Kanbe Malware Toolkit

25 May 2012

The Kanbe malware kit is a trove of attacker tools that I found after an attacker attempted to download a file from it to our honeypot. The host site looked like an ftp server that had an easily guessable username and password that was captured in the honeypot logs. Browsing the site I found 90 different tools and a couple of directories. Unfortunately I don't have time to analyze all of the tools so I'm attaching them to this blog post as one big archive (see below). I did look at some of the tools and found some very interesting items. There were quite a few IRC bots that should be easily recognizable, such as EnergyMech and PsyBNC, but there were also some other interesting tools. What follows is a very brief, and high level, analysis of some the contents of the toolkit.

You can download the kit from http://www.madirish.net/assets/files/kanbe.tar.gz (be warned, this *is* malware - don't run anything in an uncontrolled environment).

The kit contained two directories, labeled 'pass' and 'psybnc'. The 'pass' directory contains 11 files titled austria_pass, china_pass, comun_pass, france_pass, germany_pass, italy_pass, japan_pass, korea_pass, pass.txt, usa.txt and usa_pass. As indicated by the document titles, these documents contain localized lists of username and password pairs. The pass.txt file is a generalized username, password list that includes system accounts such as root. The psybnc directory contains psyBNC 2.2.1 AIX RS-1 Pre-compiled along with the requisite text files, binaries, and configuration scripts.

The kit also contains a number of single files, compiled binaries, and tar archives. These include:

0.tgz

This archive uncompresses to a single directory '0' that contains three files: 0, 0.c, and README. According to the README this tool is '0x333shadow' which "0x333shadow is a tool, that allow you hide your track in a system, it's clean default dirs with a recursive scan including subdirectory." The documentation describes 0x333shadow as a log file cleaner that will kill syslog and clean traces of intruder activity from log files. The program searches most default logs and erases lines that match input provided to the program. This could be useful for wiping attacker IP addresses from log files. This program does rely on user input, so sloppy use could result in broad damage to log files. The program does attempt to restart syslog once it is finished, but again, this operation may not be successful.

a.php

This is PHP Shell version 1.7 by Martin Geisler . This is a simple form written in PHP that will execute commands via PHP's system function. The shell nicely captures errors and output by piping command results to a file in /tmp and returning the results. The file is lightweight and effective, with a particularly nice interface for allowing attackers to change directories.

allkind.tar.gz

Allkind looks like some sort of simple compiled IRC bot. The configuration type files 'mech.levels' and 'mech.set' may indicate that this is the EnergyMech IRC bot.

aspx_brute.c

This file is the IIS5.0 .asp overrun remote brute force exploit by xfocus. It is a simple tool that attempts to perform a buffer overrun attack against the server specified by the user.

brute.c

This is a basic C program that will perform SSH brute force attacks. What is interesting about this program is that it looks like it was designed to be run as a scheduled job. The program disguises its process name so that it appears as a regular SSH client to anyone checking the process lists.

e.tgz

This package contains a lot of seemingly random material. Most of the contents include exploit code, including service exploits (such as a webmin exploit) as well as Linux kernel exploits. Many of these exploits were fairly recent and could likely be used on many compromised hosts.

rk.tgz

This package contains the shv5 linux rootkit.

sniff.tar

This package contains what appears to be a full OpenSSH server installation. I haven't had time to look but I suspect that the package is tampered with and probably includes some sort of trojan or backdoor.

scane.txt

This is a PHP remote file include (RFI) and local file include (LFI) vulnerability scanner written in Perl. The scanner is particularly interesting because it hooks into an IRC server and channel for output. Given the number of IRC bots and other IRC enabled servers this isn't surprising, but it is interesting that the tool is designed to report results remotely.