Executive summary

Overview

HoneyPot University has engaged Secway SARL to analyze a binary file found on one of its compromised systems.

This binary turns out to be a program of the kind known as a “backdoor”. Backdoors are widely used malicious programs, usually installed on already compromised systems to give the intruder easier access later (remote access, or local privilege escalation). Instead of having to regain control of the machine by potentially difficult or noisy methods, the cracker uses the backdoor to perform actions remotely or locally with little effort, such as executing commands or relaying to other computer systems. Other usual functionalities include Denial of Service attacks launched from the compromised hosts.

In our case, the backdoor is a Linux backdoor, meaning it is aimed at subverting compromised Linux-based systems. We have no evidence of it, but since no Linux-specific mechanism is used, we can suppose that this tool can be or has been ported to other Unix-like operating systems.

In the following paragraphs we describe the main features of this backdoor, then discuss the threats it poses to the HoneyPot University security policy, and finally how to detect and defend against it or similar backdoors.

Key features

·        Generic features

Hiding and anti-debugging

When run, the backdoor hides itself by changing its program name to that of a standard Linux program, so that it does not stand out in a process listing. It also contains several tricks that make reverse engineering more difficult, though we do not know whether they are deliberate or the result of sloppy coding by the author; we lean toward the second explanation.

·        Network features

Remote operation

The main feature of this backdoor is that it can be remotely triggered by network events. Those events are special IP packets that are not normally found in the wild, and thus can be spotted relatively easily on the network. This remote operation works in a client-server fashion, the server being the compromised system and the client the computer cracker who installed the backdoor. Packets sent to the backdoor are orders telling it to take some action, depending on the content of the packet.

Automatic decoys generation

The backdoor can generate network noise (decoy packets) to conceal real backdoor packets among many decoys. These decoys are sent to eight random IP addresses, to make network analysis harder. This feature can be turned off remotely.

Raw-level network operations

The backdoor works at the “raw socket” level, meaning that it captures and sends packets directly at the IP layer, bypassing the kernel's TCP and UDP implementations. This allows it both to craft arbitrary network packets and to receive data without opening any TCP or UDP port, so nothing shows up in a netstat listing of listening ports. Note, however, that a raw socket is itself visible to an administrator on the compromised host (on Linux, in /proc/net/raw), and that opening one requires root privileges (CAP_NET_RAW), so the backdoor must be running as root.

Spoofed source addresses

Because of the previous feature, the client can send forged IP packets to the compromised system. The source IP address of those packets can be forged; the only field that has to be valid is the destination address (that of the compromised system). Responses, however, have to be sent to a real address if the cracker wants to receive them. A consequence for the defender is that the source address of a command packet says nothing about where the cracker actually is, so filtering or attribution based on it is unreliable.

Basic content encryption

The backdoor obfuscates its network traffic with a simple byte shuffle and arithmetic transform, which makes content analysis harder. This is obfuscation rather than real encryption: the transform is part of the binary, so anyone who has analyzed the binary can decode captured traffic.

·        Remote functionalities

NOTE: we do not describe all functions here; we only describe the main functionalities offered by the backdoor. Please refer to the technical advisory for a comprehensive list of remote functions.

Remote commands execution, “blind” version

The client can order the backdoor to execute commands on the compromised system without caring about the result of the command. This can for example be used to destroy the infected system, or to launch Denial of Service attacks against other systems.

Remote commands execution, “non-blind” version

The client can order the backdoor to launch a command on the compromised system and send the command's output back to the client in network packets.

Remote “kill”

The client can remotely order the backdoor to terminate parts or all of itself.

Remote commands execution, “bindshell” version

The client can order the backdoor to “bind a shell” on a hardcoded TCP port (23281). Access to this shell is then password-protected, the password (SeNiF) also being hardcoded in the binary. This functionality is aimed at executing interactive commands on the target machine. Since both the port and the password are hardcoded, anyone who has analyzed the binary (not only the original cracker) can use the shell; conversely, a listening TCP port 23281 is a simple indicator to look for.
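Two host-side checks that follow from the “Hiding and anti-debugging” and “bindshell” descriptions above, as an added example written for this summary (it is not code from the original report nor from the backdoor): a process whose advertised name (argv[0]) does not match the executable it actually runs, and a TCP listener on the hardcoded bindshell port 23281. The sample process name, executable path and /proc/net/tcp excerpt are constructed; only the port number comes from the report.

```python
"""Host-side indicators: renamed processes (argv[0] != real executable) and
a LISTEN socket on TCP 23281, read from the Linux /proc filesystem.
Added example; sample data below is constructed."""
import os
from pathlib import Path

BINDSHELL_PORT = 23281          # hardcoded port from the report
TCP_LISTEN = "0A"               # socket state code used by /proc/net/tcp


def argv0_mismatch(cmdline: bytes, exe_path: str) -> bool:
    """True when the name a process shows in `ps` (argv[0]) is not the basename
    of the binary it runs. /proc/<pid>/cmdline is NUL-separated; a login-shell
    dash prefix and kernel-thread style brackets ("[kflushd]") are ignored."""
    if not cmdline or not exe_path:
        return False
    argv0 = cmdline.split(b"\0", 1)[0].decode("utf-8", "replace")
    shown = os.path.basename(argv0).lstrip("-").strip("[]")
    actual = os.path.basename(exe_path)
    if actual.endswith(" (deleted)"):    # binary removed after launch
        actual = actual[: -len(" (deleted)")]
    return shown != actual


def listeners_on_port(proc_net_tcp: str, port: int = BINDSHELL_PORT) -> list:
    """Return the socket inodes of LISTEN sockets bound to `port`, parsed from
    the text of /proc/net/tcp (local address is hex "IP:PORT")."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        if local_port == port:
            hits.append(fields[9])
    return hits


def scan_live_host() -> dict:
    """Run both checks against the running system (Linux only)."""
    renamed = []
    for pid_dir in Path("/proc").iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            cmdline = (pid_dir / "cmdline").read_bytes()
            exe = os.readlink(pid_dir / "exe")
        except OSError:                 # kernel threads, vanished or foreign processes
            continue
        if argv0_mismatch(cmdline, exe):
            renamed.append((int(pid_dir.name), cmdline.split(b"\0", 1)[0], exe))
    try:
        tcp = Path("/proc/net/tcp").read_text()
    except OSError:
        tcp = ""
    return {"renamed": renamed, "bindshell_inodes": listeners_on_port(tcp)}


# Constructed sample: a binary in /tmp calling itself "[httpd]", and a
# /proc/net/tcp excerpt with one LISTEN socket on 23281 (0x5AF1).
SAMPLE_CMDLINE = b"[httpd]\0"
SAMPLE_EXE = "/tmp/.x/the-binary"
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 00000000:5AF1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:0016 0A000201:C35A 01 00000000:00000000 00:00000000 00000000     0        0 9003 1 0000000000000000 20 4 29 10 -1
"""

if __name__ == "__main__":
    print("renamed:", argv0_mismatch(SAMPLE_CMDLINE, SAMPLE_EXE))
    print("bindshell inodes:", listeners_on_port(SAMPLE_PROC_NET_TCP))
```

Running `scan_live_host()` on a real machine will also flag benign cases such as interpreters started through a versioned symlink (argv[0] `python3`, executable `python3.11`), so its output is a list of processes to inspect by hand, not a verdict. The inode returned for the port can be matched against `/proc/<pid>/fd` to find the owning process.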

“DNS Reflector” Denial of Service attack

The client can order the backdoor to launch a Denial of Service attack against any target. The type of attack involved here is known as “UDP DNS Reflection”: DNS queries whose source address is forged to be the victim's are sent to third-party DNS servers, whose replies then flood the victim.

“TCP SYN Flood” Denial of Service attack

The client can order the backdoor to launch a Denial of Service attack against any target. The type of attack involved here is known as “TCP SYN Flood”: the target is flooded with TCP connection requests (SYN packets), typically with forged source addresses, so that its connection table fills up with half-open connections.

Other functions, unidentified

The backdoor contains several other remotely callable functions, which we have not identified for lack of analysis time. Most of them are probably related to other Denial of Service attacks.

We estimate that one more day of analysis would suffice to fully understand the remaining parts we could not cover in the allotted time.

Threats

We rate this backdoor as a medium-risk threat: to our knowledge, it is not in wide circulation. Below we list all the threats we can see arising from it.

·        Root causes of the break-in

First, it is obvious but nonetheless important to recall that this binary was found on a compromised system. Understanding how the system was compromised in the first place is also an important part of the incident handling work. A compromise through a known attack would point to problems in the day-to-day enforcement of the HoneyPot security policy; a compromise through an unknown vulnerability would indicate that HoneyPot University is a valuable target to someone, and an investigation should be launched to find out exactly why and by whom.

·        Possibly more backdoored systems

As we saw in the Features paragraph, the backdoor tries to hide itself in several ways. It is thus possible that other instances are already running on other university systems without anyone knowing about it.

·        Attacks relayed from HoneyPot University

As always in computer break-ins, it is important to understand that even if the compromised system itself was not important, the intrusion becomes very important if the cracker uses the system as a base for attacking others. Leaving known compromised systems on the network can be disastrous for the reputation of HoneyPot University, and can involve it in legal trouble, such as being named in intrusion cases.

·        MEDIUM/HIGH RISK Network traffic and Denial of Service threat

The backdoor has the native ability to launch Denial of Service attacks against any host specified by the client. The cracker can thus launch such attacks from HoneyPot University, consuming the university's network and computing resources for malicious ends. Beyond the resource consumption, this carries a high risk of legal and public relations trouble, since the university's systems would appear as the source of the Denial of Service attacks.

Similar Denial of Service attacks have in the past been launched successfully against major Web sites on the Internet, causing significant damage such as lost revenue. This tool can potentially be used to conduct such wide-scale attacks.

(side effect) As detailed in the “Features” part of this document, the backdoor sends decoy packets to random locations on the Internet; more precisely, eight decoys are sent for each real packet. This raises two problems:

-         the backdoor could be used as a traffic amplifier by malicious users, the decoy functionality turning one incoming packet into eight outgoing ones from the compromised system;

-         the decoys could randomly reach real locations on the Internet, possibly triggering alarms at the remote side and involving HoneyPot University in an unwanted matter.

Actions to be taken

IMPORTANT NOTE: as stated above, we rate this backdoor as a medium-risk threat; to our knowledge, it is not in wide circulation.

Considering the two previous parts of this document, we recommend that the following actions be taken immediately (in order of priority):

·        Follow the standard HoneyPot University rules for a break-in

Depending on the security policy (which we did not have access to at the time of writing this document), this can include unplugging the compromised system from the network and reporting the break-in to law enforcement agencies. Whatever the policy says, the system should be preserved as evidence (disk image, and memory if possible) before it is cleaned or reinstalled.

·        Scan the whole HoneyPot University network for such backdoors

A scanning program that remotely determines whether the backdoor is installed on a target system can be developed in-house with relatively little effort, given the technical specifications described in this report. We recommend that the network staff scan the whole university network (including student machines if possible; see the legal department).

·        Install signatures to detect attempts to use this backdoor

Signatures can be deployed on network intrusion detection systems (NIDS) to detect attempts to use the backdoor. They would catch attempts to contact the compromised system again, as well as attempts to contact other backdoors on the network.

·        Install network filtering

Incoming commands to the backdoor can be blocked by filtering the backdoor's traffic at the network border. Since command packets can carry forged source addresses, the filter must match the packets themselves (the unusual IP traffic described under “Remote operation”) rather than rely on source addresses.

The Denial of Service part of the tool can also be made less harmful by anti-spoofing (“ingress/egress”) filtering at the main network border points: outbound packets whose source address does not belong to the university are dropped, so that forged-source floods cannot leave the campus, and inbound packets claiming a university source address are dropped as well.
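Network-side checks for the behaviour described under “Remote operation”, “Automatic decoys generation” and “Spoofed source addresses”, and for the filtering recommended just above, as an added example written for this summary (not code from the report, the backdoor or any NIDS product): an IPv4 header parser with checksum verification, a “rare protocol” heuristic that stands in for a real signature (this summary does not give the IP protocol number or payload format the backdoor uses, so protocol 253, an experimental value, is an assumption), a decoy-burst heuristic built on the eight-decoys-per-packet figure, and the anti-spoofing border filter. The university prefix and all packets are constructed from documentation address ranges.

```python
"""Network-side indicators and border filtering for the backdoor described in
the report. Added example; protocol number, prefixes and packets are assumed."""
import ipaddress
import struct
from collections import defaultdict

COMMON_PROTOCOLS = {1, 6, 17}                        # ICMP, TCP, UDP
DECOY_COUNT = 8                                      # decoys per real packet, per the report
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # assumed university address space


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Craft a minimal IPv4 packet (no options) with a valid header checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header; rejects truncated or non-v4 input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "proto": proto,
            "ttl": ttl, "payload": packet[ihl:total_len],
            "checksum_ok": _checksum(packet[:ihl]) == 0}   # header sums to zero when intact


def unusual_protocol(pkt: dict) -> bool:
    """Heuristic: anything that is not ICMP/TCP/UDP is worth a look on an edge link."""
    return pkt["proto"] not in COMMON_PROTOCOLS


def decoy_bursts(pkts: list, threshold: int = DECOY_COUNT) -> dict:
    """Sources that sent unusual-protocol packets to at least `threshold` distinct
    destinations: the pattern one real packet plus its eight decoys produces."""
    dsts = defaultdict(set)
    for p in pkts:
        if unusual_protocol(p):
            dsts[p["src"]].add(p["dst"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}


def border_verdict(pkt: dict, direction: str) -> str:
    """Anti-spoofing filter: outbound packets must carry a local source, inbound
    packets must not. There is deliberately no source-based rule for the command
    channel, since the cracker can forge that field."""
    local = any(pkt["src"] in net for net in LOCAL_PREFIXES)
    if direction == "out":
        return "accept" if local else "drop"
    if direction == "in":
        return "drop" if local else "accept"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed traffic: a command-like packet with an uncommon protocol number
# (253 stands in for whatever the real tool uses), eight decoys sent by the
# compromised host, and a forged-source SYN-flood packet trying to leave campus.
COMMAND = build_ipv4("198.51.100.7", "192.0.2.10", 253, b"\x01opaque-command")
DECOYS = [build_ipv4("192.0.2.10", f"203.0.113.{i}", 253, b"noise") for i in range(1, 9)]
SPOOFED_SYN = build_ipv4("203.0.113.99", "198.51.100.1", 6, b"\x00\x50\x00\x50" + b"\0" * 16)

if __name__ == "__main__":
    p = parse_ipv4(COMMAND)
    print("command packet unusual:", unusual_protocol(p), "checksum ok:", p["checksum_ok"])
    print("decoy bursts:", decoy_bursts([parse_ipv4(d) for d in DECOYS]))
    print("spoofed SYN leaving campus:", border_verdict(parse_ipv4(SPOOFED_SYN), "out"))
```

The rare-protocol heuristic is only a placeholder for a signature derived from the full technical advisory; a real NIDS rule would match the protocol number and the obfuscated payload layout. The border filter is the packet-level form of the anti-spoofing recommendation: it cannot stop the backdoor from receiving forged commands, but it keeps forged-source floods from leaving the university and denies outsiders the ability to impersonate university hosts.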