The commands are recieved encoded in the body of packets marked at IP protocol 11. The commands provide the following functions:

• status query
return the current command.
• setup return address
specify where to return data too. The data may be sent to a single address or a a set of address may be specified or randomly generated.
• run command
Run the command and optionally return the output.
• dns attack
There are two forms of the dns attack. The first is an attack against a list of over 10,000 addresses included in the binary. Presumably, this is a list of NDS servers that were harvested at some point. The requests are all for SOA records for a number of top level domains com, net, edu, org, and ucs.edu. Addition queries are intended for SOA records fro de, es, gr, and ie. Those DNS queries howerever are invalid.

The second form sends the same set of queries as above to a single specified address.

• icmp attack
The icmp attack sends ICMP ECHO REQUEST packets to as specified address. The IP headers of these packets are malformed, however, in that while the fragment bit is not set, a fragment offset of 65520 is specified. The linux 2.4.17 kernel will not respond to such packets, the response of other operating systems is unknown. It appears likely that it is trying to overflow and OS buffer and cause a complete crash.
• udp attack
A UDP packet is sent to a specified address and either a specified or random port. The IP header of this packet has the same defect as the ICMP packets, namely that while the fragment bit is clear, an offset of 655?? is specified.
• shell server
Start listening on tcp port 23281 for incoming connects. Once a connection is made, verify that the first characters seen are "SeNiF\n". If the condition is met, the socket is connected to the standard I/O desciptors (stdin, stdout, and stderr) and a bourne shell exec'ed. This give the remote user full access to the machine.
• kill
All of the attacks plus the shell server run in a subprocess to the main program. This command kills the current attack.
• tcp attack
Send tcp SYN packets to a specified host and specified or random port. This is the classic SYN flood.

#define ENC_CONST   0x17
typedef unsigned char byte;

void enc(int n, byte *in, byte *out)
{
	int i;

	out[0] = in[0] + ENC_CONST;
	for(i=0; i<=n; i++)
		out[i] = (in[i] + out[i-1] + ENC_CONST);
}

#define ENC_CONST   0x17
typedef unsigned char byte;

void dec(int n, byte *in, byte *out)
{
	int i;

	for(i=n-1; i>0; i--)
		out[i] = in[i] - in[i-1] - ENC_CONST;
	out[i] = in[i] - ENC_CONST;
}

The various attacks are harder to identify since random values are used for port numbers, ids and ttl values. However, there are a few things we can look for. As discussed above, the udp and icmp attacks make use of malformed IP headers. We can therefore look for packets with the fragment bit clear and the fragment offset not equal zero. Other forms of invalid header values can also be used. One other consistent pattern is that the connection to the shell server is always on port 23???. To generalization this, on could look for incoming tcp connections to high number port (> 16000). This could pick up active ftp connections and p2p programs.

There are number small feature that make it more diffult to analise. All parameters are passed byte by byte (i.e 4 bytes for an ip address). There are a number of awkward programming sequences, and the decode routine appears much longer than a straight forward one.

For the most part, these feature don't really increase the skill required to investigate the program, but just makes it more tedious.