QUOTE

Attacks through SSHD root kit targeting Linux Systems
http://www.cert-in.org.in/

It has been reported that a user-mode rootkit is in the wild targeting
major Linux flavors (mainly RPM based) which logs username and password
pairs sent over the network, ships them to randomly generated
attacker-controlled domains, and additionally opens a backdoor onto the
system.

The rootkit apparently replaces the library libkeyutils with a trojanised
version at:

*       /lib64/libkeyutils.so.1.9 (64-bit)
*       /lib/libkeyutils.so.1.9 (x86)

It then changes the links /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1)
to point to the malicious library.

The malware is capable of:
*       stealing passwords, SSH keys and /etc/shadow from the system and sending
them to a remote IP hard-coded in the file
*       being used as a backdoor to access the server at any time
*       sending out spam mails

Detection

The library is normally found in /lib (or /lib64) and hence can be traced by
the package manager; on an apparently rooted box the query outputs "file
/lib64/libkeyutils.so.1.9 is not owned by any package".
*       For instance, on RHEL:

    rpm -qfV /lib*/libkeyutils*

(the output "file /lib64/libkeyutils.so.1.9 is not owned by any package" is
the symptom)

*       Debian / Ubuntu (not reported as of now):

    dpkg -l 'libkeyutils*'     (quote the glob so the shell does not expand it)
    dpkg -L libkeyutils1       (list the files shipped by the package)


"        The malicious library has specific network related strings embedded
which can be verifed by using the strings /lib64/libkeyutils.so.1.3 and
'grep' ing for gethostbyname|connect|socket|inet_ntoa|send strings and the
genuine library is normally having no bussiness with these strings.
run in the terminal

strings /lib/libkeyutils.so.1.9 | grep
gethostbyname|connect|socket|inet_ntoa|send strings /lib/libkeyutils.so.1.3
| grep gethostbyname|connect|socket|inet_ntoa|send



"       Interprocess communication is reported as achieved through shared
memory, if the system is rooted, SSHD owned memory may be seen.
"       Some of the known and in wild samples are:
o       libkeyutils.exe
o       vti-rescan
o       471EE431030332DD636B8AF24A428556EE72DF37
o       471ee431030332dd636b8af24a428556ee72df37_libkeyutils.so.1.9
o       ecea5cc15532ffac4b8159bf860c63c1

"         the fuzzy hashing can help detect the similarly matching files:
ssdeep:768:KkGyZKfTRlHCxuT965gvghuBec2X4yxE9rW7owJ:tZKtELEFW7o+
"       occurrence of many sleep processes (lsof may reveal), sleeps may be
running from SSH, and check the SSH_CONNECTION environment variable (not
tested)
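The detection steps above, scripted as an added example that is not part of the CERT-In advisory or the forwarded mail: it reports libkeyutils files carrying the network strings, an .so.1 symlink repointed at the reported libkeyutils.so.1.9 name, and files no package claims. LIB_DIRS, NET_PATTERN, BAD_NAME and the function names are this script's own choices; grep and readlink are assumed to be available.

```shell
#!/bin/sh
# Added example, not the advisory's own code: scripted versions of the
# detection checks for a trojanised libkeyutils. Assumes grep and readlink
# exist; LIB_DIRS, NET_PATTERN and BAD_NAME are this script's own choices.
LIB_DIRS="${LIB_DIRS:-/lib /lib64}"
NET_PATTERN='gethostbyname|connect|socket|inet_ntoa|send'
BAD_NAME='libkeyutils.so.1.9'   # file name the advisory reports for the trojan

# Print the network-related strings found in FILE, sorted and unique.
# grep -a scans the binary much like "strings FILE | grep" does.
net_strings_in() {
    grep -a -o -E "$NET_PATTERN" "$1" 2>/dev/null | sort -u
}

# Succeed (0) when FILE carries any of the network strings; the genuine
# library should carry none, so a hit deserves a closer look.
has_net_strings() {
    [ -n "$(net_strings_in "$1")" ]
}

# Succeed (0) when symlink LINK resolves to the reported malicious file name,
# i.e. libkeyutils.so.1 has been repointed the way the advisory describes.
symlink_repointed() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "$BAD_NAME" ]
}

# Succeed (0) when no package owns FILE (the "not owned by any package"
# symptom); return 2 when neither rpm nor dpkg is installed.
unowned_by_package() {
    if command -v rpm >/dev/null 2>&1; then
        ! rpm -qf "$1" >/dev/null 2>&1
    elif command -v dpkg >/dev/null 2>&1; then
        ! dpkg -S "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# Walk LIB_DIRS and report every libkeyutils file that trips a check.
scan_libkeyutils() {
    for d in $LIB_DIRS; do
        for f in "$d"/libkeyutils*; do
            [ -e "$f" ] || continue
            has_net_strings "$f" && echo "NET-STRINGS $f: $(net_strings_in "$f" | tr '\n' ' ')"
            symlink_repointed "$f" && echo "REPOINTED   $f -> $(readlink "$f")"
            unowned_by_package "$f" && echo "UNOWNED     $f"
        done
    done
}
if [ "${1:-}" = "--scan" ]; then scan_libkeyutils; fi
```

Run it as root with `--scan` on a suspect box; a NET-STRINGS or REPOINTED line is the symptom the advisory describes, and UNOWNED stays silent on systems with neither rpm nor dpkg.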

Recommendations
"       Remove the malicious library and restart SSH server, run the below
given in shell prompt
o       # rm lib/libkeyutiils.so.1.9 /lib/libkeyutils.so.1
o       #ln -sf /lib/libkeyutiils-1.3.so /lib/libkeyutiils.so.1
o       #sync
o       #echo 'b' >/proc/sysrq-trigger / simulate a hard power cut to ensure the
rootkit cant reroot it its memory resident (not tested)
"       Change all credentials, SSH passwords, Web Host manager -WHM(cpanel),
and any other admin passwords on the server.
"       Prevent Access of SSH from outside- firewall it, allow only the
trusted.
"       Nessus released a plugin to detect the rootkit
o       http://www.tenable.com/plugins/index.php?view=single&id=64913
"       Keep update the system as well as the 3rd party applications. (java,
flash in particular)
"       Changing the LOGLEVEL to verbose. It is learnt that the ssh connections
specific to these rootkits are not logged in the SSH log files
(/var/log/secure) or (/var/log/auth) . Hence recommended to enable the
verbose logging mechanisms (set loglevel to versbose /etc/ssh/sshd_config
and (in ubuntu box))
"       Consider installing snoopy logger which logs all the commands issued
(http://sourceforge.net/projects/snoopylogger/)
"       Monitor the traffic to random domains (.biz, .info and .net domains,
78.47.139.110 (hard coded and XOR ed )  over port 53/UDP, the
communication is mostly encrypted

"       Run Linux Anti-malware solution
"       Keep up-to-date the system as well as the 3rd party applications (java,
flash)
References:
*       https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
*       http://www.cloudlinux.com/blog/clnews/sshd-exploit.php


UNQUOTE

Take your own precautions.
....forwarded by Partha

_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc