Identify and explain the purpose of the binary.

It's a backdoor and DoS program. It lets an attacker take control of the remote box using raw IP packets and launch DoS attacks from it.

Identify and explain the different features of the binary. What are its capabilities?

The process hides itself by changing its name to [mingetty]. It is controlled over the Internet; there are 12 functions:

 1      Get status / current attack number
 2      Set the client IP address for network replies, with or without decoy (fake) addresses
 3      Remote command execution, output redirected to the client
 4, 9   DNS queries to servers
 5      ICMP or UDP flood with fragmented packets
 6      Bind a TCP shell on port 23281, protected by the password "SeNiF"
 7      Blind remote command execution
 8      Stop attack (4-6, 9-12)
10, 11  TCP SYN flood
12      DNS flood

Only one attack can run at a time.
Network control data is encoded.

The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it

The encoding/decoding process:

/* Decoder: each encoded byte carries the plaintext byte, the previous encoded
   byte and the constant 0x17. Walking backwards lets src and dst be the same buffer. */
void decrypt(const unsigned char *src, unsigned char *dst, const int len)
{
  int i;
  for (i = len - 1; i > 0; i--)
    dst[i] = src[i] - src[i - 1] - 0x17;
  dst[0] = src[0] - 0x17;
}

/* Encoder: running sum of the previous encoded byte, the current plaintext byte
   and 0x17, reduced modulo 256 by the unsigned char assignment. */
void encrypt(const unsigned char *src, unsigned char *dst, const int len)
{
  int i;
  dst[0] = src[0] + 0x17;
  for (i = 1; i < len; i++)
    dst[i] = dst[i - 1] + src[i] + 0x17;
}

Network protocol

The IP protocol of a control packet must be 0x0B (11, NVP). The packet size must be bigger than 200 bytes (including the 20-byte IP header).

Offset in IP data   Data
1                   2: Request
                    3: Reply
3                   Encoded request/reply data
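The decoder the question asks for, written here as an added example (it is not the page's code nor the author's libpcap tool): it applies the decoding rule and the packet layout above to a raw IPv4 packet and checks the result against a constructed function-2 request. The names parse_control and selftest are chosen here; the protocol and size checks are the same generic signal the detection question below relies on.

```c
#include <stdint.h>
#include <string.h>
#define CTRL_PROTO 0x0B   /* IP protocol 11 (NVP): the control channel of the-binary */

/* Inverse of the page's scheme, enc[i] = enc[i-1] + plain[i] + 0x17; walking
   backwards makes it safe to decode in place (src == dst). */
static void decode(const uint8_t *src, uint8_t *dst, int len)
{
    for (int i = len - 1; i > 0; i--)
        dst[i] = (uint8_t)(src[i] - src[i - 1] - 0x17);
    dst[0] = (uint8_t)(src[0] - 0x17);
}

static void encode(const uint8_t *src, uint8_t *dst, int len)
{
    dst[0] = (uint8_t)(src[0] + 0x17);
    for (int i = 1; i < len; i++)
        dst[i] = (uint8_t)(dst[i - 1] + src[i] + 0x17);
}

/* Parse one raw IPv4 packet (no link layer) using the page's 1-based offsets:
   IP data byte 1 = 2 (request) / 3 (reply), encoded data from IP data byte 3,
   decoded byte 1 = function number. Returns it, or -1 if not a control packet. */
int parse_control(const uint8_t *pkt, int pktlen, int *kind, uint8_t *out, int outlen)
{
    if (pktlen <= 200 || (pkt[0] >> 4) != 4) return -1;   /* size rule incl. IP header */
    int ihl = (pkt[0] & 0x0F) * 4;
    if (ihl < 20 || pkt[9] != CTRL_PROTO) return -1;
    const uint8_t *data = pkt + ihl;
    if (data[0] != 2 && data[0] != 3) return -1;
    *kind = data[0];
    int n = pktlen - ihl - 2;
    if (n < 1 || outlen < 1) return -1;
    if (n > outlen) n = outlen;
    decode(data + 2, out, n);
    return out[0];
}
/* Constructed test vector: a 220-byte function-2 request (set reply address,
   mode 0, address 10.0.0.7), as a capture of the control channel would show it. */
int selftest(void)
{
    uint8_t pkt[220] = {0x45}, dec[32], plain[6] = {2, 0, 10, 0, 0, 7};
    int kind;
    pkt[9] = CTRL_PROTO; pkt[20] = 2;                       /* protocol 11, request marker */
    encode(plain, pkt + 22, 6);                             /* encoded data at IP data byte 3 */
    if (parse_control(pkt, 220, &kind, dec, sizeof dec) != 2 || kind != 2) return 0;
    if (memcmp(dec, plain, 6) != 0) return 0;
    pkt[9] = 0x11;                                          /* same bytes over UDP: ignored */
    return parse_control(pkt, 220, &kind, dec, sizeof dec) == -1;
}
```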


1 - Get Status/Current attack number

Request packet format: the request data contains only the function number.

Offset in decoded data   Data
1                        1 (function number)

Reply packet format:

Offset in decoded data   Data
1                        1
3                        ==0: not working
                         !=0: working
4                        if working, current command/attack number

Use function 2 to configure where the reply must be sent.

2 - Set the client IP address for network replies, with or without decoy (fake) addresses

Request:

Offset in decoded data   Data
1                        2
2                        ==0: send results only to this address
                         ==2: send results to this address and to another one
                         other: send results to this address and to 9 random hosts
3-6                      Hacker address

3 - Remote command execution where output is redirected to client

Request:

Offset in decoded data   Data
1                        3
2-                       command (stripped)

Reply:

Offset in decoded data   Data
1                        3 (first packet)
                         5 (next packets)
2-400                    command output
401                      garbage

Use function 2 to configure where the reply must be sent.

4 - DNS queries of servers

Request:

Offset in decoded data   Data
1                        4
2-5                      IP source
6-7                      UDP source port
8                        !=0: use the following name for the IP source
9-                       source name

The DNS server list is hard-coded in the-binary, as are the 10 DNS queries.

5 - ICMP or UDP flood with fragmented packet

The ICMP packets have the structure of an ICMP echo request, but because the IP fragment offset is set (the packet is marked as a fragment), the data is not interpreted as an ICMP header.

Request:

Offset in decoded data   Data
1                        5
2                        ==0: ICMP
                         !=0: UDP
3                        UDP source port
4-7                      IP source
8-11                     IP destination
12                       !=0: use the following name for the IP destination
13-                      destination name

6 - Bind a TCP shell

Request:

Offset in decoded data   Data
1                        6

To connect, telnet on port 23281 and enter the password "SeNiF".

7 - Blind remote command execution

Request:

Offset in decoded data   Data
1                        7
2-                       command string

8 - Stop attack (4-6,9-12)

Request:

Offset in decoded data   Data
1                        8

9 - DNS queries of random servers

Request:

Offset in decoded data   Data
1                        9
2-5                      IP source
6                        foo
7-8                      UDP source port
9                        !=0: use the following name for the IP source
10-                      source name

Function 4 is equivalent to function 9 with foo=0.

10 - TCP Syn flood

Request:

Offset in decoded data   Data
1                        10
2-5                      IP source
6-7                      TCP destination port
8                        ==0: use IP source
                         !=0: random IP source
9-12                     IP destination
13                       ==0: use IP destination
                         !=0: use the following name for the IP destination
14-                      destination name

11 - TCP Syn flood

Request:

Offset in decoded data   Data
1                        11
2-5                      IP source
6-7                      TCP destination port
8                        ==0: use IP source
                         !=0: random IP source
9-12                     IP destination
13                       foo
14                       ==0: use IP destination
                         !=0: use the following name for the IP destination
15-                      destination name

Function 10 is equivalent to function 11 with foo=0.

12 - DNS flood

Request:

Offset in decoded data   Data
1                        12
2-5                      IP destination
6-9                      IP source
10                       foo
11-12                    UDP source port
13                       ==0: use IP source
                         !=0: use the following name for the IP source
14-                      source name

A C source using libpcap to analyse the network traffic between the hacker and this program can be found here. To send commands to the-binary, this tool can be used.

Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.

This network traffic can be detected because it uses an unusual IP protocol (protocol 11, 0x0B, Network Voice Protocol). Usual traffic is TCP, UDP and ICMP, and sometimes IGMP. Analysis of firewall logs can be useful to detect this traffic if it is forbidden traffic. Statistical analysis (RRDtool, NetFlow; see "DDoS detection" in Protecting your IP Network Infrastructure) can be useful to detect the DoS or this traffic.

Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

The binary is statically linked, symbol information is stripped, and it displays no usage or other information.

It's difficult to debug a program using fork. I have patched the binary to remove some calls to fork (replaced by a xor %eax,%eax and some nops); it then becomes easy to put breakpoints with gdb and analyze the file.

Identify two tools in the past that have demonstrated similar functionality.

Q by Mixter
Trinoo: http://staff.washington.edu/dittrich/misc/trinoo.analysis
TFN (Tribe Flood Network): http://staff.washington.edu/dittrich/misc/tfn.analysis

What kind of information can be derived about the person who developed this tool? For example, what is their skill level?

The tool the-binary looks like a patchwork of different functions (copy/paste...). DNS resolution could be done in the client; there is no reason to do it in the server. Some parameters have no effect (see the foo variable). The author seems to have limited programming skills.

I didn't find the meaning of the password SeNiF.

What advancements in tools with similar purposes can we expect in the future?

Modern DDoS tools support parallel attacks. The telnet backdoor can be improved: it would be interesting to be able to choose the TCP port and to encrypt the traffic. Data can be encrypted with strong cryptography (RC4, Twofish...). A reverse shell function is missing, and a remote update/file transfer function could be added too.