1. Identify and explain the purpose of the binary.
The-binary is, in a word, backdoor acting as a DOS agent. It binds to linux raw socket
and listens on protocol 0xb(11). It's a proprietary protocol for the backdoor which
is not used generally. So if you monitor only well known protocols, such as TCP,UDP,ICMP,IGMP,etc,
you can miss the traffic.
This backdoor can be used as a DOS agent, which generates UDP DNS packets or SYN
flooding packets. Because this backdoor uses raw socket for it's communication channel,
the source address of the IP packet can be forged, and the source of command is
not correct. So, you can't trace the one who sent the command packet.
If the sender of the forged packet wants to get the response back, he can set the
"master" address with some command packet.
2. Identify and explain the different features of the binary. What are its capabilities?
The binary uses a network data encoding process.
And uses raw socket for it's communication.
It has decoy mode, which make the traceback more difficult. Throuth operation mode
2, it sets true master server IP address. And with random number generator, generates
extra 8 more IP addresses for random. Theses addresses are used as decoy IPs. So
the backdoor response packet is alway sent to the 9 hosts, including one true master
IP.
It has some operation mode determined by the third byte of the decrypted data.
The operation mode is from 0 ~ 0xb(11).
Operation Mode 0. This is a test operation mode, which responds with re-encrypted packet.
Operation Mode 1. sets master server IP address which wants to get the response packet.
Operation Mode 2. execute command from command packet and stores it to /tmp/.hj237349 file and read it and encrypt. Then sends it through 0xb protocol packet.
Operation Mode 3. generates UDP DNS packet for DOS attack.
Operation Mode 4. send UDP or ICMP packet to the destination pointed by the command packet.
Operation Mode 5. spawn port bind shell on TCP port 23281. The password is "SeNiF". You must type the password to use the shell.
Operation Mode 6. execute command using csh and kill it after 9 seconds later.
Operation Mode 7. kill forked child(some operation mode forks child which works for infinitely).
Operation Mode 8. Send DNS packet to the host assigned by the command packet. It's a kind DOS attack. And eats up the bandwidth.
Operation Mode 9. Send syn flood attack packet.
Operation Mode a. Send syn flood attack packet.
Operation Mode b. Send forged DNS UDP packet for DOS attack.
3. Identify the encoding process and develop a decoder for it
Encoding process is so simple and you can develop decoding routine easily. You can
refer to the function(0x804a1e8: decrypt_packet_data) for reference. It's like a
puzzle game, and no special cryptographical algorithm is introduced.
Algorithm:
it starts from the last byte of the buffer. The last byte of the buffer minus the
one before the last byte of the buffer is calculated. And from this value minus
23 is done. And if the result value is little than 0, add 0x100 till it becomes
positive number. This value is the last byte of the decrypted buffer.
The process above is done on the byte before the one above. When it reaches the
first byte of the buffer, the byte itself minus 23 is used for the value.
The decoder process:
The packet uses 0xb protocol and the IP's data part is the encoded data. Firstly,
you must the convert binary file to text file. By using ethereal and print out to
the file you can achieve this. This file will be used as extract_data.pl file's
first argument. You can extract the data part using extract_data.pl and each packet
data is stored to the sequential filename with .dump filename extension.
The command './decrypt <filename>' decrypts file to be decrypted.
The result data is printed out to the STDOUT. With the use of decrypt.sh you can
batch process all the files. And the results will be stored to the *.dec files.
All the code and output files are decrypter.tar in files.tar.
decrypt.c
------------------------------------------------------------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/*
date: 2002.05.28
mat@monkey.org
*/
void dump_hex(char *buffer,int len)
{
int i,j;
printf("==============================\n");
for(i=0;i<len;i+=16)
{
for(j=i;j<i+16;j++)
{
printf("%.2x ",buffer[i+j]&0xff);
if(j%4==3)
{
printf("|");
}
}
for(j=i;j<i+16;j++)
{
if(isprint(buffer[i+j]))
{
printf("%c",buffer[i+j]&0xff);
}else{
printf(".");
}
}
printf("\n");
}
printf("\n");
fflush(stdout);
}
void decrypt_data(char *input_buffer,int input_buffer_len)
{
char output_buffer[1024]={0,};
char local_buffer[1024]={0,};
int input_buffer_i=input_buffer_len-1;
int tmp_var;
int res_var;
int i;
int edx;
int op_code;
int address_mode;
while(input_buffer_i>=0)
{
if(input_buffer_i==0)
{
tmp_var=input_buffer[0];
}else{
tmp_var=input_buffer[input_buffer_i]-input_buffer[input_buffer_i-1];
}
res_var=tmp_var-23;
if(res_var<0)
{
while(res_var<0)
{
res_var+=0x100;
}
}
memcpy(local_buffer,output_buffer,input_buffer_len);
output_buffer[0]=res_var;
if(input_buffer_len>1)
{
for(i=1;i<input_buffer_len;i++)
{
output_buffer[i]=local_buffer[i-1];
}
}
sprintf(output_buffer,"%c%s",res_var,local_buffer);
input_buffer_i--;
}
#define BASE 2
op_code=output_buffer[BASE+1]-1;
printf("op_code: %d\n",op_code);
switch(op_code)
{
case 1:
address_mode=output_buffer[BASE+0x2];
printf("address_mode: %d\n",address_mode);
if(address_mode==2)
{
for(i=0;i<9;i++)
{
printf("%d.%d.%d.%d\n",output_buffer[BASE+0x3+4*i],output_buffer[BASE+0x4+4*i],output_buffer[BASE+0x5+4*i],output_buffer[BASE+0x6+4*i]);
}
}
if(address_mode==1)
{
printf("address: %u.%u.%u.%u\n",output_buffer[BASE+0x3]&0xff,output_buffer[BASE+0x4]&0xff,output_buffer[BASE+0x5]&0xff,output_buffer[BASE+0x6]&0xff);
}
}
dump_hex(output_buffer,input_buffer_len);
}
void main(int argc,char *argv[])
{
char *input_filename;
int input_fd;
char onechar;
char buffer[1024];
int rc;
if(argc<2)
{
fprintf(stderr,"usage: %s <file name>\n",argv[0]);
fflush(stderr);
return;
}
input_filename=argv[1];
input_fd=open(input_filename,O_RDONLY);
if(input_fd<0)
{
fprintf(stderr,"open failed: %s\n",input_filename);
fflush(stderr);
exit(0);
}
while((rc=read(input_fd,(void *)buffer,sizeof(buffer)))>0)
{
printf("rc is %d\n",rc);
decrypt_data(buffer,rc);
}
close(input_fd);
}
------------------------------------------------------------------
4. Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.
This kind of traffic, using unassigned and not used IP protocol is not so hard to
detect. But if your IDS or firewall ignores this kind of traffic, it's so big problem.
And IP protocol number can be used for backdooring purpose. And even simple encryption
can defeat IDS's pattern matching process.
You must introduce statistical approach to the IDS system. And watch out for abrnormal
traffic.
5. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
* Changes its name to [mingetty] at startup. Mingetty is a usual and default running
process for many Linux systems.
* Static password is not used directly. It's scrambled. In operation mode 5, the
password is encoded in simple method, the string found in the binary 0x8067617:
"TfOjG" is not the encoded one. Each character minus one is the correct one. "SeNiF"
is the correct password for this bind shell. Some simple encoding like this makes
the reverse engineering more difficult and time consuming. This is showed in the
oper5 backdoor connection.
* The command channel uses raw socket and uses protocol 0xb(11), which is not common.
The protocol is not general one, you can miss it when using packet dumper. And for
the ecryption is not general one, you must make decryption tool to analyze this
protocol.
* The-binary is statically compiled. It's so big problem for reverse engineers to
identify statically compiled and stripped binary. Much time takes to identify all
the simple libc functions.
* It uses fork to gdb running more difficult. Some technique is needed to debug child
process. I think it's not intentional.
6. Identify two tools in the past that have demonstrated similar functionality.
I searched packetstorm and found similar backdoors using raw socket,encryption.
* Q-0.9.tgz
By Mixter
Nov 22 13:09:07 1999
29b5c339905f4426ee32f8b384efef18
First public release of Q - a client / server backdoor with strong (256 bit AES)
encryption for remote shell access. Also supports encrypted tcp relay/bouncer server
that supports normal clients (with a local encryption tunneling daemon). Includes
stealth features like activation via raw packets, syslog spoofing, and single-session
servers that prevent it from appearing in netstat.
http://packetstormsecurity.nl/groups/mixter/Q-2.4.tar.gz
* udp_backdoor.tar.gz
http://packetstormsecurity.nl/UNIX/penetration/rootkits/udp_backdoor.tar.gz
By Plastek
Feb 21 23:06:24 2002
e631d34f6472356f7a8695a2650e6197
UDP backdoor which uses raw sockets. It spoofs the packets origin address when communicating
with the server end of the backdoor. It also uses encryption, and has several methods
of security through obscurity.
|