This malware is in all likelihood capable of infecting most modern Linux distributions. The executable is statically linked against libc5. Based both on observation of this program in action and on brief inspection of the binary, it does not appear to automatically make any substantial or nefarious changes to files or data. While no worm behavior has been observed, the code does have the ability to open connections to other systems and could have unknown propagation capability.
When run, the binary executes a fork() call, changes its name as seen by ps(1) to "[mingetty]", and listens for connections on IP protocol 11.

ps output:

    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 10527 0.0 0.0 244 72 ? S 09:28 0:00 [mingetty]

netstat -an output:

    Proto Recv-Q Send-Q Local Address Foreign Address State
    raw 0 0 0.0.0.0:11 0.0.0.0:* 7

The binary may be detected on the host by observation of open network ports and the contents of the process table. The activity of this code can also be observed with any packet logging or sniffing system, Snort, or other IDS systems.
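The two host-side checks just described (a raw socket open on protocol 11 and a process masquerading as the kernel-style "[mingetty]") can be scripted. The following is an added example, not code from the original analysis; it parses the /proc/net/raw format (for raw sockets the port field carries the IP protocol number) and a `ps -eo pid,user,comm` listing, using constructed sample text in place of the live files.

```python
import re

# Constructed sample of /proc/net/raw: slot 0 is a normal ICMP raw socket
# (protocol 1), slot 1 is the malware's listener on IP protocol 11 (0x0B).
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234 2 00000000 0
   1: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5678 2 00000000 0
"""

# Constructed sample of `ps -eo pid,user,comm` output.  A real mingetty is a
# user-space program, so a bracketed "[mingetty]" (kernel-thread style) is bogus.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     init
  312 root     mingetty
10527 root     [mingetty]
"""

# Protocol 11 is the listener; protocol 255 was seen on forked child processes.
SUSPECT_PROTOCOLS = {11, 255}
# Names that are user-space programs and never legitimately appear in brackets.
SUSPECT_BRACKETED = {"mingetty"}


def raw_listener_protocols(proc_net_raw: str) -> set:
    """Return the set of IP protocol numbers with an open raw socket."""
    protos = set()
    for line in proc_net_raw.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) < 2:
            continue
        _addr_hex, port_hex = fields[1].split(":")
        protos.add(int(port_hex, 16))            # port field == protocol for raw
    return protos


def bracketed_impostors(ps_output: str) -> list:
    """Return (pid, comm) for bracketed names that belong to user-space programs."""
    hits = []
    for line in ps_output.splitlines()[1:]:      # skip the PID/USER/COMMAND header
        pid, _user, comm = line.split(None, 2)
        m = re.fullmatch(r"\[(.+)\]", comm.strip())
        if m and m.group(1) in SUSPECT_BRACKETED:
            hits.append((int(pid), comm.strip()))
    return hits


def scan(proc_net_raw: str, ps_output: str) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for proto in sorted(raw_listener_protocols(proc_net_raw) & SUSPECT_PROTOCOLS):
        findings.append(f"raw socket open on IP protocol {proto}")
    for pid, comm in bracketed_impostors(ps_output):
        findings.append(f"pid {pid} runs as {comm}, but mingetty is not a kernel thread")
    return findings
```

On a live host, feed `open("/proc/net/raw").read()` and the output of `ps -eo pid,user,comm` to `scan()`; an empty list means neither indicator is present.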
At present it appears that the above detection metrics and the details below represent all of the important features of the binary. It is possible that additional actions are built in, and there are a few clues that this binary may be an experiment that includes additional control or propagation facilities.
Probably the strongest evidence against this possibility is the apparent fact that, outside of the Honeynet Project and its release in the Reverse Challenge, there are no known reports of this code having actually propagated in the wild.
Because it runs with root privilege (and needs to in order to open the raw, low-numbered socket), the remote attacker can probably obtain complete control of compromised systems.
There seem to be a few flaws in the code (or possibly additional capabilities). While sending various experimental control data to the binary, there were several occasions when the binary forked a new process which listened on a raw socket on protocol 255 (IANA reserved). This process never seemed to read the data sent to it. Also, while the binary takes care to encode its command replies, a portion of the plaintext command results is replicated in the tail end of the reply packets. This may simply be the result of reuse of a data buffer.
This malware has the appearance of containing experimental facilities for more advanced or virulent propagation. While no such facilities were observed in practice, they may be suggested by the use of what appears to be a command byte in the network data. Incoming data provided by the Honeynet Project uses the byte "0x02", while outgoing data, both provided by the challenge and observed in practice, uses the byte "0x03".
Further details may be found at analysis.html
Copyright © 2002 FW Systems LLC, All Rights Reserved