1) Identify and explain the purpose of the binary.

The binary is an "all in one wonder". That means that if the binary is installed and running on one system, a remote attacker can remotely execute arbitrary commands on that system and can flood other computers. Basically it's a Control and Flood tool.

2) Identify and explain the different features of the binary. What are its capabilities?

a) Stealth and spoofed remote control of a system. This means that an attacker can send a single encrypted packet to the system and execute a command or a set of commands. The IP source address of the attacker can be spoofed, and by using this technique, tracking the hacker is a hard job.

b) Flood
- UDP using the DNS Smurf type of attack, see http://teso.scene.at/advisories/teso-advisory-003.tar.gz (TESO Team DNS SMURF advisory)
- SYN flood similar to stream, see http://staff.washington.edu/dittrich/misc/ddos/stream.txt (BUGTRAQ threads on the stream.c DoS attack and its fallout)

3) The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it.

The packet decoder routine can be found in the executable at file offset 0x021E8, or at 0x0804A1E8 when the executable is loaded in memory. More information on this can be found in analysis.html.

4) Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.

Since the communication between attacker and victim is done using IP protocol 11, as shown in the traffic below:

root@analize# tcpdump -n
tcpdump: listening on eth1
02:45:40.810845 arp who-has 192.168.1.2 tell 192.168.1.1
02:45:40.811673 arp reply 192.168.1.2 is-at 0:80:c7:75:c9:84
02:45:40.811695 192.168.1.1 > 192.168.1.2: ip-proto-11 215

you can use Snort (http://www.snort.org) and the following rule:

alert ip !$HOME_NET any -> $HOME_NET any (msg: "the-binary attacker to client traffic detected"; ip_proto: 11; )

or you can use tcpdump with the filter

ip proto 11

to see the traffic.
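The Snort rule above matches one protocol number; the same idea generalises to "alert on any IP protocol the network does not normally carry", which also catches other tools that tunnel commands over an unusual protocol. The following Python is an added example written for this write-up, not code from the original analysis or from the-binary. The allowlist of expected protocols, the home network 192.168.1.0/24, the outside address 10.0.0.5 and all sample packets are constructed assumptions; protocol 11 is listed by IANA as NVP-II.

```python
import ipaddress
import socket
import struct
from collections import Counter

# Protocol numbers most sites expect to see (assumption of this example; tune it
# to the monitored network). Anything else is reported, which catches protocol 11
# as used by the-binary but also any other tool hiding behind an odd protocol.
EXPECTED_PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}

# Names for a few rarely seen numbers (IANA assignments) so alerts read better.
PROTOCOL_NAMES = {11: "nvp-ii", 47: "gre", 50: "esp", 51: "ah"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over 16-bit header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) as sample input."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header; return addresses, protocol, TTL and the payload slice."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent header/total length")
    # A valid header sums to zero when its own checksum field is included.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def detect_unusual_protocols(packets, home_net: str):
    """Report packets entering home_net whose IP protocol is not on the allowlist.

    Same direction logic as the Snort rule (!$HOME_NET -> $HOME_NET), but for
    every unexpected protocol number rather than only 11. Also returns a
    per-protocol histogram, useful for baselining what the network carries.
    """
    home = ipaddress.ip_network(home_net)
    alerts = []
    seen = Counter()
    for raw in packets:
        try:
            pkt = parse_ipv4(raw)
        except ValueError:
            continue  # not IPv4 (e.g. the ARP frames in the capture) or corrupt
        seen[pkt["proto"]] += 1
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if dst in home and src not in home and pkt["proto"] not in EXPECTED_PROTOCOLS:
            name = PROTOCOL_NAMES.get(pkt["proto"], "unassigned/unknown")
            alerts.append(f"unexpected ip protocol {pkt['proto']} ({name}) "
                          f"{pkt['src']} -> {pkt['dst']} len={len(pkt['payload'])}")
    return alerts, seen


# Constructed sample traffic: one inbound protocol-11 packet with a 215-byte
# payload, ordinary TCP and UDP, an outbound protocol-11 packet (outside the
# rule's direction) and a few non-IP bytes standing in for an ARP frame.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "192.168.1.2", 11, b"\x00" * 215),
    build_ipv4("10.0.0.5", "192.168.1.2", 6, b"\x00" * 20),
    build_ipv4("10.0.0.5", "192.168.1.2", 17, b"\x00" * 8),
    build_ipv4("192.168.1.2", "10.0.0.5", 11, b"\x00" * 4),
    b"\x00\x01\x08\x00\x06\x04\x00\x01",
]


def main():
    alerts, seen = detect_unusual_protocols(SAMPLE_PACKETS, "192.168.1.0/24")
    for alert in alerts:
        print("ALERT", alert)
    print("protocol histogram:", dict(seen))


if __name__ == "__main__":
    main()
```

The histogram is the part worth keeping in production: a protocol number that has never appeared in the baseline is a stronger signal than any single signature, and it does not depend on knowing the-binary's encoding.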
5) Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

First of all, the-binary comes without debugging information. Usually the coder does not bother to strip the executable. Once it is started, it checks for root privilege; if the executable is run as a normal user it will just exit. To make things a bit more complicated, after it is run it forks and the parent exits. To analyze it, it is required to run the executable, then start gdb and manually attach to the process.

6) Identify two tools in the past that have demonstrated similar functionality.

One tool that demonstrates similar functionality is knight.c, http://packetstorm.dnsi.info/distributed/knight.c (the main difference is that knight uses the IRC network for commands instead of IP protocol 11).

Another tool is Tribe Flood Network 2000 (tfn2k), http://packetstormsecurity.com/distributed/TFN2k_Analysis-1.3.txt (communication between master and agent is done without confirmations and using a random protocol (udp, tcp, icmp)).

Bonus:
======

What kind of information can be derived about the person who developed this tool?

The person who developed this tool knows network programming pretty well and developed it with the intention of making it "better". An argument for this is the command field used in the packet (function number). My guess is that this program is not in its first version, due to the duplication of some flood functions. The coder usually adds a new flood function when a new type of attack becomes available, and he does not bother to erase the old functions. More details on the functions included in the-binary can be found in analysis.html.

What advancements in tools with similar purposes can we expect in the future?

Since this tool is only used in user space, I guess it will come with some method to hide it from the sysadmin's eye. Another probable advancement will be "burned eye" executables. That means a number of crypting layers will be added to the executable to protect it from being analysed (we already saw this on the sshd exploit from teso). A tutorial about dealing with such executables will be released soon. An alpha version of OpenEye versus BurnedEye has already been available to Romanian white hats since January.

Another improvement can be the inclusion of known exploits and the possibility to ease remote updating of the executable (this can be done manually using the current executable and shell scripts). Another improvement in this kind of tool will probably be distributed functions to transform them into DDoS tools. On the packet crypting layers, we can expect strong crypto to be used.