Rootkit design feedback
April 19th, 2014
When I was in high school, Kazaa was everyone’s primary source of pirated music and viruses. I made a reasonable amount of money fixing virus-infected Windows XP machines for friends-of-friends. I’ve been proud to say that I hadn’t (to my knowledge) been affected by a virus. Sadly, my streak came to an end this week. And on my Linux desktop, no less!
To whoever wrote the rootkit that compromised my machine, I applaud you. But in stealing my confidence and breaking my heart, you made a couple of totally unnecessary mistakes.
Better luck next time, though who knows. Maybe you’ve already stolen everything of value to me. Alas.
Earlier this week, I noticed that my /etc/hosts file was being changed every hour at :49. Its content always ended up as:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 188.8.131.52 rhino.acme.com # source server
# 184.108.40.206 x.acme.com # x client host
127.0.0.1 localhost
# *********ÒÔÏÂÄÚÈÝÎª360°²È«ÎÀÊ¿ÎªÃâÒß»úÆ÷¹·ÄŸÂí²¡¶ŸËùÌíŒÓ******************
127.0.0.1 yu.8s7.net
127.0.0.1 1.jopanqc.com
127.0.0.1 2.joppnqq.com
127.0.0.1 wg.47255.com
127.0.0.1 1.joppnqq.com
# ... etc ...
Given the fishy domain names being redirected to 127.0.0.1, it looked like the work of an adblocker. A Windows-based adblocker at that (hence the “sample HOSTS file used by Microsoft TCP/IP for Windows”). I didn’t like it.
When Googling turned up nothing, I tried to figure out what was modifying that file. I went through the crontab both for my user and for root and found nothing. Next, I set up an auditctl rule to figure out who was modifying the file. Strangely, nothing came up. After spending a couple of hours on it, I decided that it wasn’t malicious and gave up.
Here was your first mistake. If you’re going to edit my hosts file, do something with it. Redirect every host I have there to your own IP address running a modified version of an SSH daemon that just collects usernames and passwords. Sure, I’ll get the familiar “The authenticity of host ‘<host>’ can’t be established” error, but I might have blown through it, and by that point, you’d have my password and private key for those machines.
/lib/sshd’s CPU consumption
The next day, I noticed that our internet was going in and out. Time Warner Cable seems to have this magical property that if one machine on the network is uploading too much, it starves sockets for everyone else on the network. Thanks, Time Warner!
There didn’t seem to be any outages, but then I noticed that /lib/sshd was eating 175%+ CPU whenever the internet was down! Obviously, it was doing something naughty, though I didn’t stick around to figure out what. I immediately reinstalled my operating system, changed all of my passwords, regenerated SSH keys, etc.
Nice choice selecting a familiar process name (the real process is /usr/sbin/sshd), but why did it need so much CPU? You could have run it at a much lower interval or at non-peak times, and I never would have found it.
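Two defender-side checks that would have flagged both symptoms described above (the rewritten hosts file and the impostor sshd), as an added example that is not from the original post. It assumes the legitimate daemon lives at /usr/sbin/sshd and takes the hosts file and procfs root as arguments so it can be run against copies; the awk threshold of five sinkholed names is an arbitrary choice for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumed paths: /usr/sbin/sshd
# is the real daemon; any "sshd" whose /proc/PID/exe points elsewhere is
# reported. An audit watch for the hosts file would be set with
#   auditctl -w /etc/hosts -p wa -k hosts_change
# but, as the post notes, a kernel-level rootkit can hide from it, so the
# checks below look at the file contents and the process table directly.

# Flag a hosts file carrying the Windows sample header, or one that maps
# more than a handful of non-localhost names to a sinkhole address.
# Prints what it found; returns 1 when suspicious, 0 when clean.
check_hosts_file() {
    local file="$1" suspicious=0 n
    if grep -qi 'sample HOSTS file used by Microsoft' "$file"; then
        echo "windows sample header present in $file"
        suspicious=1
    fi
    # comment lines have "#" in field 1, so they are skipped automatically
    n=$(awk '$1 ~ /^(127\.0\.0\.1|0\.0\.0\.0)$/ && $2 !~ /^localhost/ {c++}
             END {print c+0}' "$file")
    if [ "$n" -gt 5 ]; then
        echo "$n non-localhost names sinkholed in $file"
        suspicious=1
    fi
    return $suspicious
}

# Walk a procfs tree (default /proc) and report every process whose command
# name is sshd but whose executable is not the expected binary. Unreadable
# links (non-root on a real /proc) are reported rather than silently skipped.
# Returns 1 if an impostor was found, 0 otherwise.
find_impostor_sshd() {
    local proc="${1:-/proc}" expected="${2:-/usr/sbin/sshd}" found=0 d exe
    for d in "$proc"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        [ "$(cat "$d/comm" 2>/dev/null)" = "sshd" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="(unreadable, run as root)"
        if [ "$exe" != "$expected" ]; then
            echo "pid ${d##*/}: sshd running from $exe"
            found=1
        fi
    done
    return $found
}
```

Run `check_hosts_file /etc/hosts; find_impostor_sshd` as root on a live box; a clean system prints nothing and both functions return 0.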
Still, you win. I’m embarrassed with my network administration, but at least I’m not part of the malware aquarium.