This binary has been found to be a program known as a “backdoor”. Backdoors are widely used malicious programs that are usually installed on compromised systems to offer easier access (i.e. remote access or local privilege elevation). Instead of having to regain control of the machine by potentially difficult or sloppy methods, the cracker uses his backdoor to easily perform actions, remotely or locally, such as executing commands or even relaying to other computer systems. Other usual functionalities include Denial of Service attacks launched from the compromised hosts.
In our case, the backdoor turns out to be a Linux backdoor, meaning it is aimed at subverting Linux-based compromised systems. Though we have no evidence about it, we can suppose this tool can be or has been ported to other Unix-like operating systems, no Linux-specific mechanisms being used.
In the following paragraphs, we will discuss the main features of this backdoor. We will then discuss the threats it poses to the
When run, the backdoor hides itself by changing its program name to that of a standard Linux program. It also contains several tricks that make reverse engineering harder, though we do not know for certain whether these are deliberate or the result of poor coding by the author. We lean towards the latter.
The main feature of this backdoor is that it can be remotely triggered by network events. Those network events are special IP packets that are not normally found in the wild, and thus can be spotted relatively easily. This remote operation mode works in a client-server fashion: the server is the compromised system, whereas the client is the computer cracker who installed the backdoor. Packets sent to the backdoor are orders telling it to take actions depending on the content of the packets.
The backdoor has the ability to generate network noise (decoy packets) to hide the real backdoor packets among many decoys. These decoys are sent to eight random IP addresses, to make network analysis harder. This feature can be turned off remotely.
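The decoy behaviour gives a defender something to look for: every real backdoor packet leaves the compromised host together with eight decoys to random addresses, so the host emits short bursts of packets to nine distinct destinations. The following detection logic, an added example and not part of the original report or the analysed binary, flags such bursts in flow records; the flow records, the one-second window and the addresses are constructed assumptions.

```python
# Added example (not from the report): flag hosts that emit decoy-style bursts.
# The report states that 8 decoys are sent per real packet, so a compromised
# host shows bursts of 9 packets to 9 distinct destinations in a short time.
# The sample flows and the 1-second window are constructed assumptions.
from collections import defaultdict

DECOYS_PER_PACKET = 8          # from the report: 8 decoys per real packet
BURST_WINDOW_SECONDS = 1.0     # assumption: a burst completes within one second

# Constructed sample flow records: (timestamp, source_ip, destination_ip)
SAMPLE_FLOWS = [
    (100.00, "10.0.0.5", "198.51.100.7"),      # real packet towards the client
    *[(100.01 + i * 0.001, "10.0.0.5", f"203.0.113.{i}") for i in range(8)],
    (100.50, "10.0.0.9", "192.0.2.1"),         # ordinary traffic from another host
    (101.00, "10.0.0.9", "192.0.2.2"),
]

def find_decoy_bursts(flows, window=BURST_WINDOW_SECONDS, decoys=DECOYS_PER_PACKET):
    """Return {source_ip: [burst_start_time, ...]} for every source that sends
    packets to at least decoys + 1 distinct destinations within `window` seconds."""
    by_source = defaultdict(list)
    for ts, src, dst in sorted(flows):
        by_source[src].append((ts, dst))
    hits = defaultdict(list)
    for src, pkts in by_source.items():
        start = 0
        for end in range(len(pkts)):
            # slide the window so that pkts[start:end+1] spans at most `window` seconds
            while pkts[end][0] - pkts[start][0] > window:
                start += 1
            distinct = {dst for _, dst in pkts[start:end + 1]}
            if len(distinct) >= decoys + 1:
                hits[src].append(pkts[start][0])
                start = end + 1  # consume this burst so it is reported only once
    return dict(hits)

if __name__ == "__main__":
    for src, times in find_decoy_bursts(SAMPLE_FLOWS).items():
        print(f"{src}: {len(times)} decoy-style burst(s), first at t={times[0]}")
```

Bursts of nine packets to nine different destinations also occur in legitimate traffic (DNS resolvers, CDNs), so treat a hit as a lead for packet capture rather than proof of compromise.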
The backdoor works at the “raw-socket level”, meaning that it catches and sends packets directly on the network without having to use the Linux TCP/IP stack. This allows it to generate network packets as desired, but also to receive data without having to explicitly open network connections.
Because of the previous feature, the client can send forged IP packets to the compromised system. Those forged packets can carry forged source IP addresses; the only field that has to be valid is the destination (compromised system) IP address. Responses, however, have to be sent to valid IP addresses if the cracker wants to receive them.
The backdoor obfuscates its network traffic by a simple byte shuffle and arithmetic, making content analysis harder.
NOTE: we do not describe all functions here; we only describe the main functionalities offered by the backdoor. Please refer to the technical advisory for a comprehensive list of remote functions.
The client can order the backdoor to remotely execute commands on the compromised system without caring about the result of the command. This can for example be used to destroy the infected system, or to launch denial of service attacks against other systems.
The client can order the backdoor to launch a command on the compromised system and send output in network packets back to the client.
The client can remotely order the backdoor to terminate parts or all of itself.
The client has the ability to order the backdoor to “bind a shell” on a hardcoded TCP port (23281). Access to this shell is then password-protected, the password (SeNiF) being also hardcoded in the binary. This functionality is aimed at executing interactive commands on the target machine.
The client has the ability to order the backdoor to launch a Denial of Service attack against any target. The type of Denial involved here is known as “UDP DNS Reflection”.
The client has the ability to order the backdoor to launch a Denial of Service attack against any target. The type of Denial involved here is known as “TCP SYN Flood”.
The backdoor contains several other remotely callable functions, which have not yet been identified because of a lack of time for the analysis. Most of them are probably related to other Denial of Service attacks.
We reckon one more day would be appropriate to fully understand those remaining parts we did not manage to analyse in time.
We consider this backdoor as a medium risk threat. To our knowledge, it is not in wide circulation. We thus assess here all threats we can see about it.
First, it is obvious but nonetheless important to remember that this binary has been found on a compromised system. Understanding why the system was compromised in the first place is also an important part of the incident handling work. Having it compromised by a known attack would demonstrate problems in the daily enforcement of the HoneyPot security policy. Having it compromised by an unknown vulnerability would certainly prove that the
As we saw in the Features paragraph, the backdoor tries to hide itself in numerous ways. It is thus possible that other backdoors may already be running on other university systems, without anyone knowing about it.
As always in computer break-ins, it is important to understand that even if the compromised system was not important, the intrusion itself can become very important if the cracker uses the system as a base for attacking others. Leaving known compromised systems on the network can be disastrous for the reputation of the
The backdoor has the native functionality of launching Denial of Service attacks against any host specified by the client. It is thus possible for the cracker to launch such attacks from the
Similar Denial of Service attacks have already been successfully launched in the past against major Web sites on the Internet, causing heavy damage such as lost revenue. This tool can potentially be used to conduct such wide attacks.
(side effect) As detailed in the “Features” part of this document, the backdoor sends decoy packets to random locations on the Internet. More precisely, 8 decoys are sent per packet. This raises two problems:
- the backdoor could also be used as a traffic amplifier by malicious users, using the decoy functionality to generate traffic coming from the compromised system
- the backdoor could randomly send packets to real locations on the Internet, possibly triggering alarms at the remote side and involving the
Considering the two previous parts of this document, we recommend the following actions to be taken immediately (in order):
This can include, depending on the security policy (which we did not have access to at the time of writing this document), unplugging the compromised system from the network and reporting the break-in to law enforcement agencies.
A scanning program that remotely determines whether the backdoor is installed on a target system can relatively easily be developed in-house, given the technical specifications described in this report. We recommend that the network staff scan the whole university network (including student machines if possible; see the legal department).
Network intrusion detection systems (NIDS) can be deployed on certain machines with signatures that detect attempts to use the backdoor. These signatures could identify attempts at contacting the compromised system again, or at contacting other backdoors on the network.
Incoming commands to the backdoor can easily be blocked by denying incoming backdoor traffic at the network perimeter.
It is also possible to lower the threat of the Denial of Service part of the tool by using “ingress filtering” at the main network points, so that packets with forged source addresses are dropped.
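One building block for the in-house scan recommended above: the bind shell uses a hardcoded TCP port (23281), so a listener on that port across the university's address space is worth a closer look. The check below is an added example, not code from the report; the inventory and timeout are constructed assumptions. Note that, as the report describes, the shell is only bound after the client orders it, so a closed port does not rule out a dormant copy whose raw-socket command channel opens no listening port at all.

```python
# Added example (not from the report): check whether hosts on an inventory list
# expose a listener on the backdoor's hardcoded bind-shell port (TCP 23281).
# The host list and timeout are constructed assumptions. The report says the
# shell is only bound on the client's order, so a clean result does not clear
# a host: the raw-socket command channel never opens a listening port.
import socket

BIND_SHELL_PORT = 23281   # hardcoded TCP port named in the report

def port_accepts_connection(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes, False otherwise.
    Nothing is sent after the handshake, so the password prompt is never answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def scan_inventory(hosts, port=BIND_SHELL_PORT, timeout=1.0):
    """Map each host to whether the bind-shell port accepts connections."""
    return {host: port_accepts_connection(host, port, timeout) for host in hosts}

if __name__ == "__main__":
    # Constructed inventory; replace with the hosts you are responsible for.
    for host, listening in scan_inventory(["192.0.2.10", "192.0.2.11"]).items():
        state = f"LISTENING on tcp/{BIND_SHELL_PORT}" if listening else "closed"
        print(f"{host}: {state}")
```

A hit only means something accepts connections on that port; confirm on the host itself (process owning the socket, its on-disk binary) before treating it as this backdoor.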