The rootkit apparently replaces the library libkeyutils with a trojanised version installed as
- /lib64/libkeyutils.so.1.9 (64-bit)
- /lib/libkeyutils.so.1.9 (x86).
It then changes the symlinks /lib64/libkeyutils.so.1 (and /lib/libkeyutils.so.1) to point to the malicious library.
The malware is capable of:
- stealing passwords, SSH keys and /etc/shadow from the system and sending them to a remote IP hard-coded in the file
- acting as a backdoor that gives access to the server at any time
- sending out spam mail
The library is normally found in /lib (or /lib64) and is therefore tracked by the package manager; on an apparently rooted box the query outputs "file /lib64/libkeyutils.so.1.9 is not owned by any package".
- For instance (RPM-based systems):
rpm -qf /lib*/libkeyutils*
(output "file /lib64/libkeyutils.so.1.9 is not owned by any package" is the symptom)
- Debian/Ubuntu (not reported as of now):
dpkg -l libkeyutils*
dpkg -L libkeyutils* (lists the files belonging to the package)
- The malicious library has specific network-related strings embedded, which can be verified by running strings on /lib64/libkeyutils.so.1.3 and grepping for gethostbyname|connect|socket|inet_ntoa|send; the genuine library normally has no business with these strings.
Run in the terminal:
strings /lib/libkeyutils.so.1.9 | grep -E 'gethostbyname|connect|socket|inet_ntoa|send'
strings /lib/libkeyutils.so.1.3 | grep -E 'gethostbyname|connect|socket|inet_ntoa|send'
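The two checks above (package ownership and network-related names in the library) combined into one script, added here as an example and not part of the original post. It uses grep -a instead of strings(1) so it also runs where binutils is absent, and the clean.so/bad.so files are constructed stand-ins for a genuine and a trojanised copy.

```shell
#!/bin/sh
# Added example: flag a libkeyutils copy by the two symptoms the text names.
NET_SYMS='gethostbyname|connect|socket|inet_ntoa|send'

# Print the distinct network-related names found in FILE, one per line.
net_symbols() {
    grep -aowE "$NET_SYMS" "$1" 2>/dev/null | sort -u
}

# Status 0 = no network names (expected of a genuine libkeyutils),
# 1 = at least one present (the symptom of the trojanised library).
check_lib() {
    [ -z "$(net_symbols "$1")" ]
}

# Report whether the package manager claims FILE: "owned", "unowned",
# or "unknown" when neither rpm nor dpkg is installed.
pkg_owner_status() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1 && echo owned || echo unowned
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1 && echo owned || echo unowned
    else
        echo unknown
    fi
}

# Constructed stand-ins for a genuine (clean.so) and a trojanised (bad.so)
# library so the script can be exercised offline; prints their directory.
make_samples() {
    d=$(mktemp -d)
    printf 'keyctl_read\nkeyctl_search\n' > "$d/clean.so"
    printf 'keyctl_read\ngethostbyname\nconnect\ninet_ntoa\n' > "$d/bad.so"
    echo "$d"
}

# Scan the real paths named in the text (if present) plus the samples.
samples=$(make_samples)
for f in /lib/libkeyutils.so.1* /lib64/libkeyutils.so.1* "$samples"/*.so; do
    [ -e "$f" ] || continue
    if check_lib "$f"; then verdict=clean; else verdict=SUSPICIOUS; fi
    echo "$f: package=$(pkg_owner_status "$f") network-names=$verdict"
    if [ "$verdict" = SUSPICIOUS ]; then net_symbols "$f" | sed 's/^/    /'; fi
done
rm -rf "$samples"
```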
- Interprocess communication is reported to be achieved through shared memory; on a rooted system, shared memory segments owned by the sshd process may be seen.
- Some of the known in-the-wild samples are: