It's a backdoor and DoS program. It allows taking control of the remote box using raw IP packets and launching DoS attacks. The process hides itself by changing its name to [mingetty]. It can be controlled over the Internet; there are 12 functions:
| Function | Description |
| --- | --- |
| 1 | Get status / current attack number |
| 2 | Set client IP address for network responses, with or without a fake IP |
| 3 | Remote command execution, output redirected to the client |
| 4, 9 | DNS queries of servers |
| 5 | ICMP or UDP flood with fragmented packets |
| 6 | Bind a TCP shell on port 23281, protected with the password "SeNiF" |
| 7 | Blind remote command execution |
| 8 | Stop attack (4-6, 9-12) |
| 10, 11 | TCP SYN flood |
| 12 | DNS flood |
Only one attack can run at a time.
Network control data are encoded; the encoding and decoding routines are:

```c
/* Decode len bytes: each plaintext byte is the difference of two consecutive
   encoded bytes minus 0x17 (unsigned char arithmetic, i.e. modulo 256).
   The loop runs backwards so that src and dst may alias. */
void decrypt(const unsigned char *src, unsigned char *dst, const int len)
{
    int i;
    for (i = len - 1; i > 0; i--)
        dst[i] = src[i] - src[i - 1] - 0x17;
    dst[0] = src[0] - 0x17;
}

/* Encode len bytes: a running sum of the plaintext bytes, adding 0x17 per byte. */
void encrypt(const unsigned char *src, unsigned char *dst, const int len)
{
    int i;
    dst[0] = src[0] + 0x17;
    for (i = 1; i < len; i++)
        dst[i] = dst[i - 1] + src[i] + 0x17;
}
```
The IP protocol of a control packet must be 0x0B (NVP). The packet size must be bigger than 200 bytes (including the 20-byte IP header).

| Offset in IP data | Data |
| --- | --- |
| 01 | 2: request, 3: reply |
| 03 | Encoded request/reply data |
Function 1 (get status). Request packet format: the request data contains only the function number.

| Offset in decoded data | Data |
| --- | --- |
| 01 | 1 |

Reply packet format:

| Offset in decoded data | Data |
| --- | --- |
| 01 | 1 |
| 03 | ==0 not working, !=0 working |
| 04 | if working, current command/attack number |
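The following decoder is an added example for analysts working on captured traffic; it is not code from the original analysis or from the-binary itself. It ports the encrypt/decrypt routines above to Python, applies the packet checks described in the text (IP protocol 0x0B, total length above 200 bytes, request/reply flag at IP data offset 1, encoded data from offset 3) and, for a function 1 reply, extracts the working flag and current attack number. The helper `make_test_vector` builds constructed in-memory sample packets only so the parser can be exercised offline; the header fields it fills (zero checksum, zero ID, TTL 64) are assumptions for the test vectors, not something the page states about real traffic.

```python
# Added example (not from the original analysis): decode the-binary's control
# packets from raw IPv4 packet bytes, as captured by libpcap.
import struct

CONTROL_PROTO = 0x0B   # NVP, the IP protocol the backdoor listens for
MIN_PACKET_LEN = 201   # "bigger than 200 bytes", including the IP header
KEY_BYTE = 0x17        # additive constant used by encrypt()/decrypt()


def decrypt(src: bytes) -> bytes:
    """Port of the-binary's decrypt(): byte i of the plaintext is
    enc[i] - enc[i-1] - 0x17 (mod 256), and byte 0 is enc[0] - 0x17."""
    out = bytearray(len(src))
    for i in range(len(src) - 1, 0, -1):
        out[i] = (src[i] - src[i - 1] - KEY_BYTE) & 0xFF
    if src:
        out[0] = (src[0] - KEY_BYTE) & 0xFF
    return bytes(out)


def encrypt(src: bytes) -> bytes:
    """Port of encrypt(); used here only to build constructed test vectors."""
    out = bytearray(len(src))
    if src:
        out[0] = (src[0] + KEY_BYTE) & 0xFF
    for i in range(1, len(src)):
        out[i] = (out[i - 1] + src[i] + KEY_BYTE) & 0xFF
    return bytes(out)


def parse_control_packet(pkt: bytes):
    """Return a dict describing a control packet, or None when the packet
    does not satisfy the backdoor's protocol and size requirements."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != CONTROL_PROTO or len(pkt) < MIN_PACKET_LEN:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    data = pkt[ihl:]
    kind = {2: "request", 3: "reply"}.get(data[1], "unknown")
    decoded = decrypt(data[3:])
    info = {"src": src, "dst": dst, "kind": kind,
            "function": decoded[1], "decoded": decoded}
    if kind == "reply" and decoded[1] == 1:
        # Function 1 reply: offset 3 = working flag, offset 4 = attack number
        info["working"] = decoded[3] != 0
        info["attack"] = decoded[4] if decoded[3] else None
    return info


def make_test_vector(kind: int, decoded: bytes,
                     src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Constructed sample packet for exercising the parser (assumed header
    values: zero checksum and ID, TTL 64; padded to the minimum size)."""
    payload = bytearray(b"\x00" + bytes([kind]) + b"\x00") + encrypt(decoded)
    payload += b"\x00" * max(0, MIN_PACKET_LEN - 20 - len(payload))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      CONTROL_PROTO, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + bytes(payload)


if __name__ == "__main__":
    # A constructed function 1 request and a constructed "working, attack 5" reply
    print(parse_control_packet(make_test_vector(2, b"\x00\x01")))
    print(parse_control_packet(make_test_vector(3, b"\x00\x01\x00\x01\x05")))
```

When reading from a pcap, feed `parse_control_packet` the bytes starting at the IP header (after the link-layer header); packets in other IP protocols, or shorter than the backdoor's threshold, are simply reported as `None`.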
Function 2 (set client address). Use function 2 to configure where the reply must be sent.

Request:

| Offset in decoded data | Data |
| --- | --- |
| 01 | 2 |
| 02 | ==0 send results only to this address; ==2 send results to this address and another one; other values: send results to this address and to 9 random hosts |
| 03-06 | Hacker address |
Function 3 (remote command execution). Request:

| Offset in decoded data | Data |
| --- | --- |
| 01 | 3 |
| 02- | command stripped |

Reply:

| Offset in decoded data | Data |
| --- | --- |
| 01 | 3 (first packet), 5 (next packets) |
| 02-400 | command output |
| 401 | garbage |

Use function 2 to configure where the reply must be sent.
Function 4 (DNS queries). Request:

| Offset in decoded data | Data |
| --- | --- |
| 01 | 4 |
| 02-05 | IP source |
| 06-07 | UDP source port |
| 08 | !=0 use the following name for the IP source |
| 09 | source name |

The DNS server list is hard-coded in the-binary, and so are the 10 DNS queries.
Function 5 (ICMP or UDP flood). The ICMP packets have the structure of an ICMP echo request, but because the IP fragment offset is non-zero (the packet is fragmented), the data is not interpreted as an ICMP header.

Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 5 |
| 2 | ==0 ICMP, !=0 UDP |
| 3 | UDP source port |
| 4-7 | IP source |
| 8-11 | IP destination |
| 12 | !=0 use the following name for the IP destination |
| 13 | destination name |
Function 6 (bind TCP shell). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 6 |

To connect, telnet to port 23281 and enter the password "SeNiF".
Function 7 (blind remote command execution). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 7 |
| 2- | command string |
Function 8 (stop attack). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 8 |
Function 9 (DNS queries). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 9 |
| 2-5 | IP source |
| 6 | foo |
| 7-8 | UDP source port |
| 9 | !=0 use the following name for the IP source |
| 10- | source name |

Function 4 is equivalent to function 9 with foo=0.
Function 10 (TCP SYN flood). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 10 |
| 2-5 | IP source |
| 6-7 | TCP destination port |
| 8 | ==0 use IP source, !=0 random IP source |
| 9-12 | IP destination |
| 13 | ==0 use IP destination, !=0 use the following name for the IP destination |
| 14- | destination name |
Function 11 (TCP SYN flood). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 11 |
| 2-5 | IP source |
| 6-7 | TCP destination port |
| 8 | ==0 use IP source, !=0 random IP source |
| 9-12 | IP destination |
| 13 | foo |
| 14 | ==0 use IP destination, !=0 use the following name for the IP destination |
| 15- | destination name |

Function 10 is equivalent to function 11 with foo=0.
Function 12 (DNS flood). Request:

| Offset in decoded data | Data |
| --- | --- |
| 1 | 12 |
| 2-5 | IP destination |
| 6-9 | IP source |
| 10 | foo |
| 11-12 | UDP source port |
| 13 | ==0 use IP source, !=0 use the following name for the IP source |
| 14- | source name |
A C source using libpcap to analyse the network traffic between the hacker and this program can be found here. To send commands to the-binary, you can use this.
This network traffic can be detected because it uses an unusual IP protocol (11, i.e. 0x0B, Network Voice Protocol). Usual traffic is TCP, UDP and ICMP, and sometimes IGMP. Analysis of firewall logs can be useful to detect this traffic if it is forbidden traffic. Statistical analysis (RRDtool, NetFlow; see "DDoS detection" in "Protecting your IP Network Infrastructure") can be useful to detect the DoS or this control traffic.
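As an added example of the firewall-log analysis suggested above (not part of the original analysis), the script below triages iptables-LOG-style lines: it flags packets whose protocol is 11 (NVP) and whose length exceeds the backdoor's 200-byte threshold, and it counts every protocol outside the usual TCP/UDP/ICMP/IGMP set so that other oddities stand out too. The log lines are constructed for this example with documentation addresses; the field layout (`SRC=`, `DST=`, `LEN=`, `PROTO=`) is the one the Linux LOG target emits, and a numeric `PROTO=` value is what it prints for protocols it has no name for. The tcpdump expression is a capture-side equivalent (`greater` compares against the packet length).

```python
# Added example (not from the original analysis): spot the-binary's control
# traffic in firewall logs by its unusual IP protocol number and size.
import re

# Constructed iptables-LOG-style lines (not real captures).
SAMPLE_LOG = """\
Mar 10 02:11:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3111 DF PROTO=TCP SPT=41022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 02:11:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=240 TOS=0x00 PREC=0x00 TTL=52 ID=3112 PROTO=11
Mar 10 02:11:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 10 02:11:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=120 TOS=0x00 PREC=0x00 TTL=52 ID=3113 PROTO=11
"""

USUAL_PROTOCOLS = {"TCP", "UDP", "ICMP", "IGMP"}  # "usual traffic" per the analysis
CONTROL_PROTO = "11"        # 0x0B, NVP, as printed numerically by the LOG target
MIN_CONTROL_LEN = 201       # control packets are bigger than 200 bytes

# Capture-side equivalent for tcpdump/libpcap: IP protocol 11, length >= 201.
TCPDUMP_FILTER = "ip proto 11 and greater 201"

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line: str) -> dict:
    """Turn the KEY=VALUE pairs of a LOG-target line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_control_packets(log_text: str):
    """Return (src, dst, len) for every logged packet matching the
    backdoor's control-channel profile."""
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("PROTO") == CONTROL_PROTO and int(f.get("LEN", 0)) >= MIN_CONTROL_LEN:
            hits.append((f["SRC"], f["DST"], int(f["LEN"])))
    return hits


def unusual_protocol_counts(log_text: str) -> dict:
    """Count logged packets per protocol outside the usual set; anything
    here deserves a look even if it is not the-binary."""
    counts = {}
    for line in log_text.splitlines():
        proto = parse_log_line(line).get("PROTO")
        if proto and proto not in USUAL_PROTOCOLS:
            counts[proto] = counts.get(proto, 0) + 1
    return counts


if __name__ == "__main__":
    print("control packets:", find_control_packets(SAMPLE_LOG))
    print("unusual protocols:", unusual_protocol_counts(SAMPLE_LOG))
```

The 120-byte PROTO=11 line is deliberately left out of the control-packet hits, since the backdoor ignores packets that small, but it still shows up in the unusual-protocol count, which is the broader signal the analysis recommends watching.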
The binary uses static libraries, symbols are stripped, and there is no usage or information display.
It's difficult to debug a program that uses fork. I patched the binary to remove some calls to fork (replaced by a xor %eax,%eax and some nops); it then becomes easy to set breakpoints with gdb and analyze the file.
Related tools:
Q by Mixter
Trinoo: http://staff.washington.edu/dittrich/misc/trinoo.analysis
TFN (Tribe Flood Network): http://staff.washington.edu/dittrich/misc/tfn.analysis
The tool the-binary looks like a patchwork of different functions (copy/paste...). DNS resolution could be done in the client; there is no reason to do it in the server. Some parameters have no effect (see the foo variable). The author seems to have limited programming skills.
I didn't find the meaning of the password SeNiF.
Modern DDoS tools support parallel attacks. The telnet backdoor could be improved: it would be interesting to be able to choose the TCP port and to encrypt the traffic. Data could be encrypted with strong cryptography (RC4, Twofish...). A reverse shell function is missing; a remote update/file transfer function could be added too.