Technical Advisory: new attack tool: Grand Nagus

A new DDoS agent program has been found in the wild and reverse engineered as part of a challenge from the Honeynet project.

The program provides a weakly encrypted back channel and implements basic UDP, ICMP and SYN floods and also a new indirect attack abusing public DNS servers. The agent can be configured using the back channel even with spoofed packets with wrong source IP, and it can send the answer to 10 hosts to provide some deniability. This makes tracing the controller of the agent hard.

The control channel uses IP packets with the IP protocol set to 11. 11 is not a well-known IP protocol and can be safely dropped at the firewall, thus disabling the control channel.

The control channel is encrypted using a trivial algorithm involving adding 23 and the previous character in the string. Once the agent is running, it can also be used to run arbitrary shell commands on the host. The agent sets its argv[0] to "[mingetty]" to avoid detection. It can be identified using lsof (a mingetty with an open raw socket) or strace -p (mingetty blocks in read, this binary blocks in recv).

ISPs can install an egress filter (block outgoing traffic with a source IP outside of their own address range) to make the agent much less useful as attack weapon. Agents on the machines of their users can only launch attacks against other users of the same ISP then.

The binary we found has a size of 205108 bytes and an MD5 checksum of 1d726de4f7fe7e580c8fad4b3e4703f6.