Backdoors available for analysis

January 16, 2008

Found a couple of backdoors that had been downloaded to a box of mine. They are available here for your convenience (if the links go down, I’ll put them up for download on a mirror):

http://geocities.com/crewnewbie/tools/cbk.tar.gz
http://geocities.com/evikhobare/chanarybot.tar.gz

From my preliminary findings, they both contain the XHide process faker, one of them includes a remote-connect backdoor. I’d welcome any forensic insight into these, as I don’t have a whole lot of experience with doing process/machine forensics. There are still some processes running from the offending user(s), I am wary to kill anything. In the meantime I’ll be doing my own analysis and hopefully reporting on it here.

Advice? Suggestions?

EDIT: The system is a FreeBSD 6.2-RELEASE machine running on a SPARC processor.

posted in backdoor, forensic, forensics, hacking, xhide by Lee

5 Comments to "Backdoors available for analysis"

  1. dnardoni wrote:

    Are these systems windows or unix/linux?

    I would recommend you collect all the open ports and processes running on the system.

    Also it may be valuable to port scan the system remotely to compare what ports the system says are open vs. what you find remotely. Maybe a rootkit hiding processes or open ports?

    Also I would make a forensic image of the systems using ddcfldd and that way you can offer the images up for analysis should you wish.

    You already seem to be very adept at capturing network based information so I am sure you have done that already.

    If possible it may be worth trying to image RAM as well.

    After forensic images have been made those with reverse engineering experience can see what the malware is capable of.

    If you can provide some more detail might be able to give you more ideas.

    Dave

    Link | January 16th, 2008 at 11:21 am

  2. Lee Hinman wrote:

    @dnardoni:
    Thanks for the feedback! The machine is indeed a FreeBSD 6.2 machine running on a SPARC processor (I updated the post to tell this). I will definitely be doing a portscan on the machine to compare what netstat says to what nmap sees. As far as creating a forensic image, I’m afraid I’m not sure the best way to go about this. I’m worried that even if I do create an image, I won’t be able to work on it on any of my machines (big-endian vs. little-endian).

    I’m planning on providing more details and output from different commands as I work through the analysis. Thanks for the advice so far! :)

    Link | January 16th, 2008 at 11:31 am

  3. Joel ealer wrote:

    how did the backdoors get on the box?

    Link | January 16th, 2008 at 2:56 pm

  4. Lee Hinman wrote:

    This machine is a honeypot of sorts, users were allowed accounts on the machine with a notice that their actions were monitored.

    They actually got on there from a user wget’ing them on :)

    Link | January 16th, 2008 at 3:05 pm

  5. dnardoni wrote:

    Lee,

    I would consider running some of the command with trusted binaries maybe off a cd or usb drive to a mapped location maybe using netcat

    “Netstat -an” this will list open ports
    “netstat -rn” this will list your routing table
    “lsof” list open files
    “ps aux” list running processes
    many other commands could be handled if you had a forensic image, such as reviewing user accounts, hidden files possibly created, deleted files, analysis of file data/timestamps around the time of the incident.

    Hope that helps a bit

    Dave

    Link | January 17th, 2008 at 1:18 pm

 
Powered by Wordpress and MySQL. Theme by Shlomi Noach, openark.org