Advisory

Abstract

A new attack tool used by the blackhat community has been discovered and reverse engineered. It turns out that our network has been used as a slave in a Distributed Denial of Service (DDoS) attack. Along with the DDoS features, the tool also allows a remote hacker to take over the system completely by means of a root shell bound to a port, and to execute single commands.

Detecting an infection on network scale

First of all, make sure you watch your network for traffic on non-standard IP protocols: this tool uses IP protocol 11 (NVP) to distribute its commands, but variants could use another protocol. You can easily configure snort to warn you when this kind of traffic is detected by enabling the 'Non-Standard IP protocol' and 'Unassigned/Reserved IP protocol' rules in the bad-traffic.rules file.
Other signs of an infection are attempted DoS attacks launched from these machines. Most of these attacks use spoofed source addresses, so make sure your router or firewall logs and blocks all spoofed packets that clients attempt to send out. See RFC 2827 for more information.

Detecting an infection at a host

If a host is infected it is listening for data on a non-standard IP protocol. You can check for this by running netstat -an | egrep ^raw and looking for protocols other than tcp, udp and icmp in the output. Example on an infected machine:
testbox:~# netstat -a | egrep ^raw
raw        0      0 *:11                    *:*                     7
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
The line that says *:11 means the host is listening for protocol 11, so this machine is infected!
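The check described above, as an added example that is not part of the original advisory: a small Python script that parses the netstat raw-socket output and the Linux /proc/net/raw table and flags any raw socket bound to a protocol other than tcp, udp or icmp. The sample lines are constructed, and the /proc/net/raw column layout (protocol number in hex after the colon of local_address, inode in the tenth column) is an assumption about current Linux kernels.

```python
import re

# Protocols a normal host is expected to hold raw sockets for (as in the advisory).
EXPECTED = {"tcp", "udp", "icmp"}
ALLOWED_NUMBERS = {1, 6, 17}   # icmp, tcp, udp

# Constructed sample, mirroring the infected-machine output in the advisory.
NETSTAT_SAMPLE = """\
raw        0      0 *:11                    *:*                     7
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
"""

# Constructed /proc/net/raw sample (assumed Linux layout: the hex field after the
# colon in local_address is the IP protocol number, so 000B means protocol 11).
PROC_RAW_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 193 2 0000000000000000 0
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 194 2 0000000000000000 0
"""

def suspicious_netstat(text):
    """Protocols from 'netstat -a | egrep ^raw' lines that are not in EXPECTED."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "raw":
            continue
        proto = fields[3].rsplit(":", 1)[-1]   # '*:11' -> '11', '*:icmp' -> 'icmp'
        if proto not in EXPECTED:
            found.append(proto)
    return found

def suspicious_proc_raw(text):
    """(protocol number, inode) for /proc/net/raw sockets outside ALLOWED_NUMBERS."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+:\s+[0-9A-Fa-f]{8}:([0-9A-Fa-f]{4})\s", line)
        if not m:
            continue                             # header or unexpected line
        proto = int(m.group(1), 16)
        if proto not in ALLOWED_NUMBERS:
            found.append((proto, line.split()[9]))  # field 9 is the inode
    return found

if __name__ == "__main__":
    # On a live host, read open('/proc/net/raw').read() instead of the sample.
    print("netstat:", suspicious_netstat(NETSTAT_SAMPLE))
    print("/proc/net/raw:", suspicious_proc_raw(PROC_RAW_SAMPLE))
```

The inode reported for a flagged socket can be matched against lsof output to find the owning process, as the next section does by hand.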

Identifying the process

The tool usually hides itself as a [mingetty] process. This way it pretends to be a swapped-out process, but it is not one: in the ps aux output, look for processes called [mingetty] that either have a higher PID than the other mingetty processes or do not have the W flag set. Another method of identifying the process the attack tool is running under is to use lsof to list open files.
testbox:/proc# lsof | grep raw
the-binar 194 root    0u   raw                        193 00000000:000B->00000000:0000 st=07
This shows that the machine is infected and that the tool is running as PID 194.

Cleaning an infection

When a machine is infected this means not only that the attack tool is running there, but also that there is a remotely exploitable hole in the machine; otherwise the tool could not have been installed! Be sure to update the machine with all vendor supplied patches before bringing it back onto the network. You could use a tool like Nessus to test the machines in your network for remotely exploitable holes. After you are sure the system is secure again, remove the tool by killing its process and removing the binary from the system.

Being prepared for attacks

An important part of securing systems is to be prepared for attacks and to know the hacker's tools. Be sure you are subscribed to the same mailing lists the blackhats are subscribed to (e.g. bugtraq) and regularly monitor webpages that contain exploits (for example Packetstorm) to discover trends and other information on the tools that WILL be used against you some day!

Conclusion

We have to take better care of keeping all of our systems secure: the fact that machines have been infected by this tool indicates that they were vulnerable to remotely exploitable attacks. Be sure to install snort rules to detect infections by this tool on a network scale, and install firewall rules that will block IP spoofing from within our network. Please report the vulnerabilities you find on the machines you clean of the DDoS tool, to allow better security monitoring on our network.