Advisory
Honeypot University
Security Incident 0001 - TECHNICAL ADVISORY
May 31, 2002
netsecurity@honeyp.edu
We recently discovered a malicious binary on one of the honeyp.edu hosts. The binary is a statically linked C executable that appears to be an agent node in a Distributed Denial of Service (DDoS) scheme. We assume the binary was deposited after a root compromise achieved with other tools; it contains no exploit of its own.
Obviously, source code was not available, so we resorted to reverse-engineering techniques. Here are the defining characteristics of the binary we were able to determine:
- Binary name: the-binary
- Programming language: C
- Capabilities:
- Opens a remote root shell (csh) for incoming connections on port 23281
- Coordinates with other node agents (the first "D" in DDoS)
- IP spoofing of source addresses in attack traffic
- DNS query floods
- SYN floods
- Windows IP fragmentation attack (i.e. Jolt2)
- Category of malware: DDoS (agent node)
- Communication protocol: Network Voice Protocol (NVP), IP protocol number 11, which carries no legitimate traffic on a modern network
- Masquerading: presents itself to the 'ps' command as a mingetty process
- Control mechanism: custom raw IP packets whose payload is encrypted and which are sent with the NVP protocol number so they do not appear as TCP or UDP traffic
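Because genuine NVP traffic is essentially nonexistent, the simplest network-side check for this agent is to flag any IPv4 packet with protocol number 11, and separately any TCP SYN aimed at the backdoor shell port. The following detector is an added example written for this advisory, not code recovered from the binary. It assumes the shell port is TCP (the advisory names only the port), parses raw IPv4/TCP headers without external libraries, and runs against a few constructed packets rather than traffic captured at honeyp.edu; the control-packet payload used here is arbitrary filler, not the agent's real encoding.

```python
import struct

# IANA protocol number 11 is NVP-II (Network Voice Protocol). The agent
# hides its control channel behind this number; nothing else should use it.
IPPROTO_NVP = 11
IPPROTO_TCP = 6
SHELL_PORT = 23281          # backdoor root-shell port named in the advisory (assumed TCP)
TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20:
        return None
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    payload = pkt[ihl:total_len] if total_len >= ihl else pkt[ihl:]
    return src, dst, proto, payload


def classify(pkt):
    """Label one packet: 'nvp-control', 'shell-syn', or None when unremarkable."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    _, _, proto, payload = parsed
    if proto == IPPROTO_NVP:
        return "nvp-control"
    if proto == IPPROTO_TCP and len(payload) >= 14:
        dport = struct.unpack("!H", payload[2:4])[0]
        flags = payload[13]          # TCP flags byte sits at offset 13 of the TCP header
        if dport == SHELL_PORT and (flags & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            return "shell-syn"       # a fresh connection attempt to the backdoor
    return None


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (no options, checksum left zero) for constructed test traffic."""
    total = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header with the given flags (checksum zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample traffic (not a capture from honeyp.edu):
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.9", IPPROTO_NVP, b"\x02" + b"\x17" * 31),    # fake control packet
    build_ipv4("10.0.0.7", "10.0.0.9", IPPROTO_TCP, build_tcp(40000, SHELL_PORT, TCP_SYN)),
    build_ipv4("10.0.0.7", "10.0.0.9", IPPROTO_TCP, build_tcp(40001, 80, TCP_SYN)),  # ordinary web SYN
    build_ipv4("10.0.0.9", "10.0.0.7", IPPROTO_TCP, build_tcp(SHELL_PORT, 40000, TCP_SYN | TCP_ACK)),
]


def scan(packets):
    """Return (index, src, dst, label) for every packet the detector flags."""
    hits = []
    for i, pkt in enumerate(packets):
        label = classify(pkt)
        if label:
            src, dst, _, _ = parse_ipv4(pkt)
            hits.append((i, src, dst, label))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print("packet %d %s -> %s: %s" % hit)
```

The same two conditions translate directly into a firewall or IDS rule (drop or alert on IP protocol 11; alert on SYN to port 23281). Matching on protocol number rather than on payload bytes is deliberate: the payload is encrypted, so a content signature would be fragile, while the protocol number cannot be hidden without changing how the agent receives commands.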
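The mingetty disguise only fools tools that trust the process name. On Linux the name shown by 'ps' comes from what the process put in argv[0], whereas /proc/<pid>/exe links to the file that was actually executed, and /proc/<pid>/fd shows whether the process holds network sockets, which a real getty never does. The host-side check below is an added example for this advisory, not a tool we used during the analysis. It assumes a genuine mingetty lives at /sbin/mingetty; the fixture it builds under a temporary directory is constructed sample data standing in for /proc.

```python
import os
import re
import tempfile

# Assumption for this example (not stated in the advisory): the real getty
# binary is /sbin/mingetty and it never owns a network socket.
GENUINE_EXE = "/sbin/mingetty"
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def process_name(proc_dir, pid):
    """Name as 'ps' reports it: the 'Name:' line of /proc/<pid>/status."""
    try:
        with open(os.path.join(proc_dir, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Name:"):
                    return line.split(":", 1)[1].strip()
    except OSError:
        pass
    return None


def real_exe(proc_dir, pid):
    """Target of the /proc/<pid>/exe link; argv[0] cannot forge this."""
    try:
        return os.readlink(os.path.join(proc_dir, str(pid), "exe"))
    except OSError:
        return None            # e.g. permission denied when not root


def open_sockets(proc_dir, pid):
    """Count fds that are sockets; a getty should have none."""
    fd_dir = os.path.join(proc_dir, str(pid), "fd")
    count = 0
    try:
        for fd in os.listdir(fd_dir):
            try:
                if SOCKET_LINK.match(os.readlink(os.path.join(fd_dir, fd))):
                    count += 1
            except OSError:
                continue
    except OSError:
        pass
    return count


def find_fake_gettys(proc_dir="/proc", name="mingetty"):
    """Return [(pid, reason)] for processes calling themselves mingetty but not behaving like one."""
    suspects = []
    for entry in sorted(os.listdir(proc_dir), key=lambda e: int(e) if e.isdigit() else -1):
        if not entry.isdigit():
            continue
        pid = int(entry)
        if process_name(proc_dir, pid) != name:
            continue
        exe = real_exe(proc_dir, pid)
        if exe is not None and exe.split(" (deleted)")[0] != GENUINE_EXE:
            suspects.append((pid, "exe is %s" % exe))
            continue
        n = open_sockets(proc_dir, pid)
        if n:
            suspects.append((pid, "%d open socket(s)" % n))
    return suspects


def make_sample_proc():
    """Constructed /proc look-alike: one honest getty, one impostor, one socket-holding getty, one shell."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    entries = {
        100: ("mingetty", GENUINE_EXE, {"0": "/dev/tty1"}),
        200: ("mingetty", "/tmp/the-binary", {"3": "socket:[12345]"}),   # argv[0] forged
        300: ("bash", "/bin/bash", {"0": "/dev/pts/0"}),
        400: ("mingetty", GENUINE_EXE, {"4": "socket:[67890]"}),           # right path, wrong behaviour
    }
    for pid, (name, exe, fds) in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "status"), "w") as f:
            f.write("Name:\t%s\nState:\tS (sleeping)\n" % name)
        os.symlink(exe, os.path.join(d, "exe"))
        for fd, target in fds.items():
            os.symlink(target, os.path.join(d, "fd", fd))
    return root


if __name__ == "__main__":
    for pid, reason in find_fake_gettys():
        print("pid %d looks like a fake mingetty: %s" % (pid, reason))
```

Run as root so the exe and fd links of root-owned processes are readable; an unprivileged run silently skips both checks for such processes. A binary that has been unlinked after starting still shows up, since the exe link then ends in " (deleted)" and is compared after that suffix is stripped.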