© by Als and Vizzy, 2002.
[Ukraine - United Kingdom] Team
summary.html
~~~~~~~~~~

[Overview]

The analysed binary appears to be a sophisticated remote administration tool which, once installed on a computer running the Linux operating system, can later be used to gain unauthorised root access to that system and can be remotely instructed to perform several types of "flooding" denial-of-service attacks against specified IP address(es).

Such attacks consist of a stream of connection requests aimed at the target server. On many systems even a relatively small flood of bogus packets will tie up memory, CPU and applications, resulting in denied access for legitimate users and sometimes shutting the server down. The "binary" provides the attacker with the most common and powerful types of flooding attacks. A single host launching a small SYN flood at its maximum rate can overload a remote host and cause significant damage. The attacker remains anonymous and does not need to consume his own network resources, since all attacks use the bandwidth of the compromised system.

These attacks are made possible by exploiting flaws in common Internet protocols. They do not depend on the victim's operating system or installed software, since they are network-level attacks. Most network devices (including routers and NICs) are limited by their packet processing rate, so an attacker will generally send small packets as quickly as possible to overload the network. These attacks cause legitimate packets to be dropped as network routers struggle to keep up with the combination of bogus and legitimate packets. What makes them more difficult to resolve or prevent is that attack traffic generally appears no different from legitimate user traffic.

The "backdoor" feature of the installed binary gives an attacker who knows the password access to the compromised system at administrator level. The rest of the interaction is performed using a client-server architecture: the attacker has a client and constructs commands for the server (the-binary). The client sends specially crafted packets instructing the server to execute arbitrary commands and to choose attack types (TCP, DNS or UDP/ICMP flood) and target hosts. Simple encryption is used for all incoming commands and outgoing results. The binary runs on the system under the name "[mingetty]", pretending to be a harmless common Unix daemon. No other trojan, worm or destructive functions are implemented; however, the threat to the compromised system is now very high, since the attacker could take any action on it, such as deleting data or adding new users with root access.

[Detecting and Defending]

The best way to avoid having such tools installed on your system is to stop them before they get in. To install a remote-access binary, an intruder still must gain unauthorised root access to your server using traditional methods, such as exploiting known vulnerabilities or even practising social engineering to get the password from a well-meaning person who happens to have it.

Once the binary is installed, how quickly it is found depends entirely on the system administrator. It is always important for the administrator to know the role of every tool currently installed on the system. A new daemon appearing in the process list should immediately draw the administrator's attention. Then, even just by retrieving the text strings from the binary, it should be obvious that the thing is bogus. The program should be disabled and a copy passed to security experts for forensic analysis and identification. Once that is done, a unique fingerprint of the binary can be produced and added to a database of known malware.
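A defender-side sketch of the checks just described, added here as an example and not part of the original write-up: it flags a user process that displays as "[name]" the way kernel threads do, flags a daemon name running from an unexpected path, pulls printable strings from a binary image like strings(1), and hashes it as a fingerprint. The KNOWN_DAEMONS table and all sample inputs are constructed assumptions.

```python
import hashlib
import os
import re

# Where the daemon whose name the trojan imitates really lives. Constructed
# example table: the write-up names only "[mingetty]"; the path is an assumption.
KNOWN_DAEMONS = {"mingetty": "/sbin/mingetty"}


def classify(argv0, exe_path):
    """Return why a process looks bogus, or None if it looks legitimate.
    argv0: first NUL-separated field of /proc/<pid>/cmdline;
    exe_path: readlink() target of /proc/<pid>/exe ('' if unreadable)."""
    if argv0.startswith("[") and argv0.endswith("]"):
        # Real kernel threads have an empty cmdline; a user process that shows
        # up as "[name]" in ps has set argv[0] itself to look like one.
        return "user process masquerading as kernel thread: " + argv0
    base = os.path.basename(argv0)
    expected = KNOWN_DAEMONS.get(base)
    # The exe link carries a " (deleted)" suffix if the file was unlinked.
    if expected and exe_path and os.path.normpath(exe_path) != expected:
        return f"{base} running from {exe_path}, expected {expected}"
    return None


def extract_strings(data, min_len=4):
    """Printable ASCII runs from a binary image, like strings(1)."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs]


def fingerprint(data):
    """SHA-256 of the binary image, usable as a malware-database fingerprint."""
    return hashlib.sha256(data).hexdigest()


def scan_proc(proc_root="/proc"):
    """Walk /proc and return (pid, argv0, exe, reason) for suspicious processes."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process already exited
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            exe = ""  # genuine kernel thread, or not ours to inspect
        reason = classify(argv0, exe) if argv0 else None
        if reason:
            findings.append((int(pid), argv0, exe, reason))
    return findings
```

Run `scan_proc()` as root on a live host to inspect every process; `extract_strings` and `fingerprint` take the bytes of the suspect file read from disk.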

The next and most important thing for the administrator to do is to find out how the system was initially compromised. Look for evidence of intrusion in logs, IDS systems, etc.

To prevent future threats, keep current with security-related patches for operating systems and application software. Follow security best practices when administering networks and systems.

The existence of such attacks and tools shows that someone's security (or lack of it) can cause serious harm to others, even if the intruders do no direct harm to the initially compromised system. Defending against flooding attacks likewise requires many parties to participate. All providers of Internet connectivity should implement packet filtering to prevent attackers from using forged source addresses that do not reside within their legitimately advertised network range. An additional benefit of this type of filtering is that it enables the originator to be easily traced to its true source, since the attacker would have to use a valid, legitimately reachable source address.