honeynet reverse challenge


Advisory

Honeypot University
Security Incident 0001 - TECHNICAL ADVISORY
May 31, 2002
netsecurity@honeyp.edu

We recently discovered a malicious binary on one of the honeyp.edu hosts. The binary was a statically linked C executable which appears to be an agent node in a Distributed Denial of Service (DDoS) scheme. We assume the binary was deposited subsequent to a root compromise achieved with other tools.

Obviously source code was not available, so we resorted to reverse-engineering techniques. Here are the defining characteristics of the binary we were able to determine:

