everything I do and report here is done in real time. I'm starting the challenge at 17:50 on September 14.

Setting up the environment

First I'll download the file from their website (you can also wget it directly: 'wget http://old.honeynet.org/scans/scan15/honeynet.tar.gz'). The challenge gives MD5 sums for both the archive and the unpacked image; checking them with md5sum before doing anything else confirms you are analysing the same evidence everyone else is.

Next I’ll move it to my vagrant box’s folder and vagrant-scp it into the virtual machine.

vagrant scp honeynet.tar.gz 358bdc9:/home/vagrant

Then I’ll ssh into the VM (vagrant ssh) and start analysing.

Untar files

First I'll untar the file (x = extract, v = verbose, f = file; modern tar detects the gzip compression on its own, so no z flag is needed).

tar xvf honeynet.tar.gz

Next I'll go into the extracted folder, which looks like this:

vagrant@honeynet15:~/honeynet$ tree
.
|-- honeypot.hda8.dd
`-- README

As you can see, there is a raw partition image (honeypot.hda8.dd, a dd copy of the / partition) and that is the analysis target.

Retrieving undeleted and deleted files from DD-image

On Tero Karvinen's website there is a good explanation of how to recover both undeleted and deleted files from a dd image. First I'll create folders called allocated and deleted, then I'll extract data from the image with The Sleuth Kit (dependency: sudo apt-get install sleuthkit). The image itself is never written to; tsk_recover only reads it, so the evidence stays intact.

mkdir allocated deleted
tsk_recover -a honeypot.hda8.dd allocated/
tsk_recover honeypot.hda8.dd deleted/

These commands recover the files from the image into those folders. The -a flag recovers only allocated (undeleted) files; without it, tsk_recover extracts only unallocated (deleted) files, which is exactly where a removed rootkit archive would end up. The -e flag would recover both sets at once.

Analyzing recovered files and searching for the rootkit

In the deleted files I found a file called lk.tgz, which really confused me, because normally there aren't any tar archives sitting in the root (/) directory. Next I'll untar it and we'll see what is inside.

tar xvf lk.tgz

It extracted a folder called last with the following content:

vagrant@honeynet15:~/honeynet/deleted/last$ tree
.
|-- cleaner
|-- ifconfig
|-- inetd.conf
|-- install
|-- last.cgi
|-- linsniffer
|-- logclear
|-- lsattr
|-- mkxfs
|-- netstat
|-- pidfile
|-- ps
|-- s
|-- sense
|-- services
|-- sl2
|-- ssh
|-- ssh_config
|-- sshd_config
|-- ssh_host_key
|-- ssh_host_key.pub
|-- ssh_random_seed
`-- top

With ls -la I can see that install has the most recent modification time of the files in the archive, and the name install intrigues me as well.

I open the file with cat (cat install) and it quickly becomes clear that this is the install script of the rootkit.

What the rootkit does

At the top of the file there are some declarations and taunts from the author (some swearing and a suggestion of sucking on something) and a clear statement that this is a rootkit.

What the install script actually does is, first, check which components are present on the system (make, gcc, sshd).

Next it tries to remove the original system binaries (for example ifconfig and netstat) and move its own trojaned copies into their places. It also writes content into a file named /dev/rpm (rpm is the package manager of Red Hat distributions, so the name is meant to look harmless; a regular file under /dev is itself a red flag).

There are some IP addresses and port numbers it writes into a file named /dev/last. Googling the first IP address, it appears to be located in Romania.

After this it copies its other shell scripts into /dev/ida/.drag-on and into a second directory under /dev/ida named ".. " (dot, dot, space), and then removes the originals. The directory names are chosen so they are easy to overlook in a normal directory listing.

Next it forcibly copies some configuration files into /etc (services and inetd.conf), removes some files from /usr/bin/ and puts its own versions in their place.

The last malicious act it attempts is to copy the last.cgi file into any web server it finds on the system (CGI, because this was 2001). After that it tries to e-mail hardware information about the host to these two addresses (clues about the creator):

bidi_damm@yahoo.com
last@linuxmail.org

Finally it removes its own installation files with

rm -rf last lk.tgz computer lk.tar.gz

Let's find out if this particular computer was affected by the rootkit

Now that we know how the installation of the rootkit works, we can check whether any of these malicious acts were actually carried out on the computer.

By running sha256sum on ../allocated/sbin/ifconfig and comparing it with the sha256sum of the rootkit's own ifconfig file, I can see that the live binary was copied from the rootkit folder, because the sums match: identical hashes mean the installed ifconfig is byte-for-byte the trojaned one.

After checking out some other files I can be sure that the computer was affected by the rootkit.
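The same check, generalised from one binary to everything the install script touches, as an added example (this is not part of the original write-up or of the challenge material). It hashes each file in the recovered last/ directory against the path where that tool normally lives in the allocated tree, and looks for the stash paths under /dev that the install script creates. The system-side paths for netstat, ps, top and lsattr, and the helper names, are assumptions; only sbin/ifconfig is checked in the text above. The sample tree it builds is constructed for the demonstration and is not evidence from the image.

```python
"""Check a recovered / partition tree for traces of the lk.tgz install script."""
import hashlib
import tempfile
from pathlib import Path

# Files the install script drops over the originals. Keys are names from the recovered
# last/ directory; values are where those files normally live on a Red Hat system of the
# period (assumed, except sbin/ifconfig, which the write-up compares directly).
REPLACED_FILES = {
    "ifconfig": "sbin/ifconfig",
    "netstat": "bin/netstat",
    "ps": "bin/ps",
    "top": "usr/bin/top",
    "lsattr": "usr/bin/lsattr",
    "services": "etc/services",
    "inetd.conf": "etc/inetd.conf",
}

# Stash locations the install script creates. Any of these existing is suspicious on its
# own: /dev should hold device nodes, not regular files or hidden directories.
DEV_STASH_PATHS = ["dev/last", "dev/rpm", "dev/ida/.drag-on"]


def sha256_file(path):
    """Hash a file in chunks so large recovered binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_files(rootkit_dir, allocated_root, mapping=REPLACED_FILES):
    """Return {name: 'identical' | 'differs' | 'missing'} for each rootkit file.

    'identical' means the allocated (live) copy is byte-for-byte the rootkit's version;
    'missing' means either side lacks the file, so nothing can be concluded for it.
    """
    results = {}
    for name, rel in mapping.items():
        kit, live = Path(rootkit_dir) / name, Path(allocated_root) / rel
        if not kit.is_file() or not live.is_file():
            results[name] = "missing"
        elif sha256_file(kit) == sha256_file(live):
            results[name] = "identical"
        else:
            results[name] = "differs"
    return results


def find_dev_stash(allocated_root, paths=DEV_STASH_PATHS):
    """Return the sorted subset of /dev stash paths that exist in the recovered tree."""
    root = Path(allocated_root)
    return sorted(p for p in paths if (root / p).exists())


def was_installed(rootkit_dir, allocated_root):
    """Answer the bonus question: a live file identical to the kit's copy, or a stash
    path present under /dev, is evidence that the install script ran."""
    identical = any(v == "identical" for v in compare_files(rootkit_dir, allocated_root).values())
    return identical or bool(find_dev_stash(allocated_root))


def build_sample_tree(base):
    """Construct a toy deleted/last/ and allocated/ layout (not real evidence)."""
    kit, live = Path(base) / "deleted" / "last", Path(base) / "allocated"
    kit.mkdir(parents=True)
    for name in REPLACED_FILES:
        (kit / name).write_bytes(b"TROJAN:" + name.encode())
    # Trojaned ifconfig and inetd.conf installed; netstat still the vendor build;
    # ps, top, lsattr and services absent from the recovered tree.
    (live / "sbin").mkdir(parents=True)
    (live / "sbin" / "ifconfig").write_bytes(b"TROJAN:ifconfig")
    (live / "bin").mkdir()
    (live / "bin" / "netstat").write_bytes(b"VENDOR:netstat")
    (live / "etc").mkdir()
    (live / "etc" / "inetd.conf").write_bytes(b"TROJAN:inetd.conf")
    (live / "dev" / "ida" / ".drag-on").mkdir(parents=True)
    return str(kit), str(live)


def demo():
    """Run the checks over the constructed tree and return all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        kit, live = build_sample_tree(tmp)
        return compare_files(kit, live), find_dev_stash(live), was_installed(kit, live)


if __name__ == "__main__":
    files, stash, installed = demo()
    for name, verdict in files.items():
        print(f"{name:12s} {verdict}")
    print("dev stash:", stash)
    print("installed:", installed)
```

Against the real image you would call compare_files("deleted/last", "allocated") and find_dev_stash("allocated") from the honeynet directory. A 'differs' verdict is worth a second look too: the install script may have failed for that file, or the binary may have been replaced again later.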

Authors comments

This challenge was indeed quite intriguing. I really enjoyed learning how to recover files from a disk image and seeing how a few simple malicious steps make up a rootkit install.

This is the first time I’ve ever seen and studied a rootkit.

The task was done and reported on 19:50, 2 hours in total.

Edited: way of comparing files

Resources

Honeynet Project website, Scan of the Month 15

Wikipedia, Rootkit and Forensic Analysis explanations

Tero Karvinen, course Linux as a server

Tero Karvinen, Forensic File Recovery
