There are a lot of discussions at the moment about a SSHD rootkit hitting mainly RPM based Linux distributions.
Thanks to our reader unSpawn, we received a bunch of samples of the rootkit. The rootkit is actually a trojanized library that links with SSHD and does *a lot* of nasty things to the system.
At this point in time we still do not know what the initial attack vector is it is unknown how the attackers get root access on the compromised servers that is needed to change the legitimate libkeyutils library with a trojanized one. We are, of course, keeping an eye on the development and will post a new diary or update this one if we receive more information about the attack vectors.
The trojanized library is very, very nasty. Upon execution it performs a number of actions, as described below.
The code first deobfuscates the text strings needed for it to work. The original text is only XORed so this is very easy to retrieve and the deobfuscated strings have already been posted on a lot of sites.
Once that has been done, the library sets up everything needed for it to work. It resolves symbols for the following functions which are used later: PEM_write_RSAPrivateKey, PEM_write_DSAPrivateKey, MD5_Init, MD5_Update, and MD5_Final. As you can already see, it is definitely messing up with the authentication mechanism.
Besides resolving the symbols, the library also hooks the following functions: pam_authenticate, pam_start and crypt as well as audit_log_user_message and audit_log_acct_message. By hooking these functions, the rootkit can modify the flow of the SSHD as you can see, this is a user-mode rootkit, as it does not affect the kernel.
The main activity of the rootkit consists in collection of credentials of authenticated users. Notice that the rootkit can steal username and password pairs as well as RSA and DSA private keys, so no matter which authentication mechanism you use, if the target host is infected it will successfully steal your information. The hooking of audit_log* functions was done to allow the attacker to stay as low profile as possible if the attacker uses the hardcoded backdoor password to issue any commands to the rootkit, no logs will be created.
The current version of the rootkit supports three commands: Xver, Xcat and Xbnd. The first command just prints the rootkit the Xcat commands print the collected information back in the session for the attacker while the Xbnd command allows the attacker to setup a listener.
Besides this, the rootkit can automatically send collected credentials to the attacker. In order to do this the rootkit has a DGA (Domain Generation Algorithm) implemented that will create random looking domain names in the .biz, .info and .net domains (in that order). It will then send a DNS packet containing collected credentials to the target IP address, if it was able to resolve it (meaning the attacker has registered that days domain). If no domains have been resolved, the DNS packet is sent to the hard-coded IP address, which in all samples we received was 220.127.116.11.
The rootkit itself looks very similar to the Ebury trojan which was detected back in 2011. In fact, Im pretty sure that a lot of the code has been directly copied, however, the Ebury trojan patched the whole SSHD and required the attacker to change it.
This was easier to detect and prone to being overwritten with patching. The libkeyutils library, which comes as part of the keyutils-libs package is not changed that often so the chance of it being overwritten automatically is much lower.
If you run a RPM based system you can check the integrity of the file with the rpm command:
# rpm -Vv keyutils-libs-1.2-1.el5
........ d /usr/share/doc/keyutils-libs-1.2/LICENCE.LGPL
This will check a lot of things, the most important being the MD5 checksum so if you see the output as one above you have a trojanized library. Proper output should have all (and only) dots. Keep in mind that the RPMs verification, of course, depends on the integrity of its database and the kernel itself.
We will keep an eye on the development and will update the diary accordingly if you have samples or more information, especially on what the initial attack vector is please let us know.
Id like to thanks again to unSpawn for supporting the SANS ISC.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.