bobkit analysis

By William Stearns of the Institute for Security Technology Studies.

The author "sArGeAnt" wrote the package. He probably speaks Dutch; see the IRC lines quoted at http://www.securiteam.com/exploits/6R00M1F0AI.html and http://cert.uni-stuttgart.de/archive/bugtraq/2000/11/msg00265.html :

    nog een keer sukkel en je ken es lekker kijken hoe packetjes je modem binnen komen

which translates to:

    here, once more, dumbass, and then you can take a nice look at how those packets enter your modem

http://www.bedford.net/teep60.htm reviews Sargeant's tool kit.

Overview

Bobkit appears to be a rootkit: a collection of programs installed on a system once an attacker has acquired root access on it. This one appears to include an ssh backdoor, an adore Linux kernel module and a Tribe Flood Net slave. It is able to update itself by downloading new versions or additional code from two known URLs at free web site hosting companies. Both companies have been contacted and have verified that the sites in question have been disabled, preventing future bobkits from updating themselves from these sites.

Recent versions of the kit install themselves to "/usr/include/..." (note the three dots). Older versions installed themselves to /tmp/.bkp . /usr/include/... is the home directory for the attacker's logins.

Some of the binaries included in the kit are compressed with what appears to be a custom-compiled version of the UPX executable compressor. Stock copies of UPX are not able to decompress the binaries, implying that the compression process has been modified to hide the contents of the binary.

File Summary

Here are the files used in this tool and their uses.

.bash_history
    Symlink to /dev/null to avoid saving any command history.

bkit-adore.o
    Adore kernel module.

bkit-ava
    Adore kernel module control tool.

bkit-d
    Inserts the adore kernel module; copies /etc/rc.d/rc.local and /etc/rc.d/rc.modules back and forth to each other.

bkit-dl
    Downloader script that uses bkit-get to pull down new/additional files from free web space sites. Downloads files, untars them, and removes the originals. Runs bkit-seal afterwards if it was pulled down; bkit-seal is not in the base tar.

bkit-f
    Looks like Tribe Flood Net (see http://www.sunmanagers.org/pipermail/summaries/2001-April/000494.html and http://www.cert.org/incident_notes/IN-99-07.html ).

bkit-get
    UPX-compressed URL downloader. It appears that "bkit-get URL" downloads to the same filename in the current directory.

bkit-mc
    Calls Midnight Commander (mc), then removes the mc history file.

bkit-patch
    Pulls down a new version of the code from the free web sites.

bkit-patches
    Program inside bkit-patches.tgz; run after the latter is unpacked.

bkit-patches.tgz
    Downloaded from the free web sites. Probably updates to the code.

bkit-pw
    Not sure; probably a backdoor password for ssh.

bkit-screen
    Symlink to /usr/bin/screen. By using a symbolic link, the attacker can use the adore kernel module to hide any running instances of screen started as bkit-screen, while normal screen instances stay visible in a task list.

bkit-seal
    Pulled down inside the downloaded tar; probably uses the adore kernel module to hide itself.

bkit-shd
    Custom-compiled ssh server.

bkit-shd.pid
    Probably the sshd pid file.

bkit-shdcfg
    Config file for the rootkit-supplied sshd. Uses port 5454/tcp, allows root logins, allows empty passwords.

bkit-shhk
    SSH private key.

bkit-shrs
    512 bytes; probably the ssh random seed.

bkit-sleep
    Symlink to /bin/sleep. By using a symbolic link, the attacker can use the adore kernel module to hide any running instances of sleep started as bkit-sleep, while normal sleep instances stay visible in a task list.

core
    Symlink to /dev/null to avoid saving any core dumps.

du
    du replacement.

find
    find replacement.

ls
    ls replacement.

lsof
    lsof replacement.

netstat
    netstat replacement.

nohup.out
    Symlink to /dev/null to avoid saving the output from any background jobs.

psr
    ps replacement.

pstree
    pstree replacement.

top
    top replacement, UPX compressed.

slocate
    slocate replacement.

uconf.inv
    Not sure.

Credits

Many thanks to Matt Fearnow for the original code and Vincent Berk for the translation. This advisory was written by William Stearns of the Institute for Security Technology Studies.

Revision History

0.1  First release for review  1/23/2002
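The indicators in the file summary (the two install directories, the /dev/null symlinks, the renamed screen and sleep symlinks that let adore hide the attacker's processes by name, and the backdoor sshd on 5454/tcp) can be checked with a small triage script. The following is an added example, not part of the original advisory or of the kit, and the bkit_* function names are its own. It assumes a Linux host and takes a root prefix so the file checks can be run against a mounted image of the compromised disk; the listener check reads /proc/net/tcp directly instead of calling the host's netstat, which the kit replaces.

```shell
#!/bin/sh
# Added triage helper for the bobkit indicators listed in the analysis above;
# not part of the original advisory or the kit. Function names (bkit_*) are
# this example's own. ROOT is a prefix so the same checks work on a mounted
# image (e.g. /mnt/evidence) or on the live root (""). On a live system the
# kit's ls, find and netstat replacements cannot be trusted, so only shell
# tests, readlink and awk on /proc/net/tcp are used here.

# Install directories used by current and older versions of the kit.
bkit_check_dirs() {
    root="${1:-}"
    for d in "$root/usr/include/..." "$root/tmp/.bkp"; do
        [ -d "$d" ] && echo "install-dir: $d"
    done
    return 0
}

# Symlinks the kit drops in its install directory: the /dev/null links that
# suppress history, core and nohup output, and the renamed links to screen
# and sleep that let adore hide the attacker's instances by name.
bkit_check_symlinks() {
    root="${1:-}"
    for d in "$root/usr/include/..." "$root/tmp/.bkp"; do
        [ -d "$d" ] || continue
        for pair in .bash_history:/dev/null core:/dev/null nohup.out:/dev/null \
                    bkit-screen:/usr/bin/screen bkit-sleep:/bin/sleep; do
            name="${pair%%:*}"
            target="${pair#*:}"
            p="$d/$name"
            if [ -L "$p" ] && [ "$(readlink "$p")" = "$target" ]; then
                echo "hiding-symlink: $p -> $target"
            fi
        done
    done
    return 0
}

# Backdoor sshd listener on 5454/tcp. /proc/net/tcp shows local_address as
# hex IP:PORT and st 0A for LISTEN; 5454 decimal is 0x154E. Reading the file
# bypasses the replaced netstat binary but not a kernel module that filters
# /proc, which is why running against an offline image is preferred.
bkit_check_listener() {
    tcp="${1:-/proc/net/tcp}"
    [ -r "$tcp" ] || return 0
    awk 'NR > 1 && $2 ~ /:154E$/ && $4 == "0A" { print "listener-5454: " $2 }' "$tcp"
    return 0
}

# Run all checks: one line per indicator found, nothing on a clean tree.
bkit_scan() {
    bkit_check_dirs "${1:-}"
    bkit_check_symlinks "${1:-}"
    bkit_check_listener "${2:-/proc/net/tcp}"
    return 0
}
```

Usage: `bkit_scan` with no arguments checks the live host; `bkit_scan /mnt/evidence /dev/null` runs the file checks against a mounted image and skips the socket check, since a mounted disk carries no /proc. Any output line is a reason to treat the host as compromised; an empty result only means these particular indicators are absent, not that the kit (or a modified version of it) is.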