Scan13, Max Vision <email@example.com>
1. What is the blackhat attempting to do with his command line syntax?
The intruder creates an obscure directory as a workspace (/usr/sbin/.mail) and downloads the LUCKROOT toolset from another web server under the attacker's control (becys.org). The filename is misleading, as the file is actually a gzipped tar archive (.tar.gz or .tgz). The intruder extracts the tools and runs the luckgo script several times against various networks. The target networks were most likely entered at random; nevertheless, they map to the following:
Notice that the attacker would have scanned roughly 196k unallocated
IPs (65k of those twice) had the Honeynet firewall allowed the
outbound connections, a considerable waste of resources and a clear illustration
that much of the script kiddie behavior is random. Worse still, though less
illustrative of their inefficiency, is that they would have scanned roughly
655k IPs in allocated space, possibly compromising hundreds of machines. A complete
list of affected networks is available upon request (firstname.lastname@example.org),
but anyone can look these allocations up from ARIN.
2. What does the tool accomplish?
LUCKROOT is an exploit package composed of the following tools:
3. How does the tool work?
luckgo is a shell script that runs the scanner against a target network. The attacker runs the luckgo script with the first two octets of the intended victim network as parameters. For example, to scan and exploit 10.10.0.0/16 they would type "./luckgo 10 10". luckgo runs the scanner luckscan-a, which in turn runs the exploit luckstatdx against each target IP found to have the portmap service (port 111) listening. The scanner makes no attempt to determine the operating system type or version before launching the exploit, so this shotgun approach is a blind mass attack: any host that answers on the portmap port gets the exploit, vulnerable or not.
When a target with portmap is found, the rpc.statd exploit is run against the
host, causing shell commands to be executed on the remote server. These commands
make the victim download and install a rootkit called "xzibit",
which replaces system commands with the intention of hiding the intruder's presence
and allowing remote access.
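The scan-then-exploit chain described above, reduced to its logic, as an added illustration. This is not the LUCKROOT code (luckgo is a shell script and luckscan-a/luckstatdx are binaries the write-up does not reproduce); the function names, the probe, and the injectable exploit callback are assumptions made here so the loop can be run offline with a fake probe:

```python
"""Model of the luckgo -> luckscan-a -> luckstatdx dispatch chain.

Added illustration, not the original LUCKROOT code. `targets_for`, `probe_portmap`,
`luckgo` and `sweep_footprint` are names chosen here; the real tools' internals are
not reproduced in the write-up. The exploit itself is deliberately a callback.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

PORTMAP_PORT = 111  # sunrpc portmapper: the only thing the scanner checks


def targets_for(first: int, second: int) -> ipaddress.IPv4Network:
    """'./luckgo A B' means the whole A.B.0.0/16 (65,536 addresses), nothing excluded."""
    for octet in (first, second):
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {octet}")
    return ipaddress.IPv4Network(f"{first}.{second}.0.0/16")


def probe_portmap(host: str, timeout: float = 0.5) -> bool:
    """Default probe: a bare TCP connect to 111. No banner, no OS or version check."""
    try:
        with socket.create_connection((host, PORTMAP_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def luckgo(first: int, second: int,
           probe: Callable[[str], bool] = probe_portmap,
           exploit: Callable[[str], None] = lambda host: None) -> List[str]:
    """Walk the /16 and fire `exploit` at every host where the probe succeeds.

    Returns the hosts attacked, in scan order. The decision rests on one open
    port, so every portmap host is attacked whether or not rpc.statd is even
    running there, which is exactly the blind shotgun behaviour described above.
    """
    attacked = []
    for addr in targets_for(first, second):
        host = str(addr)
        if probe(host):
            exploit(host)
            attacked.append(host)
    return attacked


def sweep_footprint(invocations: Iterable[Tuple[int, int]]) -> Tuple[int, int]:
    """Distinct addresses a series of luckgo runs touches, and how many address
    slots are re-scanned because the same /16 was entered more than once."""
    counts = {}
    for first, second in invocations:
        counts[(first, second)] = counts.get((first, second), 0) + 1
    distinct = len(counts) * 65536
    repeats = sum((n - 1) * 65536 for n in counts.values())
    return distinct, repeats


if __name__ == "__main__":
    # Constructed offline demo: pretend only two hosts in 10.10.0.0/16 run portmap.
    fake_open = {"10.10.0.5", "10.10.0.200"}
    print(luckgo(10, 10, probe=lambda h: h in fake_open, exploit=lambda h: None))
    print(sweep_footprint([(10, 10), (10, 10), (192, 168)]))
```

Swapping in a fake probe is the point of the callback design: the same loop that would hit 65,536 addresses per invocation against real networks can be exercised offline to see that hosts are attacked purely on the basis of an open port 111, and `sweep_footprint` makes the write-up's "scanned twice" observation concrete for any list of luckgo invocations.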
4. Is this tool a worm, or would you classify it as something else?
LUCKROOT is not a worm because it lacks an automated infection mechanism. This
tool is used manually by an attacker to scan large network blocks for the rpc.statd
vulnerability and exploit potential targets. This tool is a "scripted scan
and exploit package".
5. Is this tool original, or is it simply based on previous tools? If based on previous tools, which ones and what is modified?
All tools in the LUCKROOT package are slight variations of existing tools. In the underground community this is called "ripping" and is an all-too-common occurrence in which one person takes "credit" for the work of another.
6. What information can you obtain about who is using or created the tool?
The source IP address used in the attack was not shown in the challenge, but analysis of the tool itself yields numerous clues about its author.
Where the tools came from: The LUCKROOT.TAR package is downloaded from becys.org, a site which has only a Shockwave intro with no further content. Inspection of the domain record shows that the domain was created last year using suspicious information - for example, I called the contact phone number listed and the person had no idea about the becys.org domain. The contact address email@example.com shows up in the domain record, and firstname.lastname@example.org in the attack tool. Since the rootkit is still available for download from becys.org, it is somewhat likely that this host is controlled by the attacker (apparently BeCyS).
Credits in the attack tools: BeCyS, ReSpEkT, and coSes are mentioned in the tools as authors or references. I looked for each name on the large IRC networks, and found ReSpEkT on Undernet. I asked about BeCyS and, through five minutes' conversation, was told that there are feuds between them and that BeCyS may have dropped ReSpEkT's name to get him in trouble. There was nothing conclusive here, as it may all be the same individual, though that would imply a higher level of deception and forethought than is evidenced by the use of the attack tools. ReSpEkT was in a channel with known Romanian blackhats whom we have seen attack the honeynet before.
Rootkit configuration files: There are some preset variables in the xzibit.tar.gz rootkit downloaded from becys.org. Three address ranges are specified that will cause the trojaned system utilities to ignore traffic from certain networks, all of which are in Romania. One is the Romanian Education Network, and the other two appear to be .ro ISPs. Again assuming the attacker or attackers lack the sophistication to employ an elaborate decoy or framing operation, this would indicate the intruder is connecting from Romania.