27 May 2002

New Blackhat DDoS / Backdoor Warning

Earlier this year, a new tool combining a Distributed Denial of Service (DDoS) agent and a backdoor was captured by the Honey Pot University. The tool has only recently been analysed and its details released.

The captured tool was built to run on Linux, although it is quite possible that versions exist for other UNIX-based operating systems. The key signature of this backdoor is that it communicates over unusual network traffic rather than an ordinary listening service, which is what lets it slip past many filters.

This 'feature' of the backdoor has some new implications:

The backdoor component of the tool gives a remote attacker the ability to execute commands on an already compromised machine. Combined with a communications channel that is hard to detect and passes through many firewalls, this raises new possibilities for supposedly 'protected' machines to be backdoored and controlled from outside.

The DDoS component of the tool also poses a very significant threat to the general Internet community. An attacker with enough 'zombie' machines running this tool can direct sustained network DoS attacks against a victim. The attack traffic can in all cases be sent with forged (spoofed) source addresses, which makes tracing and stopping a large attack extremely difficult.

Detection of this tool's presence is best done by watching the network for traffic that does not match the services a host is supposed to provide, and for protocol errors or oddities that normal clients would not generate. Protection against this particular tool can be achieved through a properly configured firewall that blocks all traffic, inbound and outbound, except what the network actually needs. Filtering outbound packets whose source address does not belong to your own network also prevents your hosts from taking part in a spoofed-source attack.
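The following is an added example of the kind of check described above; it is not code from the advisory or from the analysed tool. It parses raw IPv4 packets and reports anything that is not on an allow-list of expected services, anything with a source address that should never arrive from the Internet, and anything malformed. The allow-list (ICMP, TCP/22, TCP/80, UDP/53), the IP protocol number 253 (reserved for experiments) and the sample packets are all constructed for the example; the real tool's traffic may look different.

```python
import struct
import ipaddress

# Traffic a hypothetical server is expected to receive. This policy is an
# assumption for the example, not taken from the advisory. A value of None
# means "any port" (ICMP has no ports).
ALLOWED = {
    1: None,        # ICMP
    6: {22, 80},    # TCP destination ports
    17: {53},       # UDP destination ports
}
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Source ranges that should never show up on an external interface.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def build_ipv4(proto, src, dst, payload=b""):
    """Assemble a minimal IPv4 packet (20-byte header, no options) for sample traffic."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    # Header checksum: one's-complement sum over the header with the field zeroed.
    csum = sum(struct.unpack("!10H", header))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    csum = ~csum & 0xFFFF
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def tcp_udp_payload(sport, dport):
    """Start of a TCP/UDP header: source and destination port, then padding."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def classify(packet, external=True):
    """Return a list of findings for one raw IPv4 packet; empty means 'looks normal'."""
    findings = []
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["malformed: not an IPv4 packet"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ["malformed: header length"]
    # A valid header sums (with the checksum field included) to 0xFFFF.
    csum = sum(struct.unpack("!%dH" % (ihl // 2), packet[:ihl]))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    if csum != 0xFFFF:
        findings.append("malformed: bad header checksum")
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if external and any(src in net for net in BOGON_SOURCES):
        findings.append("spoofed-looking source %s on external interface" % src)
    if proto not in ALLOWED:
        findings.append("unexpected IP protocol %d from %s to %s" % (proto, src, dst))
    elif ALLOWED[proto] is not None:
        if len(packet) < ihl + 4:
            findings.append("malformed: truncated %s header" % PROTO_NAMES[proto])
        else:
            dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
            if dport not in ALLOWED[proto]:
                findings.append("unexpected %s port %d from %s to %s"
                                % (PROTO_NAMES[proto], dport, src, dst))
    return findings


def scan(packets, external=True):
    """Run classify() over a capture; return (index, findings) for packets worth a look."""
    results = []
    for i, p in enumerate(packets):
        f = classify(p, external)
        if f:
            results.append((i, f))
    return results


# Constructed sample capture (not real traffic): two normal packets, then oddities.
SAMPLE_TRAFFIC = [
    build_ipv4(6, "198.51.100.7", "203.0.113.10", tcp_udp_payload(40000, 80)),    # web hit
    build_ipv4(17, "198.51.100.7", "203.0.113.10", tcp_udp_payload(40001, 53)),   # DNS query
    build_ipv4(253, "198.51.100.9", "203.0.113.10", b"\x00" * 16),                # odd IP protocol
    build_ipv4(6, "198.51.100.9", "203.0.113.10", tcp_udp_payload(40002, 8888)),  # unexpected port
    build_ipv4(6, "10.0.0.5", "203.0.113.10", tcp_udp_payload(40003, 80)),        # bogon source
    b"\x45\x00\x00",                                                               # truncated packet
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_TRAFFIC):
        for f in findings:
            print("packet %d: %s" % (index, f))
```

In practice the same checks would be run over packets pulled from a capture file or a sniffing socket; the point is that the allow-list is written from the network's real needs, so a backdoor channel that is not TCP or UDP to a known service stands out immediately, and a zombie emitting packets with a source address from outside your own range stands out just as clearly on the outbound side.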

As usual, an attacker first needs some form of access to a computer system that allows them to run this tool at all. Preventing unauthorised persons from gaining that access is still the key to defeating them.