The Reverse Challenge Results


*******************************************************************
*                                                                 *
*         The "Nazgul" Attack tool: Non-technical Summary         *
*                                                                 *
*******************************************************************

By G. Lamastra, P. Abeni, D. Sestito, E. Caprella
   F. Frosali, F. Coda Zabetta, G. Cangini
Be-Secure, Telecom Italia Labs
May 5th, 2002

The following note summarizes the essential characteristics of the
Nazgul Attack Tool, the zombie (agent) component of a distributed
denial-of-service network.
The binary is statically linked and contains the string "nazgul",
which can be used as a signature to identify it.
The tool is installed after a full system compromise; it gives a
remote attacker access to the system at any time and lets the
attacker use it in a coordinated denial-of-service attack.

The tool hides its presence by changing its process name to "[mingetty]",
the name normally used by the getty program serving the virtual consoles;
this is the name that shows up in the output of ps or top.
However, nazgul can still be recognized by looking at the corresponding
PID entry in the /proc filesystem and examining where the exe link
points: a genuine mingetty's exe link points to the mingetty binary,
whereas the zombie's points to wherever its own binary was placed.
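The /proc check described above, as an added example that is not part of the original note: the script walks /proc, picks every process whose argv[0] claims to be mingetty (with or without the brackets) and compares the exe link with a list of paths where a genuine mingetty is expected to live. The trusted paths, the fake /proc tree used for the demonstration and the file names under it are assumptions; on a real system run it against the real /proc as root.

```python
import os
import tempfile

GETTY_NAME = "mingetty"
# Assumed locations of a genuine mingetty binary; adjust to the distribution.
TRUSTED_GETTY_PATHS = ("/sbin/mingetty", "/usr/sbin/mingetty")


def proc_entry(proc_root, pid):
    """Return (argv0, exe_target) for one PID directory under proc_root."""
    base = os.path.join(proc_root, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as f:
        argv = f.read().split(b"\x00")
    argv0 = argv[0].decode(errors="replace") if argv and argv[0] else ""
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None  # kernel thread, or no permission to read the link
    return argv0, exe


def looks_like_getty(argv0):
    """True for '[mingetty]', 'mingetty' or '/sbin/mingetty'."""
    return os.path.basename(argv0.strip("[]")) == GETTY_NAME


def find_masquerading_getty(proc_root="/proc"):
    """List (pid, argv0, exe) for processes named like mingetty whose exe
    link does not point to a trusted mingetty binary."""
    hits = []
    for name in sorted(os.listdir(proc_root)):
        if not name.isdigit():
            continue  # 'self', 'sys', 'net', ... are not processes
        try:
            argv0, exe = proc_entry(proc_root, name)
        except OSError:
            continue  # process exited meanwhile, or unreadable
        if not looks_like_getty(argv0):
            continue
        real = exe
        if real is not None and real.endswith(" (deleted)"):
            real = real[: -len(" (deleted)")]  # binary unlinked after start
        if real not in TRUSTED_GETTY_PATHS:
            hits.append((int(name), argv0, exe))
    return hits


def build_fake_proc():
    """Constructed /proc look-alike for demonstration only: one zombie that
    renamed itself, one zombie whose binary was deleted, one real getty and
    one unrelated shell."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    entries = {
        123: ("[mingetty]\x00", "/tmp/.x/the-binary"),
        321: ("[mingetty]\x00", "/tmp/the-binary (deleted)"),
        456: ("/sbin/mingetty\x00tty1\x00", "/sbin/mingetty"),
        789: ("bash\x00", "/bin/bash"),
    }
    for pid, (cmdline, exe) in entries.items():
        d = os.path.join(root, str(pid))
        os.mkdir(d)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline.encode())
        os.symlink(exe, os.path.join(d, "exe"))
    os.mkdir(os.path.join(root, "self"))  # non-PID entry, must be skipped
    return root


if __name__ == "__main__":
    root = build_fake_proc()
    for pid, argv0, exe in find_masquerading_getty(root):
        print("pid %d runs as %r but exe -> %s" % (pid, argv0, exe))
```

Reading the exe link of another user's process requires root, which is why the loop tolerates the OSError and reports such a process with exe None rather than silently dropping it.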

The tool accepts IP packets from the network whose protocol field
equals 11. These packets carry control messages back and forth
between the zombie and the control system. Since protocol 11 is
neither TCP nor UDP, this traffic has no ports and is not seen by
port-based filters.

The tool accepts several different commands, which can be used to
execute commands remotely, to spawn a remote shell, or to launch
various kinds of packet floods toward a specific target.
The main risks associated with it are therefore the following:
- the zombie can be used to flood other systems;
- the zombie allows unauthorized access and command execution on
  the victim system.

One way to isolate the Nazgul Attack Tool is to filter inbound and
outbound packets whose IP protocol field is 11.
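A detection for the protocol-11 control channel and for the filtering recommendation, as an added example that is not part of the original note: the script decodes IPv4 headers (verifying the header checksum so damaged frames are not misreported) and reports every packet whose protocol field is 11. The sample packets, the controller address 192.0.2.10 and the payloads are constructed for the demonstration.

```python
import socket
import struct

# IP protocol number the zombie listens for, as stated in the note.
NAZGUL_PROTO = 11

IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a test packet (example data only): 20-byte header + payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode an IPv4 header; rejects truncated, non-v4 or corrupted headers."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    # A header whose checksum field is valid sums to zero under the same algorithm.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": packet[ihl:total_len]}


def find_nazgul_control(packets) -> list:
    """Return (src, dst, payload_len) for every packet using protocol 11."""
    hits = []
    for pkt in packets:
        try:
            ip = parse_ipv4(pkt)
        except ValueError:
            continue  # not IPv4 or damaged; a real sensor would count these
        if ip["proto"] == NAZGUL_PROTO:
            hits.append((ip["src"], ip["dst"], len(ip["payload"])))
    return hits


# Constructed sample traffic: ordinary TCP (6) and UDP (17) plus one
# protocol-11 packet from an assumed controller at 192.0.2.10.
SAMPLE_PACKETS = [
    build_ipv4(6, "10.0.0.5", "10.0.0.9", b"\x00\x50\x04\xd2"),
    build_ipv4(17, "10.0.0.9", "10.0.0.53", b"dns?"),
    build_ipv4(NAZGUL_PROTO, "192.0.2.10", "10.0.0.9", b"ping"),
]

if __name__ == "__main__":
    for src, dst, n in find_nazgul_control(SAMPLE_PACKETS):
        print("protocol-11 packet %s -> %s, %d payload bytes" % (src, dst, n))
```

The same match is what the filter has to express: with iptables it is the protocol number rather than a port, for example `iptables -A INPUT -p 11 -j DROP` and the corresponding OUTPUT rule (assumed syntax for a Linux host; the note itself only states the protocol to filter). Feeding this parser from a raw socket or a pcap file is left to the reader; nothing in the block touches the network.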
