This is a reply to the Tuxkit rootkit analysis by 'Spoonfork' (http://archive.tuxtendo.nl/rootkit/tuxkit-analysis.txt).

> The following are the contents of each tuxkit. This analysis will focus on
> tuxkit-1.0.tgz, the one that was found on our honeypot. The rootkit was
> developed by Argv[], possibly modified from and based on the t0rn rootkit.

Do you want us to spank you boy? We did NOT copy stuff from the t0rn rootkit.

> The timestamp of the rootkit was December 2001.

The release date was 15/12/2001. If you would run it (./tuxkit) you would have known that.

> Googling for "tuxkit analysis" did not produce any hits, so I guess that this
> rootkit is pretty new. NOTE: chkrootkit failed to detect tuxkit.

t0rnkit would have been detected, so if Tuxkit was copied off t0rn's kit, it would have been detected too. You guys might say D'OH now, but this 'Spoonfork' clearly does not understand that.

> The tuxkit is almost similar to the t0rn rootkit.

Why? Does it look like t0rnkit to you? We would really like to know that.

> The addition of the precompiled tools such as nmap, synscan and psybnc makes it
> a more handy rootkit. It is flawlessly easy to install. Tuxkit is like a
> pack-n-go kinda tool. The appendix shows the contents of each package in
> tuxkit. This sets tuxkit apart from t0rn - it does not use default ports.

We think you should start a fan club for t0rnkit.

> The trojaning process is straightforward. syslogd is killed first. Then all
> the files that came with tuxkit-1.0.tgz are untarred and unzipped. The
> installation directory is created. The default installation directory is
> /dev/tux, and even though this is kept as the variable RDIR, the tuxkit
> install script hardcoded "mkdir /dev/tux", thus changing RDIR, but forgetting
> to change the line above will cause your installation to skew a bit (most
> scriptkids won't bother to do this anyway). In fact, /dev/tux is hardcoded
> almost everywhere in the installation script.
If you would have checked the installation script with some attention, you would have seen the following line: "# You do not need to edit anything below this." Do we need to say anything else? And why do you write the installation progress in WORDS? If people really want to know what's going on they can just check out the installation script.

> If you strings xsf, you will be able to get the passwords that the skripkid used.

So what about /dev/tux/.pw? The (encrypted) password is stored in that file, my friend. So once again, what the fuck are you talking about?

> Hey, why wasn't lsof trojaned? t0rn has a trojaned lsof :)

SIGH, Tuxkit is NOT based on t0rnkit, you moron.

> 4. cd /etc/ssh; ls -l. The trojaned ls will return nothing, when in fact your
> ssh config files are still there.

Finally some "useful" information.

> - Add trojaned lsof. Borrow one from t0rn :) Also, fix ps.

A backdoored version of lsof has already been added in Tuxkit 2.0 PE and I did not find any bugs in the backdoor code of ps. (BTW: As we said many times, we do not copy stuff from other rootkits. That would only make our kit easier to detect. And we're still convinced you should start a t0rnkit fan club.)

> - tools.tgz is probably not needed. A skripkid who is able to crack a Linux
> machine (duh) should be able to download and compile his/her own tools.
> Furthermore, tools.tgz adds unnecessary extra bytes to the tuxkit - not really
> convenient for downloading.

Tuxkit 2.0 PE does not contain a tools.tgz.

> For skripkidz - vi tuxkit, type the following:
> :%s/\/dev\/tux/installation_dir_of_your_choice/g
> where installation_dir_of_your_choice is, uh, the installation directory of
> your choice. (However, this won't work, since /dev/tux.{addr,proc}, etc. are
> already hardcoded into the binaries - so hehe, just run ./tuxkit and pray that
> the stupid system administrators won't notice :)

If you know that changing the installation script will only fuck up the rootkit's installation, why, WHY do you give such information?
--] Conclusion

Our conclusion, which is purely based on this "Rootkit Analysis", is that you're another wanker, trying to play elite. If you want to make rootkit analyses, take an example analysis (like the t0rnkit analysis by D. Dittrich, since you're a t0rnkit fan) and try to produce something on that level. We wouldn't even dare calling this an analysis. You didn't give any so far unknown information about the kit.

> The world of forensic analysis ain't fun without rootkits.

The world wouldn't be fun without morons like you.

The Tuxtendo Crew.
(Written on Monday 27-05-2002)
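Added example, not part of the Tuxtendo reply or of Spoonfork's analysis: the "cd /etc/ssh; ls -l" check quoted above only helps if the admin notices that a directory which should be full comes back empty. A more robust version of the same idea cross-checks whatever "ls" sits first on PATH against an independent walk of the directory with find(1): a userland kit that swaps /bin/ls filters names out of ls's output but does not change what find returns, so every name find reports and ls omits is suspicious. The script below builds a constructed sandbox with a fake trojaned ls that drops names starting with "tuxkit" (a stand-in; the real kit's filter is not described on this page), puts it first on PATH, and shows the cross-check recovering the hidden name. It assumes find itself is intact; on a suspect host, run both tools from known-good media.

```sh
#!/bin/sh
# Cross-check the `ls` found on PATH against an independent walk of the
# same directory with find(1). A userland rootkit that replaces /bin/ls
# filters names out of ls's output but does not touch find, so any name
# that find reports and ls omits is worth a close look. Assumption: find
# itself is intact; on a suspect host run both from known-good media.

# hidden_entries DIR: print (sorted) the entries of DIR that find sees
# but "ls -A" does not. Empty output is the clean case.
hidden_entries() {
    dir=$1
    # What an admin sees: whatever ls is first on PATH, possibly trojaned.
    ls_out=$(cd "$dir" && ls -A)
    # Independent view of the same directory.
    find "$dir" -mindepth 1 -maxdepth 1 | while IFS= read -r path; do
        name=${path##*/}
        if ! printf '%s\n' "$ls_out" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done | sort
}

# demo_trojaned_ls: constructed sandbox. Builds a fake "trojaned" ls that
# drops every name starting with "tuxkit" (a stand-in for the filter a
# rootkit compiles into its ls; the real kit's filter is not described
# on this page), puts it first on PATH, and runs the cross-check on a
# directory standing in for /etc/ssh. Prints the names the fake ls hid.
demo_trojaned_ls() {
    work=$(mktemp -d)
    mkdir -p "$work/etc_ssh" "$work/bin"
    : > "$work/etc_ssh/sshd_config"
    : > "$work/etc_ssh/ssh_host_key"
    : > "$work/etc_ssh/tuxkit_backdoor"    # constructed file name
    real_ls=$(command -v ls)               # resolved before PATH is altered
    # Fake ls: run the real one, then filter the "hidden" names out.
    printf '#!/bin/sh\n"%s" "$@" | grep -v "^tuxkit"\nexit 0\n' \
        "$real_ls" > "$work/bin/ls"
    chmod +x "$work/bin/ls"
    # Subshell so the poisoned PATH does not leak out of the demo.
    result=$(PATH="$work/bin:$PATH"; export PATH; hidden_entries "$work/etc_ssh")
    rm -rf "$work"
    printf '%s\n' "$result"
}

# Usage: demo_trojaned_ls        -> prints tuxkit_backdoor
#        hidden_entries /etc/ssh -> on a live host; no output means ls and
#                                   find agree on that directory
```

The same pattern generalises to the other trojaned tools the analysis lists: compare ps against /proc, netstat against /proc/net/tcp, and so on. Any disagreement between two independent views of the same kernel state is the signal.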