Security Notice: hostile code analysis

Beginning on 6 May 2002, a Linux-specific malware sample was introduced to honeynet.edu. This program has been analyzed, with the following result:

Summary

"The-binary" acts as a remote command execution facility for an attacker. Rather than opening a TCP or UDP port, the-binary listens on a raw IP socket for IP protocol 11 (NVP-II, the Network Voice Protocol). This, coupled with a simple data-encoding scheme, makes the malware and its network traffic moderately difficult to detect or alarm on.

This malware is in all likelihood capable of running on most Linux distributions of the period: the executable is statically linked against libc5, so it depends on no installed libraries. Based on both observation of the program in action and a brief inspection of the binary, it does not appear to automatically make any substantial or nefarious changes to files or data. No worm behaviour has been observed, but the code does have the ability to open connections to other systems and could have unknown propagation capability.

Detection

Analysis of the binary and network-traffic intercepts provide the following clues to detection:
     executes a fork() call and changes its name, as seen by ps(1), to "[mingetty]", so that it resembles a kernel thread or the real getty program

     listens on a raw socket for IP protocol 11 packets (no TCP or UDP port is opened)

ps output:
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root     10527  0.0  0.0   244   72 ?        S    09:28   0:00 [mingetty]  

netstat -an output:
Proto Recv-Q Send-Q Local Address           Foreign Address         State 
raw        0      0 0.0.0.0:11              0.0.0.0:*               7           
The binary may be detected on the host by examining open network sockets (in the raw socket entry above the number after the colon is the IP protocol, not a port) and the contents of the process table. Its activity can also be observed with any packet logging or sniffing system, Snort, or another IDS; IP protocol 11 is essentially unused on real networks, so a filter on that protocol number isolates the traffic.
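The host-side checks above can be scripted. The following is an added example (not part of the original advisory) that parses the text of `ps aux` and `netstat -an`, using constructed samples built around the two lines quoted above, and flags a raw socket bound to IP protocol 11 or 255 together with any bracketed process name that owns user-space memory. Real kernel threads report a VSZ and RSS of 0, so a "[name]" entry with a non-zero VSZ is a process that has rewritten its own argv; treating that as an indicator is this example's heuristic, not the advisory's.

```python
"""Host-side checks for the indicators listed above.

Added example, not part of the original advisory. It parses `ps aux` and
`netstat -an` text (constructed samples below, built from the lines quoted
in the advisory) and flags:
  * a raw socket bound to IP protocol 11 (or 255, see Details),
  * a process whose name is bracketed like a kernel thread but which has a
    non-zero virtual size (kernel threads report VSZ 0 and RSS 0).
The 'bracketed name with memory' heuristic is the example's assumption.
"""

SUSPECT_PROTOCOLS = {11: "NVP-II", 255: "IANA reserved"}

# Constructed `ps aux` sample: the [mingetty] line is the one quoted in the
# advisory; the others are ordinary processes added for contrast.
PS_SAMPLE = """USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  1372  488 ?        S    09:27   0:00 init [3]
root         2  0.0  0.0     0    0 ?        SW   09:27   0:00 [keventd]
root       401  0.0  0.0  1288  420 tty1     S    09:27   0:00 /sbin/mingetty tty1
root     10527  0.0  0.0   244   72 ?        S    09:28   0:00 [mingetty]
"""

# Constructed `netstat -an` sample: the protocol-11 line is the one quoted
# above; the protocol-255 line models the forked child described in Details.
NETSTAT_SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
raw        0      0 0.0.0.0:11              0.0.0.0:*               7
raw        0      0 0.0.0.0:255             0.0.0.0:*               7
"""


def suspicious_processes(ps_text):
    """Return (pid, command) for processes that look like kernel threads
    ([name]) yet have a user-space memory footprint (VSZ > 0)."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 10)              # 11 columns, COMMAND last
        if len(fields) < 11:
            continue
        pid, vsz, command = int(fields[1]), int(fields[4]), fields[10]
        if command.startswith("[") and command.endswith("]") and vsz > 0:
            hits.append((pid, command))
    return hits


def raw_sockets(netstat_text):
    """Return {ip_protocol: local_address} for every raw socket listed.
    For raw sockets netstat prints the IP protocol number where a TCP/UDP
    port would otherwise appear."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "raw":
            continue
        addr, _, proto = fields[3].rpartition(":")
        found[int(proto)] = addr
    return found


def host_indicators(ps_text, netstat_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for proto, addr in sorted(raw_sockets(netstat_text).items()):
        if proto in SUSPECT_PROTOCOLS:
            findings.append(f"raw socket on IP protocol {proto} "
                            f"({SUSPECT_PROTOCOLS[proto]}) bound to {addr}")
    for pid, command in suspicious_processes(ps_text):
        findings.append(f"pid {pid} shows as {command} but has a "
                        f"user-space memory footprint")
    return findings


if __name__ == "__main__":
    for finding in host_indicators(PS_SAMPLE, NETSTAT_SAMPLE):
        print("FINDING:", finding)
```

On a live system the two samples would be replaced by the output of `ps aux` and `netstat -an` (or the contents of /proc/net/raw); the parsing is column-based so it does not depend on the exact widths shown above.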

Advisory

The subject malware provides a root-level remote execution and reporting facility to an attacker. Any system on which this binary is found should be recovered using standard techniques (http://www.cert.org). Forensic capture of the attack, or archiving of the system's state before it is rebuilt, may also be desirable.

At present it appears that the Detection metrics above and the Details below cover all of the important features of the binary. It is possible that additional actions are built in, and there are a few clues that this binary may be an experiment that includes additional control or propagation facilities.

Probably the strongest evidence against this possibility is the apparent fact that, outside of the Honeynet Project and its release in the Reverse Challenge, there are no known reports of this code having propagated in the wild.

Recommendations

Based on the apparently random selection of reply-to addresses, it is highly likely that this attack would be employed against targets where the attacker is able to sniff the target's network traffic, since replies sent to random addresses are of no use to an attacker who cannot see them in transit. Any organization which finds it has been penetrated with this binary may therefore wish to review the access security of its infrastructure and ISP connection.

Details

The binary has been run successfully under controlled conditions, providing sufficient data for a reasonable understanding of its operation. It is remotely activated by sending specific commands over raw IP. After accepting a 'wakeup call' from the remote attacker it will accept encoded shell commands, and it sends the (partial) results of those commands back to (seemingly) randomly selected IP addresses.

Because it runs with root privilege (and must, in order to open a raw IP socket at all) the remote attacker can probably obtain complete control of a compromised system.

There seem to be a few flaws in the code (or possibly additional capabilities). While various experimental control data was being sent to the binary, on several occasions it forked a new process which listened on a raw socket for protocol 255 (IANA reserved). This process never appeared to read any data sent to it. Also, while the binary takes care to encode its command replies, a portion of the plaintext command output is replicated in the tail end of the reply packets. This may simply be the result of reusing a data buffer without clearing it.

This malware has the appearance of containing experimental facilities for more advanced or virulent propagation. While no such facilities were observed in practice, they may be suggested by the use of what appears to be a command byte in the network data: the incoming data provided by the Honeynet Project used the byte 0x02, while outgoing data, both the traffic provided in the challenge and that observed in practice, used the byte 0x03.
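The network side of what the Details describe, as an added example that is not part of the original advisory or of the Honeynet Project's materials: it constructs a few IPv4 packets, decodes and checksum-verifies the header of each, and alerts on the two protocol numbers associated with the binary (11 for the command channel, 255 for the forked child). The advisory does not say where the 0x02/0x03 command byte sits in the payload; this example assumes it is the first payload byte, and the addresses and payload contents are made up for the sample.

```python
"""Network-side triage for the raw-IP traffic described above.

Added example, not code from the advisory or the Honeynet Project. It
decodes IPv4 headers from raw packet bytes, checks the header checksum,
and alerts on the two IP protocols the advisory associates with the binary.
The position of the 0x02/0x03 'command byte' is an assumption (first
payload byte); the advisory only reports that those values were seen.
"""
import socket
import struct

SUSPECT_PROTOCOLS = {11: "NVP-II", 255: "IANA reserved"}
# Assumed meaning of the first payload byte, from the values quoted above.
COMMAND_BYTES = {0x02: "inbound command", 0x03: "outbound reply"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose
    checksum field is already correct."""
    total = 0
    for i in range(0, len(header), 2):
        word = header[i] << 8
        if i + 1 < len(header):
            word |= header[i + 1]
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a minimal IPv4 packet (20-byte header, no options)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet: bytes):
    """Decode header and payload, or return None if the bytes are not a
    well-formed IPv4 datagram (wrong version, short header, bad checksum)."""
    if len(packet) < 20:
        return None
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = fields[0] >> 4, (fields[0] & 0x0F) * 4
    total_len, proto, src, dst = fields[2], fields[6], fields[8], fields[9]
    if version != 4 or ihl < 20 or len(packet) < ihl or total_len < ihl:
        return None
    if ipv4_checksum(packet[:ihl]) != 0:
        return None
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": packet[ihl:total_len]}


def inspect(packet: bytes):
    """Alert record for a packet on a suspect IP protocol, else None."""
    hdr = parse_ipv4(packet)
    if hdr is None or hdr["proto"] not in SUSPECT_PROTOCOLS:
        return None
    first = hdr["payload"][0] if hdr["payload"] else None   # assumed command byte
    return {"proto": hdr["proto"], "name": SUSPECT_PROTOCOLS[hdr["proto"]],
            "src": hdr["src"], "dst": hdr["dst"], "command_byte": first,
            "direction": COMMAND_BYTES.get(first, "unknown")}


def scan(packets):
    """Run inspect() over a capture and keep only the alerts."""
    return [alert for alert in map(inspect, packets) if alert is not None]


# Constructed sample capture: an ordinary TCP packet that must not alert, a
# protocol-11 command packet, the protocol-11 reply sent to an unrelated
# address, and a protocol-255 packet like the one the forked child listens
# for. Addresses and payload bytes are made up.
SAMPLE_PACKETS = [
    build_ipv4(6, "10.0.0.5", "10.0.0.10", bytes(20)),
    build_ipv4(11, "10.0.0.5", "10.0.0.10", b"\x02" + b"encoded-command"),
    build_ipv4(11, "10.0.0.10", "198.51.100.77", b"\x03" + b"encoded-reply"),
    build_ipv4(255, "10.0.0.5", "10.0.0.10", b"\x00"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print("ALERT:", alert)
```

The same match expressed in Snort is a rule using the `ip_proto` keyword on protocol 11; the checksum check in parse_ipv4 is there so that a corrupt or truncated capture record is dropped rather than reported with a bogus address.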

Further details may be found at analysis.html

Author / contact

Forrest Whitcher 31 May, 2002 fw_sec@fwsystems.com

Copyright © 2002 FW Systems LLC, All Rights Reserved