
Exploit.Linux.Lotoor.b

Detected Sep 23 2010 13:55 GMT
Released Sep 24 2010 15:47 GMT
Published Apr 05 2011 12:29 GMT


Technical Details

This program is conditionally malicious software that grants superuser (root) privileges to the user of a device running the Android operating system by exploiting a vulnerability in NETLINK message processing (CVE-2009-1185).

Installation

This exploit program has to be placed in one of the following directories to ensure that it is launched:

/sqlite_stmt_journals/
or
/data/local/tmp
Before it is launched, the file is given the following permissions:
-rwxr-xr-x (755)

Payload

If the real user ID of the current process does not match its effective user ID, the exploit attempts to assign root privileges to the process and then deletes the following files:

/sqlite_stmt_journals/data
/sqlite_stmt_journals/hotplug
/sqlite_stmt_journals/loading
/sqlite_stmt_journals/mount
/sqlite_stmt_journals/fs_type
/data/local/tmp/data
/data/local/tmp/hotplug
/data/local/tmp/loading
/data/local/tmp/mount
/data/local/tmp/fs_type
/data/data/com.corner23.android.universalandroot/files/data
/data/data/com.corner23.android.universalandroot/files/hotplug
/data/data/com.corner23.android.universalandroot/files/loading
/data/data/com.corner23.android.universalandroot/files/mount
/data/data/com.corner23.android.universalandroot/files/fs_type
It then executes the commands passed to it as command-line parameters. If an error occurs while executing such a command, the program displays the following message:
[-] execve
If an error occurs during the readlink operation, the program displays the following message:
[-] readlink
If no user ID has been set for this file, or if the effective user ID is 0, it clears the contents of the following file:
/proc/sys/kernel/hotplug
It will then check for files:
/sqlite_stmt_journals/mount
/data/local/tmp/mount
/data/data/com.corner23.android.universalandroot/files/mount
If none of these files is found, it displays an error message. Otherwise it opens the "mount" and "fs_type" files and reads the data required for mounting, then re-mounts the following directory:
/system
It then creates:
/system/bin/rootshell
It copies its working directory there and sets the following permissions on the files (setuid, 4711):
-rws--x--x
It prints the following lines to the command line:
[*] Android local root exploid (C) The Android Exploid Crew
[*] Modified by shakalaca for various devices
It then selects one of the following base directories:
/sqlite_stmt_journals
/data/data/com.corner23.android.universalandroot/files
/data/local/tmp
The following directory is used by default:
/sqlite_stmt_journals
The following messages are then displayed in the command line:
[+] Using basedir=, path=

[+] opening NETLINK_KOBJECT_UEVENT socket
It deletes the following files from the base directory:
%BaseDir%/data
%BaseDir%/hotplug
%BaseDir%/loading
%BaseDir%/mount
%BaseDir%/fs_type
%BaseDir%/remount_as_ro.sh
It then re-creates these files, saving in them the information about the mounted device and the file system type of the following directory:
/system
It creates a script that remounts the file system:
%BaseDir%/remount_as_ro.sh
It then exploits a vulnerability in the handling of malformed NETLINK messages (CVE-2009-1185) to gain root privileges for the current user. Finally, it displays the following lines:
[*] Try to invoke hotplug now, clicking at the wireless
[*] settings, plugin USB key etc.
[*] You succeeded if you find /system/bin/rootshell.
[*] GUI might hang/restart meanwhile so be patient.
This exploit program may run on the following devices:
Google Nexus One (2.2)
Google G1 (1.6)
HTC Hero (2.1)
HTC Magic (1.5)
HTC Tattoo (1.6)
Dell Streak (2.1)
Motorola Milestone (2.1)
Motorola XT701
Motorola XT800 (2.1)
Motorola ME511
Motorola Charm
Motorola Droid (2.01/2.1/2.2 with FRG01B)
Sony Ericsson X10 (1.6)
Sony Ericsson X10 Mini (1.6)
Sony Ericsson X10 Mini Pro (1.6)
Acer Liquid (2.1)
Acer beTouch E400 (2.1)
Samsung Galaxy Beam
Samsung Galaxy 5 (GT-I5500)
Vibo A688 (1.6)
Lenovo Lephone (1.6)
LG GT540 (1.6)
Gigabyte GSmart G1305
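The files and directories listed above are the artifacts a defender can look for on a device or a mounted filesystem image. The following POSIX shell check is an added example, not Kaspersky's code: the function name, the ROOT argument and the message format are this example's own choices, while the paths come from the description above.

```shell
#!/bin/sh
# Artifact check for Exploit.Linux.Lotoor.b (added example, not Kaspersky's code).
# Run on a device via "adb shell", or against a mounted filesystem image by
# passing its mount point as ROOT (empty ROOT = the live root filesystem).

LOTOOR_BASEDIRS="/sqlite_stmt_journals /data/local/tmp /data/data/com.corner23.android.universalandroot/files"
LOTOOR_DROPS="data hotplug loading mount fs_type remount_as_ro.sh"

# check_lotoor_artifacts [ROOT]
#   Prints one "[!]" line per artifact found and a final "[=]" summary.
#   Exit status: 0 when nothing was found, 1 when at least one artifact exists.
check_lotoor_artifacts() {
    root="${1:-}"
    root="${root%/}"          # strip a trailing slash so "$root/system" is clean
    found=0

    # 1. The setuid root shell the exploit installs when it succeeds.
    shell="$root/system/bin/rootshell"
    if [ -e "$shell" ]; then
        if [ -u "$shell" ]; then
            echo "[!] $shell exists and is setuid: exploit most likely succeeded"
        else
            echo "[!] $shell exists"
        fi
        found=$((found + 1))
    fi

    # 2. Helper files the exploit drops in whichever base directory it selected.
    for dir in $LOTOOR_BASEDIRS; do
        for name in $LOTOOR_DROPS; do
            f="$root$dir/$name"
            [ -e "$f" ] || continue
            echo "[!] dropped file: $f"
            found=$((found + 1))
        done
    done

    echo "[=] $found Lotoor.b artifact(s) found"
    [ "$found" -eq 0 ]
}
```

A clean device returns exit status 0; any finding returns 1, so the function can be chained into an inventory script. Note that a legitimately rooted device may also carry a setuid shell, so treat the dropped helper files as the stronger indicator.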


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original program file (its location will depend on how the program originally penetrated the victim machine).
  2. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 6ec31587f26b999013cb423c604db046
SHA1: 514c44835086d874342d9e3b8b10d5372d2e74e5


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Aliases

Exploit.Linux.Lotoor.b (Kaspersky Lab) is also known as:

  • Trojan: Exploit-Generic.src (McAfee)
  • Heuristics.Broken.Executable (ClamAV)
  • Exploit.Linux.Lotoor (Ikarus)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Exploit:Linux/DroidRooter.A [FSE] (FSecure)