HoneyPot University Security Advisory 2002-001
==============================================

Abstract
========

A new distributed denial of service (DDOS) tool has been discovered after a
break-in at one of the computers at HoneyPot University. The tool (code named
"the-binary" after the name of the original executable) was hand decompiled and
analysed by one of our researchers.

A DDOS system consists of a handler and an agent (using the handler/agent
terminology developed at the CERT Distributed System Intruder Tools workshop
held in November 1999 [1]). Only the agent has been discovered, but the
functionality provided by the handler was deduced during the analysis.

The tool discovered was compiled for a Linux system, but it is to be assumed
that versions for other operating systems exist.

Details
=======

The agent allows a remote attacker to perform denial of service attacks upon a
victim. With multiple compromised hosts running agents, an attacker could
coordinate a DOS attack simultaneously from multiple sources, increasing the
impact of the attack. The agent requires root access to execute, so a running
agent is an indication of a root compromise.

There are three types of DOS attacks provided by the agent.

1. Synflood
2. Jolt2 attack [2]
3. Custom DNS flood

The agent additionally provides a backdoor allowing shell access, and provides
the ability to remotely execute commands on the compromised host.

Communication between the agent and handler is unauthenticated and
connectionless, using IP datagrams with the protocol field set to 11. This is
important as many firewalls and IDS systems only consider ICMP, TCP and UDP
(protocols 1, 6 and 17). Hence packets using this protocol are generally
ignored and allowed to pass through the firewall. Protocol 11 is reserved for
the Network Voice Protocol (NVP-II, RFC 741 for the curious). NVP-II is an old
protocol, generally not considered to be in use today.
Agent Features
==============

The synflood attack is a typical synflood upon a specific port (many
connections to a particular port). Victim IP and port are specified by the
attacker. The forged source address can either be specified, or randomly
generated. Other TCP/IP fields are randomly generated for each packet sent.
The flooding is continuous until stopped by the attacker.

The Jolt 2 attack is an attack upon Windows 9x, Windows NT 4.0 and Windows 2000
machines which exploits a bug to cause 100% CPU utilisation. It is caused by
sending invalid fragmented packets (either ICMP or UDP) to the victim host.
(Microsoft has released a patch for this bug.)

The DNS flood is a custom attack which sends spoofed SOA requests to many
thousands of DNS servers, with a spoofed source address of the victim. The idea
is for the victim to be flooded with unasked-for DNS responses. Specifically,
the spoofed queries are zone of authority queries for the domains com, net,
edu, org and usc.edu. (Queries are also sent for the domains de, es, gr and it,
but due to a coding error these queries are malformed.)

The agent also allows remote execution of commands (providing similar
functionality to rsh(1)), and can provide a backdoor for shell access on
demand. The default port for this backdoor is 23281; the default password is
"SeNiF".

Agent / Handler Communication
=============================

The handlers and agents use specifically constructed packets sent using
protocol 11 to communicate. Specifically, the IP packets used by this tool have
the following form:

+-------------+-----+-----+---------------------------+
| IP Header   | dir | res | Encrypted data            |
+-------------+-----+-----+---------------------------+

IP Header - a standard IP header with protocol field set to 11
dir       - a direction byte: 2 for handler -> agent, 3 for agent -> handler
res       - reserved byte, unused
data      - encrypted data.
The decryption algorithm is stated in the analysis. The total length of the IP
packet is always greater than 200.

Commands are sent from handler to agent to control the agent. Sample commands
are:

* synflood this victim and port
* execute this command on the compromised host
* open a backdoor shell on the compromised host

Communication from agent to handler occurs only as the result of a status query
(what is the agent currently doing), or contains the output of an executed
command. When sending a packet from agent to handler, there are three
possibilities.

* A single packet is sent from agent to handler. The destination may or may not
  be a decoy.
* 10 packets are sent to different destinations. One of these destinations is
  the handler, the others are decoys.
* 10 packets are sent to different destinations. None of these destinations is
  the handler; they are all decoys.

This uncertainty increases the difficulty of tracing the handler, and hence the
attacker.

Detection
=========

Any network traffic using an unusual protocol should be suspect. This tool uses
protocol 11, but could easily be recompiled to use another protocol. As
protocol 11 is not currently used, any network traffic using this protocol
should be assumed to be communication between handlers and agents of this
tool. The signature for detecting agent / handler communication was described
in the previous section.

Note that the source address of a packet from handler -> agent should not be
assumed to be the actual address of the handler. The source address in the IP
header is most likely spoofed. Similarly, data from agent -> handler is often
faked to increase the difficulty of tracing the attacker's whereabouts.

To hide from casual detection, the agent changes its process name to
[mingetty]. This is the standard getty for RedHat, and for Slackware versions
before 7.0. To detect a running agent on a system, netstat can be used to
determine if any processes are using protocol 11.
The following command and response shows a running agent process.

# netstat -pan | grep raw | grep :11
raw        0      0 0.0.0.0:11              0.0.0.0:*               7          5226/[mingetty]

If found, all instances of mingetty should be killed (to ensure that children
are caught as well). This will kill valid mingetty processes as well, but they
will be respawned by the init process.

# ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

The system should immediately be taken off the network and analysed to
determine how the attacker gained root access.

Defense
=======

Preventing a host from being used as an attack platform for this tool means, as
usual, securing all hosts to prevent a root compromise. To neutralise this tool
even in the event of a root compromise, border routers should be configured to
drop datagrams with a protocol field of 11. This prevents communication between
agents and handlers.

Preventing being attacked by this tool (or by any denial of service attack) is
a difficult task. As a preventative action, the measures discussed in Mixter's
first-aid paper [3] should be undertaken.

Impact
======

The impact of this tool is not as severe as that of other DDOS tools such as
trinoo [4] and TFN. This is because the control channel between agent and
handler can easily be stopped with simple updates to the firewall
configuration. The Synflood and Jolt 2 attacks are quite old (Synflood - 1996,
Jolt 2 - 2000), and solutions for them are known.

This tool is more likely to be used as a remote backdoor for shell access,
rather than as a DOS platform. This conclusion seems to be supported by the
fact that this is the first reported case of use of this tool.
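The network signature given in the Agent / Handler Communication and Detection
sections (protocol 11, direction byte 2 or 3, reserved byte, total length over
200) can be checked directly against raw IPv4 packets. The following detector
is an added example written for this advisory, not code from the original
analysis; the sample packets it builds are constructed, and the encrypted data
is treated as opaque because the cipher is only given in the full analysis.

```python
import struct

# Signature from the advisory: IPv4 protocol 11 (NVP-II), a direction byte
# (2 = handler -> agent, 3 = agent -> handler), a reserved byte, then the
# encrypted payload, with an IP total length that is always greater than 200.
PROTO_NVP_II = 11
DIRECTIONS = {2: "handler->agent", 3: "agent->handler"}
MIN_TOTAL_LENGTH = 201


def parse_ipv4(pkt):
    """Return (total_length, protocol, src, dst, payload) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    dotted = lambda a: ".".join(str(b) for b in a)
    return total_len, proto, dotted(src), dotted(dst), pkt[ihl:total_len]


def classify(pkt):
    """Return None unless the packet uses protocol 11, else a dict describing it."""
    total_len, proto, src, dst, payload = parse_ipv4(pkt)
    if proto != PROTO_NVP_II:
        return None
    # full_match needs a known direction byte and the > 200 length property;
    # the encrypted data after the two control bytes is not inspected here.
    direction = DIRECTIONS.get(payload[0], "unknown") if payload else "unknown"
    return {"src": src, "dst": dst, "direction": direction, "total_len": total_len,
            "full_match": direction != "unknown" and total_len >= MIN_TOTAL_LENGTH}


def build_packet(proto, first_byte, data_len, src="10.0.0.5", dst="10.0.0.9"):
    """Construct a sample IPv4 packet (constructed test data; checksum left zero)."""
    body = bytes([first_byte, 0]) + b"\x00" * data_len
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      to_bytes(src), to_bytes(dst))
    return hdr + body


if __name__ == "__main__":
    # Constructed samples: a handler->agent command, a short protocol 11 probe
    # that fails the length check, and ordinary UDP that is ignored.
    for p in (build_packet(11, 2, 240), build_packet(11, 3, 40), build_packet(17, 2, 240)):
        print(classify(p))
```

As the Detection section notes, a matching packet identifies agent/handler
traffic but its source address should not be trusted as the handler's location.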
Related Links
=============

[1] Report on the November 1999 CERT Distributed System Intruder Tools workshop
    http://www.cert.org/reports/dsit_workshop.pdf
[2] Jolt2 - Remote Denial of Service attack against Windows 2000 and NT4
    http://razor.bindview.com/publish/advisories/adv_Jolt2.html
[3] 10 Proposed 'first-aid' security measures against Distributed Denial Of Service attacks
    http://packetstorm.dnsi.info/distributed/firstaid.txt
[4] Trinoo Analysis
    http://staff.washington.edu/dittrich/misc/trinoo.analysis