HoneyPot University Security Advisory 2002-001
              ==============================================

Abstract
========

A new distributed denial of service (DDOS) tool has been discovered after a
break in at one of the computers at HoneyPot University.  The tool (code
named "the-binary" after the name of the original executable), was hand
decompiled and analysed by one of our researchers.

A DDOS system consists of a handler and an agent (using the handler/agent
terminology developed at the CERT Distributed System Intruder Tools
workshop held in November 1999 [1]).  Only the agent has been discovered,
but the functionality provided by the handler was deduced during the
analysis.  The tool discovered was compiled for a linux system, but it is
to be assumed that versions for different operating systems exist.

Details
=======

The agent allows a remote attacker to perform denial of services attacks
upon a victim.  With multiple compromised hosts running agents, an attacker
could coordinate a DOS attack simultaneously from multiple sources,
increasing the impact of the attack.  The agent requires root access to
execute, so a running agent is an indication of a root compromise.

There are three types of DOS attacks provided by the agent.
1. Synflood
2. Jolt2 attack [2]
3. Custom DNS flood

The agent additionally provides a backdoor allowing shell access, and
provides the ability to remotely executed commands on the compromised host.

Communication between the agent and handler is unauthenticated and
connectionless, using IP datagrams with the protocol field set to 11.  This
is important as many firewalls and IDS systems only consider ICMP, TCP and
UDP (protocols 1, 6, 17).  Hence packets using this protocol are generally
ignored and allowed to pass through the firewall.  Protocol 11 is reserved
for the Network Voice Protocol (NVP-II, rfc741 for the curious).  NVP-II is
an old protocol, generally not considered to be in use today.

Agent Features
==============

The synflood attack is a typical synflood upon a specific port (many
connections to a particular port).  Victim IP and port are specified by
the attacker.  Forged source address can either be specified, or randomly
generated.  Other TCP/IP fields are randomly generated for each packet
sent.  The flooding is continuous until stopped by the attacker.

The Jolt 2 attack is an attack upon Windows 9x, Windows NT4.0 and Windows
2000 machines which exploits a bug to cause 100% CPU utilisation.  It is
caused by sending invalid fragmented packets (either ICMP or UDP) to the
victim host.  (Microsoft has released a patch for this bug).

The DNS flood is a custom attack which sends spoofed SOA requests to many
thousands of DNS servers, with a spoofed source address of the victim.
The idea is for the victim to be flooded with unasked for DNS responses.
Specifically, the spoofed queries are zone of authority queries for the
domains com, net, edu, org and usc.edu.  (Queries are also sent for the
domains de, es, gr and it, but due to a coding error these queries are
malformed).

The agent also allows remote execution of commands (providing similar
functionality to rsh(1) ), and can provide a backdoor for shell access on
demand.  The default port for this backdoor is 23281, the default password
is "SeNiF".

Agent / Handler Communication
=============================

The handlers and agents use specifically constructed packets sent using
protocol 11 to communicate.  Specifically, the IP packets used by this tool
have the following form:

   +-------------+-----+-----+---------------------------+
   | IP Header   | dir | res |    Encrypted data         |
   +-------------+-----+-----+---------------------------+

IP Header - a standard IP header with protocol field set to 11
dir       - a direction byte: 2 for handler -> agent, 3 for agent -> handler
res       - reserved byte, unused
data      - encrypted data.   Decryption algorithm is stated in analysis
Total length of the IP packet is always greater than 200.

Commands are sent from handler to agent to control the agent.  Sample
commands are:
 * synflood this victim and port
 * execute this command on the compromised host
 * open a backdoor shell on the compromised host

Communication from agent to handler is only at the result of a status query
(what is the agent currently doing), or contains the output of an executed
command.

When sending a packet from agent to handler, there are three
possibilities.
* a single packet is sent from agent to handler.  The destination may or
  may not be a decoy.
* 10 packets are sent to different destinations.  One of these
  destinations is the handler, the others are decoys.
* 10 packets are sent to different destinations.  None of these
  destinations are the handler, they are all decoys.

This uncertainty increases the difficulty in tracing the handler, and
hence the attacker.

Detection
=========

Any network traffic using an unusual protocol should be suspect.  This tool
uses protocol 11, but could easily be recompiled to use another protocol.
As protocol 11 is not currently used, any network traffic using this
protocol should be assumed to be communication between handlers and agents
of this tool.  The signature for detecting agent / handler communication
was described in the previous section.

Note that the source address of a packet from handler -> agent should not
be assumed to be the actual address of the handler.  The source address in
the IP header is most likely to be spoofed.  Similarly, data from agent ->
handler is often faked to increase the difficulty of tracing the attacker's
whereabouts.

To hide from casual detection, the agent changes its process name to
[mingetty].
This is the standard getty for RedHat, and Slackware versions pre 7.0.

To detect a running agent on a system, netstat can be used to determine
if any processes are using protocol 11.  The following command and
response shows a running agent process.

# netstat -pan | grep raw | grep :11
raw    0      0 0.0.0.0:11       0.0.0.0:*      7     5226/[mingetty]

If found, all instances of mingetty should be killed (to ensure that
children are caught as well).  This will kill valid mingetty processes
as well, but they will be respawned by the init process.

# ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

The system should immediately be taken off the network and analysed to
determine how the attacker gained root access.

Defense
=======

To prevent being used as an attack platform for this tool, means as usual,
securing all hosts to prevent a root compromise.  To neutralise this tool
even in the event of a root compromise, border routers should be configured
to drop datagrams with a protocol field of 11.  This prevents communication
between agents and handlers.

To prevent being attacked by this tool (or any denial of service attack) is
a difficult task.  As a preventative action, the measures discussed in
Mixter's first-aid paper [3] should be undertaken.

Impact
======

The impact of this tool is not as severe as other DDOS tools such as trinoo
[4] and TFN.  This is due to the fact that the control channel between
agent and handler can easily be stopped with simple updates to the firewall
configuration.  The Synflood and Jolt 2 attacks are quite old (Synflood -
1996, Jolt 2 - 2000), and solutions for them are known.

This tool is more likely to be used as a remote backdoor for shell access,
rather than as a DOS platform.  This conclusion seems to be supported by
that fact that this is the first reported case of using this tool.


Related Links
=============


[1] Report on the November 1999 CERT Distributed System Intruder Tools
    workshop

http://www.cert.org/reports/dsit_workshop.pdf


[2] Jolt2 - Remote Denial of Service attack against Windows 2000 and NT4

http://razor.bindview.com/publish/advisories/adv_Jolt2.html


[3] 10 Proposed 'first-aid' security measures against Distributed Denial
    Of Service attacks

http://packetstorm.dnsi.info/distributed/firstaid.txt


[4] Trinoo Analysis

http://staff.washington.edu/dittrich/misc/trinoo.analysis