Vulnerability Advisory

g0dzg1ft

HoneyNet Research Group

Ready Response/ISSO

Revision History
Revision 1.0    24th May 2002    Revised by: _0bfu5cati0n
Release Version

"wtfu4" Distributed Denial of Service Tool

Overview

In 2002, one of our sites was compromised and a new distributed denial of service (DDOS) ELF binary, which is being called "wtfu4", was installed. The purpose of the tool is to enable the intruder(s) to initiate multiple requests to DNS servers in order to launch various denial of service attacks against a target system. These attacks include packet flooding and reflective DNS attacks.

Description

"wtfu4" is very similar to previous tools such as "Trinoo" and "mstream", but unlike these it has no password authentication. It can be seen running as a "[mingetty]" process in the process list. This process crafts forged packet headers and therefore requires administrative (e.g., root) privileges to execute.

The intruder controls this Trojan remotely by passing it one of eleven commands. Commands are sent using a client, which encrypts all data before sending. The process uses certain default protocols and destination socket numbers; all of these are connections over raw sockets, which increases the life expectancy of the tool by evading various scanning techniques and network monitoring tools.

Running 'strings' against the binary yields very little information that can be deemed valuable. Many of the strings seem at first glance to be standard resolver library entries, and there are no visible IP addresses. Here is an example of the output, edited to show easily identifiable items.

When an agent is first executed, it forks twice and spawns a "[mingetty]" process listening on a raw socket on port 11 (the common systat port). Once this is active, it awaits commands from the intruder, which instruct wtfu4 to carry out various types of attack against a specified IP address using data requested from DNS servers.

The payload of wtfu4 is used for a packet flooding denial of service attack using TCP packets. These packets seem to vary in length and include:

  1. Spoofed source IP address

  2. Source TCP socket number

  3. Destination TCP socket number for each packet

The intruder can remotely instruct the binary to initiate an attack using certain commands, which are sent encrypted in the packet via the client. The command also specifies an offset giving the starting position of the payload / command to run.

Analysis

A full, detailed analysis of the tool, carried out by honeyp.edu, can be found here ("wtfu4 - Meltdown").

Impact

In general, distributed denial of service (DDOS) tools are capable of producing high-magnitude packet flooding denial of service attacks. The "wtfu4" tool is capable of producing a severe denial of service condition against a victim's site. However, at this time, "wtfu4" does not contain any functionality that adds to the overall threat currently posed by DDOS tools already in the wild.

From our analysis, we believe the binary to be highly optimised; it is also statically linked against libc and the resolver library, which makes reverse engineering it more difficult. We believe the functionality of the tool may advance in the future, but the main difficulty will be the increased complexity of debugging new versions, as we believe they will be optimised further.

Solutions

There are a number of ways you can protect yourself and reduce the number of DoS attacks. These include:

  1. Egress filtering

    This prevents packets with invalid or incorrect source addresses from leaving your network. More information on this subject can be found in the SANS reading room.

  2. Ingress Filtering

    This method filters IP packets with untrusted source addresses before they have a chance to enter and affect your system / network (see http://www.landfield.com/rfcs/rfc2267.html).

  3. Snort Rules

    It is possible to configure Snort to monitor for this type of network activity, so that an alert is produced as soon as traffic matches one of these rules.

    #Name: WTFU4 DOS Trojan
    #Group: DOS
    #Author: Sunzi Ping-fa
    #Email: sunzi@honeyp.edu
    #Modified: 5/26/2002 6:27:26 PM
    #-----------------------
    #
    alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"WTFU4 Client to Server"; content:"|0200|"; ip_proto:11; classtype:attempted-dos; priority:2; sid:1000001;)
    alert ip $HOME_NET any -> any any (msg:"WTFU4 Server Detected"; content:"|0300|"; ip_proto:11; classtype:successful-dos; priority:2; sid:1000002;)
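The following matcher is an added example, not part of this advisory or of Snort itself: it reads the two rules above, decodes Snort's |..| hex content notation, and evaluates each rule's header (direction), ip_proto and content options against raw IPv4 packets. The monitored network (192.0.2.0/24 standing in for $HOME_NET) and the packets built by build_ipv4 are assumed/constructed for the demonstration.

```python
import ipaddress
import re
import struct
RULES = [  # the two detection rules from the Snort section of this advisory
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"WTFU4 Client to Server"; '
    'content:"|0200|"; ip_proto:11; classtype:attempted-dos; priority:2; sid:1000001;)',
    'alert ip $HOME_NET any -> any any (msg:"WTFU4 Server Detected"; '
    'content:"|0300|"; ip_proto:11; classtype:successful-dos; priority:2; sid:1000002;)',
]
HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed monitored network (TEST-NET-1)
RULE_RE = re.compile(r"^alert ip (\S+) \S+ -> (\S+) \S+ \((.*)\)$")

def parse_rule(text):
    """Extract the header addresses and the options this matcher understands."""
    src, dst, opts = RULE_RE.match(text).groups()
    rule = {"src": src, "dst": dst}
    for opt in filter(None, (o.strip() for o in opts.split(";"))):
        key, _, val = opt.partition(":")
        rule[key] = val.strip('"')
    rule["content"] = bytes.fromhex(rule["content"].strip("|"))  # |0200| -> b"\x02\x00"
    rule["ip_proto"], rule["sid"] = int(rule["ip_proto"]), int(rule["sid"])
    return rule

def addr_matches(spec, addr):
    """$HOME_NET is the monitored network, $EXTERNAL_NET its complement, any matches all."""
    inside = ipaddress.ip_address(addr) in HOME_NET
    return spec == "any" or (inside if spec == "$HOME_NET" else not inside)

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet, or None if malformed."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    src, dst = (str(ipaddress.ip_address(pkt[i:i + 4])) for i in (12, 16))
    return pkt[9], src, dst, pkt[ihl:]

def match(rules, pkt):
    """Return the sids of every rule whose header and options all match the packet."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return []
    proto, src, dst, payload = parsed
    return [r["sid"] for r in rules if proto == r["ip_proto"] and r["content"] in payload
            and addr_matches(r["src"], src) and addr_matches(r["dst"], dst)]

def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload
PARSED_RULES = [parse_rule(r) for r in RULES]
```

Note that the rules key on IP protocol number 11, not a TCP/UDP port, so a TCP packet carrying the same bytes does not fire either rule.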

Further information on denial of service attacks can be found here:

http://www.cert.org/tech_tips/denial_of_service.html

http://rr.sans.org/firewall/packet_filter.php