
Simple ClamAV sig for /lib64/libkeyutils.so.1.9 contents

Posted 02-16-2013 at 03:26 PM by unSpawn
Updated 02-17-2013 at 08:03 AM by unSpawn

Wrt the SSHD rootkit rolling around.

*I updated RKH in CVS but detection wasn't added yet to ClamAV, Securiteinfo or R-fx MLD:
Code:
]$ clamscan --official-db-only=no -d ./securiteinfoelf.hdb -d ./securiteinfosh.hdb -d ./rfxn.hdb -d ./rfxn.ndb -d ./RKH_libkeyutils.ldb -r --infected -r $PWD
path01/libkeyutils.so.1.9: RKH_libkeyutils.so.1.9.UNOFFICIAL FOUND
path02/libkeyutils.so.1.9: RKH_libkeyutils.so.1.9.UNOFFICIAL FOUND
path03/innucuoustarball.tar.bz2: RKH_libkeyutils.so.1.9.UNOFFICIAL FOUND

Sample hashes
Code:
# Theirs (WHT):
c1f53b3ecb05102d46f1d533fe093529 /lib64/libkeyutils.so.1.9
d81217186da61125f4dad7a87857b697 /lib64/libkeyutils.so.1.9

# Mine + submitted by Steve (WHT):
2ef85e0b63f0b0f814ba9e5b364cc8a0  libkeyutils.so.1.9
bb2146da4f4648589e44c132468fb74b  libkeyutils.so.1.9
d81217186da61125f4dad7a87857b697  libkeyutils.so.1.9
f3c416eea1c38f60d60cdc331e37bfa6  libkeyutils.so.1.9

Contents of RKH_libkeyutils.ldb:
Code:
]$ sigtool --datadir=$PWD --find-sigs=RKH 2>&1| sigtool --decode-sig 2>&1 | egrep -v "(\+|\*)"
VIRUS NAME: RKH_libkeyutils.so.1.9
TDB: Target:0
LOGICAL EXPRESSION: ((0)&(1)&(2)&(3)&(4)&(5)&(6)&(7)&(8)&(9))|((10)&(11)&(12))
bind
connect
send
socket
tmpfile
waitpid
gethostbyname
sysconf
inet_ntoa
sleep
dlclose
strcat
strcpy
*Basically a combination of strings you don't expect in the official libkeyutils.so library.
**Tested only against libkeyutils 1.5.5-4_amd64 from Debian and 1.5.5-3 from Arch.


How to use:
- download RKH_libkeyutils.ldb.txt,
- check the hashes (MD5: 4fb3f72158b8f88331868ebd62cef104, SHA1: 2efd1df56ce60d0cb5f0fb03877b3565384b2dd3),
- rename it to "RKH_libkeyutils.ldb",
- run ClamAV with it as an added database:
Code:
clamscan -i --database=/your/path/RKH_libkeyutils.ldb -r /lib* /usr/lib*
*Should be easy to add to any Clam.* tool you're running right now.
- or ClamAV targeted more specifically at the libkeyutils files only:
Code:
find /lib* /usr/lib* -iname \*libkeyutils\* > /path/to/output.txt
clamscan -i --database=/your/path/RKH_libkeyutils.ldb -f /path/to/output.txt
- or continuously with inotifywait, good for tmp dirs and user homes:
Code:
]$ inotifywait --format '%w%f' -e close_write -mrq /tmp /var/www /home -o /dev/stdout \
| xargs -iX clamscan -i --no-summary --database=/your/path/RKH_libkeyutils.ldb --follow-file-symlinks=2 'X'
*You probably want to pipe the latter to email so you get an early warning.

Bit terse but it'll do for now.

*Addendum[0]: the cause seems to be https://access.redhat.com/security/cve/CVE-2013-0871
*Addendum[1]: updated sig.
*Addendum[2]: apparently you need to be logged in to fetch the attachment. Here's the actual contents of "RKH_libkeyutils.ldb" for copy & pasting:
Code:
RKH_libkeyutils.so.1.9;Target:6;(((0)&(1)&(2))&(((3)&(4)&(5))|((6)&(7)&(8))));636f6e6e656374;73656e64;736f636b6574;62696e64;746d7066696c65;77616974706964;646c636c6f7365;737472636174;737472637079
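To make explicit what that one-line signature actually asserts, here is a small Python evaluator, added as an illustration and not part of the original post or of ClamAV itself. It decodes the hex subsignatures back into the strings listed above and evaluates the logical expression, so you can see that a file only fires when it carries connect, send and socket together with either the bind/tmpfile/waitpid group or the dlclose/strcat/strcpy group, and that partial hits (a legitimate library importing strcpy, say) do not. It handles only the plain-hex, `&`, `|` and `(n)` subset this signature uses (no ClamAV wildcards or count operators); the sample buffers are constructed, not real library contents, and the ELF-magic check is my stand-in for ClamAV's own file-type detection of Target:6 (ELF).

```python
import re

# The logical signature exactly as posted in Addendum[2] above.
RKH_LDB = (
    "RKH_libkeyutils.so.1.9;Target:6;"
    "(((0)&(1)&(2))&(((3)&(4)&(5))|((6)&(7)&(8))));"
    "636f6e6e656374;73656e64;736f636b6574;62696e64;746d7066696c65;"
    "77616974706964;646c636c6f7365;737472636174;737472637079"
)
ELF_MAGIC = b"\x7fELF"


def parse_ldb(line):
    """Split a .ldb line into (name, target, logical expression, decoded subsigs).
    Only plain-hex subsignatures are handled, which is all this signature uses;
    ClamAV wildcards (??, *, {n}) would need a pattern matcher instead."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("ldb line needs name;target;expression;subsig...")
    name, target, expr = fields[0], fields[1], fields[2]
    subsigs = []
    for h in fields[3:]:
        if not re.fullmatch(r"[0-9a-fA-F]+", h) or len(h) % 2:
            raise ValueError("unsupported (non plain-hex) subsignature: %s" % h)
        subsigs.append(bytes.fromhex(h))
    return name, target, expr, subsigs


class _LogicalExpr:
    """Recursive-descent evaluator for the '&', '|', '(n)' subset of ClamAV logical expressions."""
    def __init__(self, expr, hits):
        self.s, self.i, self.hits = expr.replace(" ", ""), 0, hits

    def evaluate(self):
        value = self._or()
        if self.i != len(self.s):
            raise ValueError("trailing input at offset %d" % self.i)
        return value

    def _peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def _or(self):
        value = self._and()
        while self._peek() == "|":
            self.i += 1
            rhs = self._and()  # always parse the rhs so the cursor advances
            value = value or rhs
        return value

    def _and(self):
        value = self._atom()
        while self._peek() == "&":
            self.i += 1
            rhs = self._atom()
            value = value and rhs
        return value

    def _atom(self):
        if self._peek() == "(":
            self.i += 1
            value = self._or()
            if self._peek() != ")":
                raise ValueError("expected ')' at offset %d" % self.i)
            self.i += 1
            return value
        m = re.match(r"\d+", self.s[self.i:])
        if not m:
            raise ValueError("expected subsignature index at offset %d" % self.i)
        self.i += m.end()
        return self.hits[int(m.group())]


def subsig_hits(data, ldb_line=RKH_LDB):
    """Which decoded subsignatures occur in data, keyed by their string form."""
    return {s.decode("ascii"): (s in data) for s in parse_ldb(ldb_line)[3]}


def scan_bytes(data, ldb_line=RKH_LDB):
    """Return the signature name if data matches, else None."""
    name, target, expr, subsigs = parse_ldb(ldb_line)
    # Target:6 is ClamAV's ELF target type; clamscan relies on its own file-type
    # detection, the magic-number check here is a simplification standing in for it.
    if target == "Target:6" and not data.startswith(ELF_MAGIC):
        return None
    return name if _LogicalExpr(expr, [s in data for s in subsigs]).evaluate() else None


def scan_file(path, ldb_line=RKH_LDB):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), ldb_line)


def _fake_elf(symbols):
    # Constructed stand-in for a library: ELF magic plus NUL-separated names the way
    # they would sit in .dynstr. Not real file contents of any libkeyutils build.
    return ELF_MAGIC + b"\x00" + b"\x00".join(symbols) + b"\x00"

SAMPLE_CLEAN = _fake_elf([b"keyctl", b"request_key", b"add_key", b"strcat", b"strcpy"])
SAMPLE_VARIANT_A = _fake_elf([b"keyctl", b"connect", b"send", b"socket", b"bind", b"tmpfile", b"waitpid"])
SAMPLE_VARIANT_B = _fake_elf([b"keyctl", b"connect", b"send", b"socket", b"dlclose", b"strcat", b"strcpy"])
SAMPLE_PARTIAL = _fake_elf([b"bind", b"tmpfile", b"waitpid", b"dlclose", b"strcat", b"strcpy"])

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("variant A", SAMPLE_VARIANT_A),
                        ("variant B", SAMPLE_VARIANT_B), ("partial", SAMPLE_PARTIAL)]:
        print("%-10s %s" % (label, scan_bytes(blob) or "no match"))
```

Running it stand-alone prints a match for the two constructed variants and "no match" for the clean and partial buffers; `subsig_hits()` shows per-string hits, which is handy when deciding whether a detection on some other library is a real hit or a string collision worth reporting back.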
Attached file: RKH_libkeyutils.ldb.txt (195 Bytes)