The Reverse Challenge Results


*******************************************************************
*                                                                 *
*         The "Nazgul" Attack tool: Technical Advisory            *
*                                                                 *
*******************************************************************

By G. Lamastra, P. Abeni, D. Sestito, E. Caprella
   F. Frosali, F. Coda Zabetta, G. Cangini
Be-Secure, Telecom Italia Labs
May 5th, 2002

The following advisory discusses the characteristics of the nazgul
attack tool. This is a binary caught in the wild on a compromised
Linux host; its name has been derived from the *nazgul* string
which has been identified in the .data portion of the binary.

The binary is a statically linked ELF executable; after reverse
engineering its source code, we conclude that it is the zombie
server of a Distributed Denial-of-Service network.

The nazgul communication protocol is based on IP protocol 11;
hence, the binary requires root privilege to run in order to
successfully issue the raw socket syscall. Nazgul packets have
the following structure:
- 2 bytes of "signature" (payload[0] = 0x02, payload[1] = any)
- X bytes of data
The total size of the packet must be greater than 200 bytes,
otherwise the packet is not accepted.
The data is descrambled with the following function (C notation;
L is the payload length, and byte arithmetic wraps modulo 256):

  void descramble(const unsigned char *scrambled,
                  unsigned char *clear, int L)
  {
      int i;
      /* the first data byte only has the constant removed */
      clear[2] = scrambled[2] - 23;
      /* every later byte also depends on the previous scrambled byte */
      for (i = 3; i < L; i++)
          clear[i] = scrambled[i] - scrambled[i-1] - 23;
  }

The fourth byte (payload[3]) is a command code ranging between
1 and 12, which is used to select different functionalities and
attacks.

The zombie can execute 4 different kinds of attacks:
- A TCP SYN Flood against a given host:port
- An ICMP flood against a given host
- A DNS Flood attack against a given host
- A DNS Flood attack against a set of 8000 hosts hard-coded in
  the binary program
  
Moreover, the zombie can execute a command on the victim host,
optionally providing the output data (from both stdout and stderr).
The data is obfuscated with a function which is the inverse
of the scramble function.

As a last option, the zombie may spawn a password protected shell
on port 23281; the password has also been obfuscated and is equal
to SeNiF; the corresponding obfuscated string revealed in the binary
is TfOjG (SeNiF where each letter is substituted with the next in
the alphabet).

The binary can be recognized from the following strings:
 *nazgul*
 TfOjG
 [mingetty]
 @(#) The Linux C library 5.3.12

When active on the victim, the process will mask its presence by
changing its argv[0] to "[mingetty]". This is what will show up
in ps, top or other similar commands. If the exe link in the
/proc/<pid>/ directory is checked, it is easy to recognize
that it is not mingetty that is executing.
If the system has been trojaned, it is possible to use the client
we developed to send the shell-spawning command; this opens
TCP port 23281, which will show up in an NMap scan or a netcat probe.
This is another signature of the Nazgul presence.
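The /proc check described above, as an added example that is not part of the original advisory: it reads argv[0] from /proc/PID/cmdline and compares it with the target of the /proc/PID/exe link. The decision logic is separated from the /proc walk so it can be exercised on constructed values; the path "/tmp/nazgul-placeholder" used below is a made-up placeholder, not a path from the page.

```python
"""Added example: spot processes that present themselves as [mingetty]
but whose /proc/PID/exe link points somewhere else (or cannot be read)."""
import os
from typing import List, Optional, Tuple

DISGUISE = "[mingetty]"          # argv[0] used by the zombie (from the advisory)
REAL_NAME = "mingetty"           # basename a genuine mingetty executable would have


def is_suspicious(argv0: str, exe_target: Optional[str]) -> bool:
    """Return True when argv[0] claims to be [mingetty] while the exe link
    does not resolve to a mingetty binary.  An unreadable or missing exe
    link (exe_target is None) is also treated as suspicious, since a
    genuine getty started by init has a readable link for root."""
    if argv0 != DISGUISE:
        return False
    if exe_target is None:
        return True
    # readlink reports "/path/to/file (deleted)" for unlinked binaries;
    # such a process is flagged as well, because its basename no longer
    # equals "mingetty".
    return os.path.basename(exe_target) != REAL_NAME


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, Optional[str]]]:
    """Walk proc_root and return (pid, argv0, exe_target) for every process
    that is_suspicious() flags.  Returns [] when proc_root does not exist."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue                      # process vanished or unreadable
        try:
            exe = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            exe = None                    # permission denied or no exe
        if is_suspicious(argv0, exe):
            hits.append((pid, argv0, exe))
    return hits


if __name__ == "__main__":
    for pid, argv0, exe in scan_proc():
        print(f"pid {pid}: argv[0]={argv0!r} exe={exe!r}")
```

Run as root so that every /proc/PID/exe link is readable; otherwise unreadable links of other users' processes are reported too, which is noisy but safe.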

In order to limit the exposure to this binary, it is possible to
filter inbound/outbound IP protocol 11 and inbound connections to
port 23281/tcp.
These are two possible rules for an IDS:
- IP.Protocol == 11 and (payload[0] == 0x02 || payload[0] == 0x03)
- TCP.port = 23281
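The packet structure and descramble routine given earlier, together with the first IDS rule above, as an added example that is not part of the original advisory. The parser applies the protocol-11, signature and size checks, descrambles the payload and reads the command code from payload[3]; the example assumes the command code is read after descrambling, which the advisory does not state explicitly. The sample packet is constructed here with the inverse (scramble) routine and contains made-up argument bytes, not data from a real capture.

```python
"""Added example: a detector for Nazgul control packets based on the
structure described in the Be-Secure advisory."""
from typing import Dict, Optional

NAZGUL_PROTO = 11      # IP protocol number carrying the zombie traffic
SIG_COMMAND = 0x02     # payload[0] of a command packet
SIG_OTHER = 0x03       # second signature value matched by the advisory's IDS rule
MIN_LEN = 201          # total size must be greater than 200 bytes
KEY = 23               # constant used by the (de)scramble routine


def descramble(payload: bytes) -> bytes:
    """Advisory's algorithm: clear[2] = s[2] - 23,
    clear[i] = s[i] - s[i-1] - 23 for i >= 3.  Bytes 0 and 1 (the
    signature) are copied unchanged; arithmetic wraps modulo 256."""
    clear = bytearray(payload)
    if len(payload) > 2:
        clear[2] = (payload[2] - KEY) & 0xFF
    for i in range(3, len(payload)):
        clear[i] = (payload[i] - payload[i - 1] - KEY) & 0xFF
    return bytes(clear)


def scramble(clear: bytes) -> bytes:
    """Inverse of descramble(); used here only to build a test vector."""
    out = bytearray(clear)
    if len(clear) > 2:
        out[2] = (clear[2] + KEY) & 0xFF
    for i in range(3, len(clear)):
        out[i] = (clear[i] + out[i - 1] + KEY) & 0xFF
    return bytes(out)


def parse_packet(ip_proto: int, payload: bytes) -> Optional[Dict]:
    """Return a description of a Nazgul packet, or None when the packet
    does not satisfy the advisory's protocol, size and signature checks."""
    if ip_proto != NAZGUL_PROTO or len(payload) < MIN_LEN:
        return None
    if payload[0] not in (SIG_COMMAND, SIG_OTHER):
        return None
    clear = descramble(payload)
    cmd = clear[3]
    return {
        "signature": payload[0],
        "command": cmd,
        "command_valid": 1 <= cmd <= 12,   # advisory: codes range 1..12
        "data": clear[4:],                  # remaining descrambled bytes
    }


def build_sample_command(cmd: int, args: bytes) -> bytes:
    """Constructed test vector (not a real capture): signature, one
    unused byte, the command code, made-up argument bytes, zero padding
    to the minimum accepted size, then scrambled as the zombie expects."""
    clear = bytes([SIG_COMMAND, 0x00, 0x00, cmd & 0xFF]) + args
    clear = clear.ljust(MIN_LEN, b"\x00")
    return scramble(clear)


if __name__ == "__main__":
    pkt = build_sample_command(5, b"constructed-args")
    print(parse_packet(NAZGUL_PROTO, pkt))
```

The descramble depends on the previous scrambled byte, so a single corrupted byte in a capture garbles only the next byte; this is useful to know when decoding partial traffic.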

We believe that it is sufficient to remove the binary to sanitize
the system; however, since this zombie is usually installed after
a full root compromise, we cannot make any assumptions about other
system components; hence a full reinstall should be performed.
