Tornkit

Classification

Malware

-

-

Tornkit, t0rnkit

Summary

Tornkit is a rootkit, a set of programs that is used by an intruder to have unrestricted access to a compromised Linux system. Tornkit is also attempts to hide its presence.

A modified version of this rootkit was distributed by a variant of Unix/Lion worm. Further information about Lion is available at: https://www.Europe.F-Secure.com/v-descs/lion.shtml

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Community

Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

When tornkit installation is started, it first shuts down the system logging daemon, syslogd.

It replaces several system executables with trojanized versions and adds a trojanized ssh daemon to the system as well.

Configuration files related to trojanized ssh daemon are saved to

/usr/info/.t0rn/shdcf

 /usr/info/.t0rn/shhk

 /usr/info/.t0rn/shhk.pub

 /usr/info/.t0rn/shrs

Trojanized ssh daemon itself will be moved to "/usr/sbin/nscd", and then started. It is also added to the end of the "/etc/rc.d/rc.sysinit" along with the following comment:

# Name Server Cache Daemon..

This way the trojanized sshd will be executed when system restarts. By default it uses port number 47017 for it. This is configurable, and the port number is saved to "/usr/info/.t0rn/shdcf".

Following system files are replaced with trojanized versions:

/bin/login

 Uses the password hash from "/etc/ttyhash" for backdoor access.

 Original "/bin/login" is saved to "/sbin/xlogin".

 /sbin/in.fingerd

 Altered fingerd that adds an open shell to port 2555

 /bin/ls

 /bin/netstat

 /bin/ps

 /sbin/ifconfig

 /usr/bin/top

 /usr/bin/du

 /usr/bin/find

 These versions of system binaries do not show files, processes or

 network connections used by the kit.

Date and time stamps are preserved from the original system files and "/bin/login" installed by the kit is modified in a such way that its size appears to be the equal with the original "/bin/login".

The kit creates following configuration files and executables:

/usr/src/.puta/.1addr

 /usr/src/.puta/.1file

 /usr/src/.puta/.1logz

 /usr/src/.puta/.1proc

 /usr/src/.puta/t0rns

 /usr/src/.puta/t0rnp

 /usr/src/.puta/t0rnsb

Finally Tornkit starts a sniffer in background, enables telnetd, rsh and finger daemons in "/etc/inetd.conf", restarts inetd to activate changes made and starts syslogd.