summary.html
~~~~~~~~~~
[Overview]
The analysed binary appears to be a sophisticated remote administration
tool which, once installed on a computer running the Linux operating system, can be used
later to gain unauthorised root access to that system and can be remotely instructed to
perform several types of "flooding" denial-of-service attacks against specified
IP address(es).
Such attacks consist of a stream of connection requests aimed at the target server.
Even a relatively small flood of bogus packets will tie up memory, CPU and applications on many
systems, resulting in denied access for legitimate users and sometimes shutting down a server.
The binary provides the attacker with the most common and powerful types of flooding attacks.
A single host launching a small SYN flood at its maximum rate can overload a remote host and
cause significant damage.
The attacker remains anonymous and does not need to consume his own network resources,
since all attacks use the bandwidth of the compromised system.
These attacks are made possible by exploiting flaws in common Internet protocols. They do not
depend on the victim's operating system or installed software, as they operate at the network level.
Most network devices (including routers and NICs) are limited by packet processing rate,
and an attacker will generally send small packets as quickly as possible to overload the
network. These attacks cause legitimate packets to be dropped as network routers struggle
to keep up with the combination of bogus and legitimate packets. Making them more difficult
to resolve or prevent is the fact that attack traffic generally appears to be no different
from legitimate user traffic.
The "backdoor" feature of the installed binary gives an attacker who knows the
password access to the compromised system at the administrator level.
The rest of the interaction is performed using a client-server architecture.
The attacker has a client and constructs commands for the server (the-binary). The client sends
specially crafted packets instructing the server to execute arbitrary commands,
choose attack types (TCP, DNS or UDP/ICMP flood) and target hosts.
Simple encryption is used for all incoming commands and outgoing results.
The binary runs on a system under the name "[mingetty]", pretending
to be a harmless common Unix daemon. No other trojan/worm or destructive functions are
implemented; however, the threat to the compromised system is now very high,
since the attacker could take any action on the system, such as deleting data
or adding new users with root access.
[Detecting and Defending]
The best way to avoid the installation of such tools on your system is to stop them
before they enter your system. To install a remote-access binary, an intruder still
must gain unauthorized root access to your server using traditional methods, such as
exploiting known vulnerabilities or even practicing social engineering to get the
password information from a well-meaning person who happens to have it.
Once the binary is installed, how quickly it is found depends only on the system administrator.
It is always important for him to determine the role of the tools currently installed
on the system. A new daemon appearing in the process list should immediately draw the administrator's
attention. Then, even just by retrieving text strings from the binary, it should be obvious
that the thing is bogus. The program should be disabled and a copy passed to security
experts for forensic analysis and identification. Once done, a unique fingerprint of the
binary can be produced and added to a database of known malware.
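Added example (not code from the original analysis) of the process-list check described above: it flags processes that present themselves like kernel threads, as the binary does with "[mingetty]", yet are backed by a user-space executable. The Proc record, the /proc heuristic and the sample records are assumptions constructed for this example.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic (assumed for this example): a genuine kernel thread has an empty
# /proc/<pid>/cmdline, so `ps` prints its comm in brackets, and no readable
# /proc/<pid>/exe link. A user-space binary fails at least one of those tests.
BRACKETED = re.compile(r"^\[[^\]]+\]$")

@dataclass
class Proc:
    pid: int
    cmdline: str          # argv joined with spaces; "" for kernel threads
    exe: Optional[str]    # target of /proc/<pid>/exe; None if absent/unreadable

def is_masquerading(p: Proc) -> bool:
    """True when a process looks like a kernel thread but is not one."""
    name = p.cmdline.strip()
    # Bracketed argv[0] (kernel threads have no argv), or argv wiped but a binary backs it.
    return bool(BRACKETED.match(name)) or (name == "" and p.exe is not None)

def masquerading(procs: List[Proc]) -> List[Proc]:
    return [p for p in procs if is_masquerading(p)]

def read_proc() -> List[Proc]:
    """Snapshot live processes from /proc (Linux; other users' exe links need root)."""
    procs = []
    for pid in (int(e) for e in os.listdir("/proc") if e.isdigit()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue          # process exited between listdir and open
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None        # kernel thread/zombie (ENOENT) or no privilege (EACCES)
        procs.append(Proc(pid, cmdline, exe))
    return procs

SAMPLE = [  # constructed records, not output captured from the analysed system
    Proc(2, "", None),                                    # genuine kernel thread
    Proc(500, "/sbin/mingetty tty1", "/sbin/mingetty"),   # genuine getty
    Proc(1234, "[mingetty]", "/tmp/.hidden/the-binary"),  # disguised; placeholder path
]
if __name__ == "__main__":
    for p in masquerading(SAMPLE):  # on a live host: masquerading(read_proc())
        print(f"suspicious pid {p.pid}: {p.cmdline!r} exe={p.exe}")
```

Without root, read_proc() cannot resolve other users' exe links, so a process that wiped its argv is only caught when the check runs with sufficient privilege.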
The next and most important thing for the administrator to do is to find out how the
system was initially compromised. Look for evidence of intrusions in logs, IDS systems,
etc.
To prevent future threats, remain current with security-related patches to operating systems
and application software. Follow security best practices when administering networks and
systems.
The existence of such attacks and tools shows that someone's security
(or lack of it) can cause serious harm to others, even if intruders do no
direct harm to the initially compromised system.
Defending against flooding attacks likewise requires many parties to participate.
All providers of Internet connectivity should implement packet filtering
to prohibit attackers from using forged source addresses that do not reside
within the legitimately advertised network range.
An additional benefit of implementing this type of filtering is that
it enables the originator to be easily traced to its true source,
since the attacker would have to use a valid, and legitimately
reachable, source address.