29 May 2002 - HoneyNet Reverse Challenge Advisory

New Covert Blackhat DDoS/Backdoor Advisory

Introduction

Earlier this year, a new Distributed Denial of Service (DDoS) / backdoor combination was captured by the Honey Pot University. This tool has recently been analysed and its details released.

The tool that was found was a single Linux-based binary. It is believed to have been in the wild since at least August 2001.

What's new?

The binary that was analysed contains many similarities to previously disclosed DDoS programs, but has a few differences:

While none of these concepts are anything new, their implementation in the wild is something to be concerned about.

Potential targets

Analysis of the binary indicates that this tool is Internet based. Any unprotected computer system connected to the Internet is therefore potentially a victim, either to infection, or DoS attack.

The target platform for the captured binary was Linux; however, it is quite possible that it also exists for other operating systems.

Detection

The particular binary found by the HoneyNet team can be detected locally on Linux systems as follows:

exploit-dev:/reverse# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
raw 0 0 0.0.0.0:11 0.0.0.0:* 7

As can be seen, a raw socket listening on IP protocol 11 is the best indication that this binary is running. Other methods include looking for unusual processes running as root, particularly one named [mingetty] (which is also the name of a legitimate program).

It is possible an attacker may also trojan various system binaries such as netstat and ps to help conceal the presence of the tool.

Network traffic can also be monitored for uncommon IP protocols, especially protocol 11. ICMP Protocol Unreachable errors destined for machines on a network may also indicate the presence of this tool.
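The local check above can be automated by reading the kernel's raw-socket table directly rather than trusting the netstat binary, which the advisory notes may itself have been trojaned. The following is an added example, not code from the advisory or the HoneyNet team; the /proc/net/raw sample is constructed, and the allowlist of expected raw-socket protocols is an assumption to tune per host. It generalises the protocol-11 indicator to any raw socket bound to a protocol the host is not expected to use.

```python
from typing import List, Tuple

# Constructed sample of /proc/net/raw, the table that "netstat -na" reads to
# print its "raw" lines. For raw sockets the "port" half of local_address is
# the IP protocol number in hex; state 07 is what netstat prints as "7".
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10532 2 0000000000000000 0
   1: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10977 2 0000000000000000 0
"""

# Raw-socket protocols this host is expected to hold open (assumption: ICMP only).
EXPECTED_RAW_PROTOCOLS = {1}


def hex_addr_to_ip(h: str) -> str:
    """Decode the little-endian 32-bit hex IPv4 address used in /proc/net/*."""
    n = int(h, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def parse_proc_net_raw(text: str) -> List[Tuple[str, int, int, int]]:
    """Return (local_ip, protocol, uid, inode) for every raw socket entry."""
    entries = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip_hex, proto_hex = fields[1].split(":")
        entries.append((hex_addr_to_ip(local_ip_hex), int(proto_hex, 16),
                        int(fields[7]), int(fields[9])))
    return entries


def suspicious_raw_sockets(text: str, expected=EXPECTED_RAW_PROTOCOLS):
    """Raw sockets bound to an IP protocol outside the allowlist.

    Protocol 11 is the advisory's indicator; any other unexplained raw
    socket, particularly one owned by uid 0, warrants the same scrutiny.
    The inode can be matched against /proc/<pid>/fd to find the owning process.
    """
    return [e for e in parse_proc_net_raw(text) if e[1] not in expected]


if __name__ == "__main__":
    # On a live host replace the sample with open("/proc/net/raw").read().
    for ip, proto, uid, inode in suspicious_raw_sockets(SAMPLE_PROC_NET_RAW):
        print(f"raw socket on {ip} protocol {proto} uid {uid} inode {inode}")
```

Reading /proc directly defeats a replaced netstat binary but not a kernel-level rootkit, so a positive result from the network-side checks described above should still be used to corroborate.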

Removal

If this tool is detected on a system, it should be assumed that the system has been root-compromised, and anything short of a full reinstallation cannot guarantee the attacker's removal. Reinstallation alone may also not solve the problem until the means by which the attacker obtained root access in the first place has been identified and closed.

Protection

New variants of this binary that use different network protocols are a very real possibility, which would make detection very difficult. The best defence is obviously not to allow attackers to gain root access on systems that do not belong to them. A properly configured firewall, designed to block all traffic except what is absolutely necessary, will also minimise the risk associated with this tool.

DDoS Attacks

The attacks contained within this binary include the following:

All of these network attacks have been discussed in the past. The only new element is their implementation in a distributed format. It is unclear how widespread this tool has become, so the strength of these attacks cannot be properly gauged at present.