The Tuxtendo's Tuxkit Rootkit Analysis

posted onMarch 18, 2002
by hitbsecnews

By: spoonfork (spoonfork@hackinthebox.org)

--] Introduction

The following is an analysis of the Tuxkit rootkit, written by a Dutch group
called Tuxtendo. This rootkit was found in one of the honeypots that we
set up. The honeypot was a stock installation of Redhat 7.0, with a few
services running. None of the software, such as named, sendmail and the
printer daemon were patched.

There are three versions of the rootkit that are available on
Tuxtendo's website. They are tuxkit.tgz, tuxkit-1.0.tgz, and tuxkit-short.tgz.
Both tuxkit.tgz and tuxkit-1.0.tgz have the same contents, while
tuxkit-short.tgz contains less tools.

I've also tested some of tuxkit's binaries on Redhat 7.1, and they seemed to
work fine.

The following are the contents of each tuxkit. This analysis will focus on
tuxkit-1.0.tgz, the one that was found on our honeypot. The rootkit was
developed by Argv[], possibly modified from and based on the t0rn rootkit. The
timestamp of the rootkit was December 2001. Googling for "tuxkit analysis"
did not produce any hits, so I guess that this rootkit is pretty new.

NOTE: chkrootkit failed to detect tuxkit.

--] Packages

[root@angel tuxkit-1.0]# ls -l ../tuxkit (tuxkit.tgz)
total 2600
-rw------- 1 sfork sfork 502884 Dec 5 07:55 bin.tgz
-rw------- 1 sfork sfork 406 Dec 5 07:55 cfg.tgz
-rw------- 1 sfork sfork 16213 Dec 5 07:55 lib.tgz
-rw------- 1 sfork sfork 3684 Dec 5 07:55 README
-rw------- 1 sfork sfork 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 sfork sfork 1644819 Dec 5 07:55 tools.tgz
-rwx------ 1 sfork sfork 9489 Jan 6 00:53 tuxkit

[root@angel tuxkit-1.0]# ls -l ../tuxkit-1.0 (tuxkit-1.0.tgz)
total 2600
-rw------- 1 sfork sfork 502884 Dec 5 07:55 bin.tgz
-rw------- 1 sfork sfork 406 Dec 5 07:55 cfg.tgz
-rw------- 1 sfork sfork 16213 Dec 5 07:55 lib.tgz
-rw------- 1 sfork sfork 3684 Dec 5 07:55 README
-rw------- 1 sfork sfork 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 sfork sfork 1644819 Dec 5 07:55 tools.tgz
-rwx------ 1 sfork sfork 9489 Jan 6 00:53 tuxkit

[root@angel tuxkit-1.0]# ls -l ../tuxkit-short (tuxkit-1.0-short.tgz)
total 1556
-rw------- 1 1001 1001 502884 Dec 5 07:55 bin.tgz
-rw------- 1 1001 1001 406 Dec 5 07:55 cfg.tgz
-rw------- 1 1001 1001 16213 Dec 5 07:55 lib.tgz
-rw------- 1 1001 1001 3684 Dec 5 07:55 README
-rw------- 1 1001 1001 461892 Jan 6 00:06 sshd.tgz
-rw------- 1 1001 1001 577089 Jan 6 01:12 tools.tgz
-rwx------ 1 1001 1001 9489 Jan 6 00:53 tuxkit

--] tuxkit-1.0.tgz

There are six files in the tuxkit which includes a README, an installation
script, and four tarred/zipped files.

The following are the contents of the individual files in the tuxkit.

- bin.tgz - contains precompiled trojan binaries
- cfg.tgz - contains tuxkit's configuration files
- lib.tgz - contains libproc libraries, for process hiding purposes
- sshd.tgz - contains precompiled sshd, complete with sshd_config
- tools.tgz - contains an arsenal of tools (duh!) for the skrip kiddie
who don't know how to get their own tools. The tools are:

[root@angel tools]# ls -la
total 44
drwxr-xr-x 11 root root 4096 Mar 1 13:14 .
drwxr-xr-x 4 root root 4096 Mar 1 13:14 ..
drwx------ 2 root root 4096 Nov 12 20:50 bitchx
drwx------ 2 root root 4096 Dec 12 23:59 dos
drwx------ 2 root root 4096 Nov 12 20:57 mirkforce
drwx------ 2 root root 4096 Nov 12 20:57 nmapv
drwx------ 8 root root 4096 Nov 12 23:05 psybnc
drwx------ 2 root root 4096 Nov 13 01:00 sniffer
drwx------ 2 root root 4096 Nov 12 20:58 ssh
drwx------ 2 root root 4096 Nov 12 23:22 synscan
drwx------ 2 root root 4096 Nov 12 20:58 utils

The names of these tools are self-explanatory. However, they are all
precompiled. utils contains only one utility - wget. This is to
enable the skripkids to easily download other tools (assuming the skripkids
know how to use wget).

- tuxkit - an installation script
- README - the obligatory README file (and greetz, of course)

The tuxkit is almost similar to the t0rn rootkit. The addition of the
precompiled tools such as nmap, synscan and psybnc makes it a more handy
rootkit. It is flawlessly easy to install. Tuxkit is like a pack-n-go
kinda tool. The appendix shows the contents of each packages in tuxkit.

--] Installation

Installation of tuxkit is very straightforward. The README says:

---README snip---
./tuxkit

Password : This will be the password you need to login onto
the comromised system.
SSD Port : This will be the port on which the SSHD will be
be listening on for incoming connections.
This port will be hidden automatically in netstat.
bncport : this will be the port psyBNC will listen on.
This port will be hidden automatically in netstat.

The setup script does NOT have default settings, this forces you to
provide a password, sshd and bnc ports.

The setup script also contains a variable called EMAIL, you should edit
this ;)
---README snip---

This sets tuxkit apart from t0rn - it does not use default ports.

The default installation directory is /dev/tux. Shell script savvy skripkids
may want to change this to avoid detection.

NOTE: the tuxkit installationn script contains a variable EMAIL which has
the default value of the author. At the end of the installation, the script
will send an email which the subject "Tuxkit1.0". The e-mail contains
information about the host, the SSH backdoor port, the psyBNC port, and
also the password. If you skripkid didn't change the EMAIL (the README
clearly states to change this), you have the risk of your server being
owned by other people.

--] Trojaning process

The trojaning process is straightforward. syslogd is killed first. Then
all the files that came with tuxkit-1.0.tgz are untarred and upzipped.
The installation directory is created. The default installation directory
is /dev/tux, and even though this is kept as the variable RDIR, the tuxkit
install script hardcoded "mkdir /dev/tux", thus changing RDIR, but forgetting
to change the line above will cause your installation to skew a bit (most
skripkids won't bother to do this anyway). In fact, /dev/tux is hardcoded
almost everywhere in the installation script.

The hidden files .addr, .cron, .file, .log and .proc are copied to /dev/tux/

The library files are copied to lib, and /sbin/ldconfig is executed.

This step is followed by copying files to be trojaned to /dev/tux/backup, and
replacing these files with the trojaned version. A script "sz", which is part
of the bin.tgz is run against each trojaned binaries so that the size matches
that of the original binaries. "sz" basically pads the trojan with zeros
(from /dev/zero).

--] Backdooring process

The backdoored SSH is installed in /usr/bin/xsf. The trojaned sshcheck is
installed in /usr/bin/xchk. Both are invoked the following way:

/usr/bin/xsf -q 1>/dev/null 2>/dev/null
/usr/bin/xchk -q 1>/dev/null 2>/dev/null

The /etc/rc.d/rc.sysinit is also edited to include the following lines:

echo "# Running Xsf ..." >> /etc/rc.d/rc.sysinit
echo "/usr/bin/xsf -q 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit
echo "# Running Xchk ..." >> /etc/rc.d/rc.sysinit
echo "/usr/bin/xchk 1>/dev/null 2>/dev/null" >> /etc/rc.d/rc.sysinit

If you string xsf, you will be able to get the passwords that the skripkid
used.

--] The tuxkit configuration files

The tuxkit config files follows that of the original Linux rootkit. There are
.addr, .cron, .file, .log and .proc. The filenames are self-explanatory. These
files follow the convention of the original Linux rootkit. In forensic, what
you will be interested in most is the .addr files, because it contains the
IP that netstat is supposed to hide.

--] Detecting tuxkit

Detecting tuxkit is fairly simple.

1. Look for the existence of /dev/tux
2. Run lsof -i +M | grep xsf

Hey, why wasn't lsof trojaned? t0rn has a trojaned lsof :)

--] Detecting tuxkit - trojans

1. md5sums - if you've keep an md5sum of the virgin state of your
installation, detecting trojans should be a walk in the park. Every
system administrator should use file integrity checker to monitor
critical file change.
2. Look for /usr/bin/xsf and /usr/bin/xchk
3. Look for extra lines in /etc/rc.sysinit
4. cd /etc/ssh; ls -l. The trojaned ls will return nothing, when in
fact your ssh config files are still there.

The following are the size difference between tuxkit and Redhat 7.1 binaries.
(before installation)

files tuxkit Redhat 7.1
------------------------------------------
crontab 29052 21280
df 27112 26812
dir 42952 45948
dmesg 3640 4252
du 25592 25788
find 55220 47516
ifconfig 36356 51164
killall 14400 12096
locate 9144 25020 (symlink to slocate)
login 3980 17740
ls 42952 45948
netstat 58228 83132
ps 62748 63180
pstree 14532 12284
sshcheck 89828 - (my test machine don't have this)
sshdconfig 451260 - (my test machine don't have this)
syslogd 28324 26972
tcpd 18660 24844
top 37844 34924
updatedb 4394 25020 (symlink to slocate)
vdir 42952 45948

This result is quite interesting. Trojans are not supposed to be bigger that
the original binaries!

--] Detecting tuxkit - if you are lucky

On our honeypot, the trojaned 'ps' still shows xsf, even though xsf was in
the list of processes to be hidden. However, 'ls' seems to work very well
in hiding files.

--] Recommendations

For tuxkit developers
- Add trojaned lsof. Borrow one from t0rn :) Also, fix ps.
- tools.tgz is probably not needed. A skripkid who is able to crack a Linux
machine (duh) should be able to download and compile his/her own tools.
Furthermore, tools.tgz adds unnecessary extra bytes to the tuxkit - not
really convenient for downloading.
- Add a self-deleting script, i.e. delete the tar files and installation
directory after installation. skripkids seems incapable of doing this.
The config files should be kept somewhere else other than /dev/tux.

For skripkidz - vi tuxkit, type the following:

:%s//dev/tux/installation_dir_of_your_choice/g

where installation_dir_of_your_choice is, uh, the installation directory
of your choice. (However, this won't work, since /dev/tux/.{addr,proc}, etc
are already hardcoded to the binaries - so hehe, just run ./tuxkit and pray
that the stupid system administrators won't notice :)

For system administrators - run file integrity checker after each fresh
install.

--] Conclusion

The world of forensic analysis ain't fun without rootkits.

--] Appendix - Contents of each packages

[root@angel tuxkit-1.0]# less bin.tgz
-rwx------ root/root 29052 2001-12-26 21:37:57 bin/crontab
-rwx------ root/root 27112 2001-12-26 21:37:57 bin/df
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/dir
-rwx------ root/root 3640 2001-12-26 21:37:57 bin/dmesg
-rwx------ root/root 25592 2001-12-26 21:37:57 bin/du
-rwx------ root/root 55220 2001-12-26 21:37:57 bin/find
-rwx------ root/root 36356 2001-12-26 21:37:57 bin/ifconfig
-rwx------ root/root 14400 2001-12-26 21:37:57 bin/killall
-rwx------ root/root 9144 2001-12-26 21:37:57 bin/locate
-rwx------ root/root 3980 2001-12-26 21:37:57 bin/login
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/ls
-rwx------ root/root 58228 2001-12-26 21:37:57 bin/netstat
-rwx------ root/root 62748 2001-12-26 21:37:57 bin/ps
-rwx------ root/root 14532 2001-12-26 21:37:57 bin/pstree
-rwx------ root/root 89828 2001-12-26 21:37:57 bin/sshcheck
-rwx------ root/root 451260 2001-12-26 21:37:57 bin/sshdconfig
-rwx------ root/root 28324 2001-12-26 21:37:57 bin/syslogd
-rwx------ root/root 1522 2001-12-26 21:37:57 bin/sz
-rwx------ root/root 18660 2001-12-26 21:37:57 bin/tcpd
-rwx------ root/root 37844 2001-12-26 21:37:57 bin/top
-rwx------ root/root 4394 2001-12-26 21:37:57 bin/updatedb
-rwx------ root/root 42952 2001-12-26 21:37:57 bin/vdir

[root@angel tuxkit-1.0]# less cfg.tgz
-rw------- root/root 17 2001-11-11 19:12:19 cfg/.addr
-rw------- root/root 69 2001-11-12 23:06:32 cfg/.cron
-rw------- root/root 67 2001-12-27 20:54:23 cfg/.file
-rw------- root/root 13 2001-12-27 20:54:47 cfg/.log
-rw------- root/root 116 2001-12-27 20:55:29 cfg/.proc

[root@angel tuxkit-1.0]# less sshd.tgz
-rw------- virus/virus 828 2001-12-13 00:22:12 ssh2/hostkey
-rw------- virus/virus 697 2001-12-13 00:22:12 ssh2/hostkey.pub
-rw------- virus/virus 503 2001-12-27 20:43:12 ssh2/logo
-rw------- virus/virus 512 2001-12-13 23:51:33 ssh2/random_seed
-rwx------ virus/virus 1040220 2002-01-06 00:05:58 ssh2/sshd
-rw------- virus/virus 647 2001-12-27 22:42:20 ssh2/sshd2_config

[root@angel tuxkit-1.0]# less lib.tgz
lrwxrwxrwx root/root 0 2001-11-11 02:49:02 lib/libproc.so -> libproc.so.
2.0.7

1.) The Linux Hackers Intro to assembly language (Pt. 1) - argc
2.) Intro to PGP on Windows - madirish
3.) Hacking Windows Shares from Linux with Samba - madirish
4.) DVD Ripping the Right Way - A
5.) SAM Files and NT Password Hashes - Grifter
6.) SQL Interjection Attack - Fiend
7.) Raw Socket Access in Windows XP - Tierra
8.) The Tuxtendo's Tuxkit Rootkit Analysis - Spoonfork

Source

Tags

Articles

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs