The-Binary Advisory


Friday, May 31, 2002
Christopher Gragsone <chris.gragsone@eds.com>

Summary

The-Binary has been found actively used in the wild, running under the process name [mingetty]. The-Binary acts as a relay, passing information from an attacker to a third party. The third party is most likely a binary which processes the commands. The-Binary uses IP protocols 11 and 255 to pass encrypted data and to avoid customary points of detection (e.g. firewalls).



Prevention

The covert channels the binary relays can be blocked by filtering IP protocols 11 and 255 at the firewall or other perimeter defense device.
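The following rule generator is an added example and is not part of the original advisory. It emits iptables rules for a Linux perimeter host that log and then drop the two IP protocols named above; the chain set, the logging prefix and the decision to log before dropping are this example's choices, and the rules must be reviewed against the site's existing policy before they are applied.

```shell
#!/bin/sh
# Added example (not from the advisory): emit iptables rules that drop the IP
# protocols The-Binary relays over (11 and 255). iptables accepts a numeric
# protocol with -p; chain names, logging and ordering are this example's choices.

BLOCKED_PROTOS="11 255"

# Print the rules for one protocol number on INPUT, FORWARD and OUTPUT.
# Logging first leaves a record of hosts that still try to use the channel,
# which is the detection signal a SOC wants after the block is in place.
rules_for_proto() {
    p=$1
    for chain in INPUT FORWARD OUTPUT; do
        printf 'iptables -A %s -p %s -j LOG --log-prefix "covert-proto-%s: "\n' "$chain" "$p" "$p"
        printf 'iptables -A %s -p %s -j DROP\n' "$chain" "$p"
    done
}

# Emit the complete rule script to stdout for review.
generate_rules() {
    for p in $BLOCKED_PROTOS; do
        rules_for_proto "$p"
    done
}

# Apply the reviewed rules (requires root on the firewall host).
apply_rules() {
    generate_rules | sh
}

# Show what would be applied.
generate_rules
```

Filtering at the perimeter only cuts the relay's channel; a host that still shows a raw socket bound to protocol 11 or 255 (see Detection) is still compromised and must be cleaned.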



Detection

To check whether a system is running the binary, run "netstat -an|grep raw" to review all open raw sockets.

[scarbaci@honeyp binary]# netstat -an|grep raw
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
This line shows evidence that the binary is listening on a raw socket using IP protocol 11.
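The script below is an added example, not part of the original advisory. It automates the check above and goes one step further than the text: besides parsing "netstat -an" output for raw sockets bound to protocols 11 and 255, it reads /proc/net/raw directly, which does not depend on the netstat binary on the suspect host being trustworthy and also yields the socket inode for mapping to a process. The watch list and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original advisory): flag raw sockets bound to
# the IP protocols The-Binary relays over. Two inputs are handled: the
# `netstat -an` text the advisory shows, and /proc/net/raw read directly.
# WATCH_PROTOS and both samples are constructed for this example.

WATCH_PROTOS="11 255"

# Constructed sample of `netstat -an` output, modelled on the advisory's line.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed sample of /proc/net/raw: the "port" half of local_address is the
# IP protocol number in hex (0001 = ICMP, 000B = 11, 00FF = 255).
SAMPLE_PROC_RAW='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001 2 00000000 0
   1: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20002 2 00000000 0'

# Reads `netstat -an` lines on stdin; prints each watched protocol number that
# is bound to a raw socket (for raw sockets the "port" column is the protocol).
flag_netstat_raw() {
    awk -v watch="$WATCH_PROTOS" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 == "raw" {
            n = split($4, a, ":")      # local address column, e.g. 0.0.0.0:11
            if (a[n] in want) print a[n]
        }'
}

# Reads /proc/net/raw on stdin; prints "PROTO INODE" for each watched protocol.
# The inode can be matched against /proc/*/fd/* links to find the owning PID.
flag_proc_raw() {
    awk -v watch="$WATCH_PROTOS" '
        function hex2dec(h,   i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return v
        }
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 ~ /^[0-9]+:$/ {
            split($2, a, ":")
            p = hex2dec(a[2])
            if (p in want) print p, $10
        }'
}

# Run both checks against the live host.
scan_host() {
    netstat -an 2>/dev/null | flag_netstat_raw
    [ -r /proc/net/raw ] && flag_proc_raw < /proc/net/raw
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_netstat_raw
printf '%s\n' "$SAMPLE_PROC_RAW" | flag_proc_raw
```

Any hit from either check warrants the Removal steps below; an empty result from netstat alone should not be trusted on a host where the attacker had root, which is why the /proc/net/raw path is included.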



Removal

Since the binary modifies its process name, it can be stored on the hard drive under any name. To find the location of the binary, the process id needs to be identified. To find the process id, run "ps -ef|grep mingetty".

[scarbaci@honeyp binary]$ ps -ef|grep mingetty
root      1448     1  0 Aug12 tty5     00:00:00 /sbin/mingetty tty5
root     32043     1  0 08:25 ?        00:00:00 [mingetty]
root     32073 21072  0 08:33 tty1     00:00:00 grep mingetty
In this example, The-Binary hides itself as "[mingetty]", which in this case has the process id 32043. With the process id, the location can be found by viewing the process's exe link in the /proc filesystem. To find the link, run "ls -l /proc/X/exe", where X is the process id.
[scarbaci@honeyp binary]$ ls -l /proc/32043/exe
lrwxrwxrwx    1 root     root            0 May 29 08:39 /proc/32043/exe -> /usr/swdev/binary/reverse/the-binary
First remove the binary from memory by sending it a kill signal.
[scarbaci@honeyp binary]$ kill -9 32043
Then remove the file from the system.
[scarbaci@honeyp binary]$ rm /usr/swdev/binary/reverse/the-binary
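The script below is an added example that is not part of the original advisory. It strings the four removal steps together and generalizes the grep for "mingetty": it lists every process whose entire command line is a single bracketed name, then resolves each through /proc/PID/exe. Genuine kernel threads also appear bracketed, but they have no exe target, so a bracketed process with a resolvable exe link is a userland program hiding behind a kernel-thread-style name. The sample ps output is constructed from the advisory's listing; EVIDENCE_DIR and the dry-run default are this example's choices.

```shell
#!/bin/sh
# Added example (not part of the original advisory): locate a process that
# masquerades as a kernel thread (bracketed name such as [mingetty]), resolve
# its on-disk file via /proc/PID/exe, preserve a copy, then kill and delete it.
# Defaults to a dry run; EVIDENCE_DIR and the sample are this example's choices.

EVIDENCE_DIR=${EVIDENCE_DIR:-/root/evidence}

# Constructed `ps -ef` sample based on the advisory's listing.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root      1448     1  0 Aug12 tty5     00:00:00 /sbin/mingetty tty5
root     32043     1  0 08:25 ?        00:00:00 [mingetty]
root     32073 21072  0 08:33 tty1     00:00:00 grep mingetty'

# From `ps -ef` output on stdin, print the PID of every process whose whole
# command is one bracketed name. Real kernel threads match too, so each PID
# must still be checked with exe_path: a kernel thread has no exe target.
bracketed_pids() {
    awk 'NF == 8 && $8 ~ /^\[.*\]$/ { print $2 }'
}

# Print the on-disk path behind a PID, or fail if there is none.
exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Print "PID PATH" for each bracketed process backed by a real executable.
find_masquerading() {
    for pid in $(bracketed_pids); do
        path=$(exe_path "$pid") || continue
        printf '%s %s\n' "$pid" "$path"
    done
}

# Copy the file for later analysis, stop the process, then delete the file.
# Pass "apply" as the second argument to act; anything else only prints the plan.
remove_binary() {
    pid=$1 mode=${2:-dry-run}
    path=$(exe_path "$pid") || return 1
    path=${path% (deleted)}           # readlink marks an already-unlinked file this way
    if [ "$mode" = apply ]; then
        mkdir -p "$EVIDENCE_DIR" && cp -p -- "$path" "$EVIDENCE_DIR/" 2>/dev/null
        kill -9 "$pid" && rm -f -- "$path"
    else
        printf 'would run: cp %s %s/; kill -9 %s; rm -f %s\n' "$path" "$EVIDENCE_DIR" "$pid" "$path"
    fi
}

# Live use:  ps -ef | find_masquerading      then  remove_binary <pid> apply
# Demonstration on the constructed sample (prints 32043):
printf '%s\n' "$SAMPLE_PS" | bracketed_pids
```

The copy into EVIDENCE_DIR is taken before the kill because the file may be unlinked or overwritten once the process notices it is being stopped; keeping it allows the relay's traffic format to be analysed later.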