+----------+ +----------+ | attacker | | attacker | +----------+ +----------+ | | . . . --+------+---------------+------+----------------+-- . . . | | | | | | +-----------+ +-----------+ +-----------+ | handler | | handler | | handler | +-----------+ +-----------+ +-----------+ | | | | | | . . . ---+------+-----+------------+---+--------+------------+-+-- . . . | | | | | | | | | | +-------+ +-------+ +-------+ +-------+ +-------+ | agent | | agent | | agent | | agent | | agent | +-------+ +-------+ +-------+ +-------+ +-------+Remote systems are compromised, and an agent binary is downloaded and executed. The agent becomes a daemon and waits to be commanded. When ready to utilise the agents, the attacker will use a handler program to instruct the agent(s) on the action to be performed. This allows the attacker to launch coordinated attacks upon a victim from multiple sites (the compromised hosts) on the Internet.
The agent can perform 3 types of DOS attack, plus provides "backdoor" shell access on demand. As two of the DOS attacks are quite old, and there hasn't been much reported abuse by the third method of attack, we can assume that the agent is mainly used for its backdoor feature.
Communication between handler and agent is connectionless and unreliable. IP datagrams with a protocol field of 11 are used. Payload is encrypted.
There are 12 possible commands which the agent responds to.
+-------------+-----+-----+---------------------------+ | IP Header | dir | res | Encoded data | +-------------+-----+-----+---------------------------+ IP Header - a standard IP header with protocol 11 dir - a direction byte: 2 for handler -> agent, 3 for agent -> handler res - reserved byte, unused data - encoded data. Total length of the IP packet is always greater than 200.The encoding process used is quite simple. Treat the data to encode as an array of unsigned chars. For each element of the array, add the current data plus 23 to an accumulator. The value of the accumulator modulo 256 is the encoded data for that element of the array.
Here are simple C versions of the encoding and decoding methods.
void encode(unsigned char *buf, int len) { int i; buf[0] += 23; for (i = 1; i < len; i++) buf[i] += (buf[i - 1] + 23); } void decode(unsigned char *buf, int len) { int i; for (i = len - 1; i >= 1; i--) buf[i] -= (buf[i - 1] + 23); buf[0] -= 23; }Here is an example illustrating the encoding of the data [25, 87, 200]
src dst 25 -> 48 == ( 0 + 25 + 23) % 256 87 -> 158 == ( 48 + 87 + 23) % 256 200 -> 125 == (158 + 200 + 23) % 256Once the encoded data is decoded, it can be processed. There are 15 different formats this decoded data can take. The formats consist of combinations of command flags, IP addresses and port numbers. For example, the format of a command to execute a shell command is:
+-----+------+----------------------------------+----------------+ | res | 0x07 | command string (null terminated) | random padding | +-----+------+----------------------------------+----------------+ where: res is an unused byte (reserved) 0x07 is the command byte to execute a shell command string is a null terminated string e.g. "rm -rf /" random is random junk to pad the packetFull details of the different formats can be found in Appendix A.
A full decoder is included as decoder. It is a perl script that requires the tcpdump executable to be in the current path. Output of this script on the supplied snort.log is given at the end of this document in Appendix B.
Detecting tunelled data in uncommon protocols is relatively easy. Setting a firewall to log / drop packets using an unused protocol (e.g anything not ICMP, TCP, or UDP) is one way to identify network traffic tunneled in an unused protocol.
These two methods protect the binary against analysis, by reducing the chance of it being detected. If the program is not detected, then it is not going to be analysed.
TFN is made up of client and daemon programs, which implement a distributed network denial of service tool capable of waging ICMP flood, SYN flood, UDP flood, and Smurf style attacks, as well as providing an "on demand" root shell bound to a TCP port. ... Communication from the TFN client to daemons is accomplished via ICMP_ECHOREPLY packets. There is no TCP or UDP based communication between the client and daemons at all.TFN is similar (though vastly more sophisticated), to this tool. Similarities include:
Notes on PDU format.
+------+------+------+------+-----+ | 0x00 | 0x01 | 0x07 | 0x01 | act | +------+------+------+------+-----+ act: is the request id of the action being performedResponse to a status query when agent is not performing any slow action.
+------+------+------+------+ | 0x00 | 0x01 | 0x07 | 0x00 | +------+------+------+------+First packet containing the output from an executed shell command.
+------+------+------------------------+ | res | 0x03 | null terminated string | +------+------+------------------------+ string: a null terminated string containing output (stdout + stderr) from the executed csh commandContinuing packets containing the output from an executed shell command.
+------+------+------------------------+ | res | 0x04 | null terminated string | +------+------+------------------------+ string: a null terminated string containing output (stdout + stderr) from the executed csh command.
+------+------+ | res | 0x01 | +------+------+Initialisation. Sets the IP address of the handler.
+------+------+------+----------------+ | res | 0x02 | 0x00 | 4 byte IP addr | +------+------+------+----------------+ addr: 32 bit IP address (of the handler).Initialisation. Sets the IP addresses of the handler. Each packet to be sent to a handler will be sent to these 10 IP addresses. This is presumably increase the difficulty of finding the true IP address of the handler. (Actually, due to a programming bug, only 9 of these IP addresses are used).
+------+------+------+------------------------+ | res | 0x02 | 0x02 | 4 byte IP addr * 10 | +------+------+------+------------------------+ addr: 10 32 bit IP addressInitialisation. Sets the IP address of the handler. 9 other random IP addresses will be generated, and each packet to be sent to a handler will be sent to these 10 IP addresses.
+------+------+------+----------------+ | res | 0x02 | 0x?? | 4 byte IP addr | +------+------+------+----------------+ addr: 32 bit IP addressExecute the given csh command, returning output to the handler.
+------+------+------------------------+ | res | 0x03 | null terminated string | +------+------+------------------------+ string: a null terminated string containing the command to execute.Perform a dns flood on the given victim.
+------+------+----------------+------+------+----------+ | res | 0x04 | victim IP addr | port | flag | hostname | +------+------+----------------+------+------+----------+ victim: 32 bit IP address of victim to flood port: 16 bit source port to spoof in DNS query flag: if 0, then use IP address for victim, otherwise use resolved hostname hostname: null terminated hostname of victim (only used if flag is non zero) Notes on timing: There is a pause of 300 microseconds between sending each packet. If flag is non zero, then hostname is resolved once before sending any packets. If the hostname resolution fails, then there is a pause of 10 minutes before the name resolution is attempted again.Perform a jolt2 attack on the given victim.
+------+------+-----+-----+----------------+-------------+------+----------+ | res | 0x05 | udp | port| victim IP addr | src IP addr | flag | hostname | +------+------+-----+-----+----------------+-------------+------+----------+ udp: if 0 use icmp fragmented packets, otherwise use udp port: 8 bit source port to spoof in udp attack victim: 32 bit IP address of victim to flood src IP: 32 bit IP address of src IP to spoof flag: if 0, then use IP address for victim, otherwise use resolved hostname hostname: null terminated hostname of victim (only used if flag is non zero) Notes on timing: Packets are sent in twos, with a pause of 20 microseconds between each pair. If flag is non zero, then hostname is resolved once before sending any packets. If the hostname resolution fails, then there is a pause of 10 minutes before the name resolution is attempted again.Open a backdoor (shell bound to TCP port). Default port is 23281 and default password is "SeNiF".
+------+------+ | res | 0x06 | +------+------+Execute the given csh command. Output is not sent to the handler.
+------+------+------------------------+ | res | 0x07 | null terminated string | +------+------+------------------------+ string: a null terminated string containing the command to execute.Terminate any currently executing slow action.
+------+------+ | res | 0x08 | +------+------+Perform a dns flood on the given victim.
+------+------+----------------+-----+------+------+----------+ | res | 0x09 | victim IP addr | arg | port | flag | hostname | +------+------+----------------+-----+------+------+----------+ victim: 32 bit IP address of victim to flood arg: used for timing. port: 16 bit source port to spoof in DNS query flag: if 0, then use IP address for victim, otherwise use resolved hostname hostname: null terminated hostname of victim (only used if flag is non zero) Notes on timing: Packets are sent in groups of arg. There is a pause of 300 microseconds between sending each group. If flag is non zero, then hostname is resolved once before sending any packets. If the hostname resolution fails, then there is a pause of 10 minutes before the name resolution is attempted again. After sending (40000 * arg) packets, hostname resolution starts again.Perform a syn flood attack on the given victim.
+------+------+----------------+------+-----+-------------+------+----------+ | res | 0x0a | victim IP addr | port | src | src IP addr | flag | hostname | +------+------+----------------+------+-----+-------------+------+----------+ victim: 32 bit IP address of victim to flood port: 16 bit source port to send syn packets to src: if 0 the spoofed source address is randomly generated for each packet src IP: if src is non 0, then this IP address is used for the source IP flag: if 0, then use IP address for victim, otherwise use resolved hostname hostname: null terminated hostname of victim (only used if flag is non zero) Notes on timing: There is a pause of 300 microseconds between sending each packet. If flag is non zero, then hostname is resolved once before sending any packets. If the hostname resolution fails, then there is a pause of 10 minutes before the name resolution is attempted again.Perform a syn flood attack on the given victim.
+-----+-----+----------------+------+-----+-------------+-----+-----+----------+ | res |0x0b | victim IP addr | port | src | src IP addr | arg |flag | hostname | +-----+-----+----------------+------+-----+-------------+-----+-----+----------+ victim: 32 bit IP address of victim to flood port: 16 bit source port to send syn packets to src: if 0 the spoofed source address is randomly generated for each packet src IP: if src is non 0, then this IP address is used for the source IP arg: used for timing. flag: if 0, then use IP address for victim, otherwise use resolved hostname hostname: null terminated hostname of victim (only used if flag is non zero) Notes on timing: Packets are sent in groups of arg. There is a pause of 300 microseconds between sending each group. If flag is non zero, then hostname is resolved once before sending any packets. If the hostname resolution fails, then there is a pause of 10 minutes before the name resolution is attempted again. After sending (40000 * arg) packets, hostname resolution starts again.Perform a dns flood on the given victim, specifying the name server to perform the flood.
+-----+------+------------+----------------+-----+------+------+----------+ | res | 0x0c | NS IP addr | victim IP addr | arg | port | flag | hostname | +-----+------+------------+----------------+-----+------+------+----------+ NS IP: 32 bit IP address of name server to target victim: 32 bit IP address of victim to flood arg: used for timing. port: 16 bit source port to spoof in DNS query flag: if 0, then use IP address for name server, otherwise use resolved hostname hostname: null terminated hostname of name server (only used if flag is non zero) Notes on timing: Packets are sent in groups of arg. There is a pause of 300 microseconds between sending each group. If flag is non zero, then hostname is resolved once before sending any packets. If the hostname resolution fails, then there is a pause of 10 minutes before the name resolution is attempted again. After sending (40000 * arg) packets, hostname resolution starts again.
$ perl decoder snort.log 172.16.196.132 -> 172.16.183.2 (handler -> agent) Initialise agent. All replies are sent to handler at 203.173.173.35 (plus 9 other randomly generated hosts) ---------------------------------------------------------------- 172.16.196.132 -> 172.16.183.2 (handler -> agent) Initialise agent. All replies are sent to handler at 203.173.173.35 (plus 9 other randomly generated hosts) ---------------------------------------------------------------- 172.16.196.132 -> 172.16.183.2 (handler -> agent) Initialise agent. All replies are sent to handler at 203.173.173.35 (plus 9 other randomly generated hosts) ---------------------------------------------------------------- 172.16.196.132 -> 172.16.183.2 (handler -> agent) Execute the given command and send output to handler: rpcinfo -p 127.0.0.1 ---------------------------------------------------------------- 172.16.183.2 -> 109.197.191.34 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 126.85.250.183 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 233.96.38.22 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 210.13.117.98 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 219.93.216.82 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 203.173.144.35 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 41.230.157.197 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 20.17.169.129 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 214.104.164.84 (agent -> handler) output of command executed by agent: program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100021 1 udp 1024 nlockmgr 100021 3 udp 1024 nlockmgr 100021 1 tcp 1024 nlockmgr 100021 3 tcp 1024 nlockmgr 100024 1 udp 924 status 100024 1 tcp 926 status ---------------------------------------------------------------- 172.16.183.2 -> 109.197.191.34 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 126.85.250.183 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 233.96.38.22 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 210.13.117.98 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 219.93.216.82 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 203.173.144.35 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 41.230.157.197 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 20.17.169.129 (agent -> handler) end of output of command executed by agent ---------------------------------------------------------------- 172.16.183.2 -> 214.104.164.84 (agent -> handler) end of output of command executed by agent ----------------------------------------------------------------