Advisory: the-binary back door and DOS tool


sean.burford@adelaide.edu.au
http://XXX/advisories/SBSA-2002-001.1.html

SBSA-2002-001.1
Released: 29/May/2002
Revised: -

Systems affected:
Systems running Linux or Linux binary emulation.
Possibly other Unix systems.

1. Key aspects

honeyp.edu have discovered a new backdoor and DDOS tool in the wild. Once installed by a cracker, it provides the ability to run shell commands as root remotely, and the ability to launch various kinds of Denial of Service attack. We have named it the-binary after the name of the file installed by the cracker. The machine that the-binary was found on was initially compromised through an unrelated security hole.

2. How it works

The-binary was statically linked and compiled for use on machines running Linux on i386 compatible processors. It uses standard C library functions, so it could be ported to other Unices supporting raw sockets with little difficulty.

When run, the-binary checks that it is running as root, then changes its process name to '[mingetty]', closes all open file descriptors, forks into the background and waits for commands from the network. Examining /proc/<PID>/status still reveals the original process name. As top uses the process name found in /proc, top also still shows the original process name. Examining the process's file descriptor list in /proc/<PID>/fd/* or with lsof (http://freshmeat.net/projects/lsof/) shows one open file descriptor, listening for network connections.

The-binary accepts command packets on IP protocol 11 (this protocol number is not widely used, unlike TCP or UDP). Available commands are:

The command parameters are encoded to make interception and interpretation difficult. Commands can be accepted from spoofed source addresses, and DNS lookups can be performed by either the client or by the-binary. By deferring DNS lookups to the-binary on the compromised system, the cracker can avoid having his actual IP address stored in DNS logs, providing another level of anonymity.

As can be seen in the command list, the-binary provides facilities for executing commands as root on the compromised host, and for launching DDOS attacks.

The program that was found on the honeyp.edu machine was compiled for use on machines running the Linux operating system, but it could be compiled for use on different versions of Unix with little difficulty. Similar programs exist for machines running the Windows family of operating systems.

3. The threats it poses

The back door functionality of the-binary gives full access to modify user accounts, modify files and perform any other task available to the root user. This access can be used to install other software to collect network passwords or compromise other machines on the network. The shell is configured to prevent updating of the history file, which normally contains a list of commands executed by a user.

The Denial of Service capabilities of this and programs like it pose a threat to all systems connected to the Internet. These servers can be coordinated to flood any system on the Internet with traffic, in an attempt to force it offline. These traffic floods often affect many other systems that share the same path to the Internet as the target system, causing them traffic problems as well.

The SYN and fragmented packet floods may cause undesired effects on some firewalls, filling up their memory with packet fragments if they reconstruct packets, or their connection tables with half open connections if they are stateful.

Further information on Denial of Service attacks is available at:
http://www.cert.org/tech_tips/denial_of_service.html
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2000.02 (Australia only)

The ability to send responses to a list of machines, coupled with the ability to accept commands sent from a spoofed source address, means that communications to and from the-binary can be performed in a way that makes it difficult to trace them back to the cracker. As the-binary accepts commands sent to the broadcast address, can execute commands without sending replies and can spoof the source address of all flood packets, the compromised machine does not have to be identified in any IP network packets. These facilities can be used by a skilled cracker to hide his identity, and that of the compromised machine, from network sniffers.

4. How to detect and defend against it

The best defence is to prevent your systems from being compromised and having these programs installed. You can do this by maintaining your systems with the latest software patches, and by turning off unnecessary network services. There are guidelines for securing your system available at the following web sites:
http://www.cert.org/security-improvement/#general
http://www.auscert.org.au/Information/Auscert_info/papers.html (Australia only)

The-binary can be detected on the network by scanning for machines listening on IP protocol 11 with nmap (http://www.insecure.org/nmap/), or other network scanners capable of scanning for IP protocols.

Another way of detecting that the-binary is running on a system is to compare the output of the 'ps' command with the output of 'top'. ps shows the-binary as having the process name '[mingetty]', a program commonly found running on Unix systems, while top shows the original process name for the same process ID. Top, ps and other programs on the system may be modified by the cracker to hide traces of the-binary. A good way to check if these programs have been modified is to run chkrootkit (http://www.chkrootkit.org/).
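The two host-side checks above (a raw socket bound to IP protocol 11, and a process whose argv[0] as shown by ps disagrees with the Name in /proc/<PID>/status as shown by top) can be automated. The following is an added example written for this advisory, not code from honeyp.edu or from the-binary itself; the /proc/net/raw snapshot and the status/cmdline pairs are constructed sample data, and the same functions can be fed the live files from /proc.

```python
import re

# Constructed sample of /proc/net/raw: one ICMP (protocol 1) socket and one
# raw socket bound to IP protocol 11, the default control channel of the-binary.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 14021
   1: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 14987
"""

# Constructed /proc/<PID>/status and /proc/<PID>/cmdline pairs (PIDs are made up).
# cmdline is NUL-separated, as the kernel presents it.
SAMPLE_PROCS = {
    1234: ("Name:\tmingetty\nState:\tS (sleeping)\n", b"/sbin/mingetty\x00tty2\x00"),
    1337: ("Name:\tthe-binary\nState:\tS (sleeping)\n", b"[mingetty]\x00"),
    2:    ("Name:\tkthreadd\nState:\tS (sleeping)\n", b""),
}

def raw_sockets_for_protocol(proc_net_raw: str, protocol: int = 11):
    """Return (uid, inode) for every raw socket bound to `protocol`.
    In /proc/net/raw the 'port' half of local_address is the IP protocol
    number in hex, so a protocol 11 listener shows up as ...:000B."""
    hits = []
    for line in proc_net_raw.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue  # header or blank line
        local_addr, uid, inode = fields[1], fields[7], fields[9]
        if int(local_addr.split(":")[1], 16) == protocol:
            hits.append((int(uid), int(inode)))
    return hits

def process_name_mismatches(procs):
    """Return PIDs whose /proc/<PID>/status Name (what top shows) differs from
    argv[0] in /proc/<PID>/cmdline (what ps shows). Kernel threads have an
    empty cmdline and are skipped; Name is truncated by the kernel to 15
    characters, so only that prefix of argv[0] is compared."""
    suspects = []
    for pid, (status, cmdline) in procs.items():
        m = re.search(r"^Name:\s*(\S+)", status, re.M)
        argv0 = cmdline.split(b"\x00")[0].decode(errors="replace")
        if not m or not argv0:
            continue
        shown = argv0.strip("[]").rsplit("/", 1)[-1]
        if shown[:15] != m.group(1):
            suspects.append(pid)
    return suspects
```

A mismatch is only a lead: interpreters and daemons that rewrite argv[0] legitimately trigger it too, so confirm a hit with lsof on the PID and with chkrootkit before acting on it.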

IP Protocol 11 is not widely used, so blocking it at your firewall should have no negative effect unless it is more widely used in the future. The protocol number used by the-binary can be reconfigured before compiling the-binary, so blocking protocol 11 will not guarantee that you block control traffic to the-binary.

Configuring your border routers to block spoofed packets at ingress and egress will help prevent many packet spoofing attacks, and make DOS floods originating from your network easier to trace back and stop. More information on configuring routers to block spoofed packets is available at the following URLs:
General: http://www.sans.org/y2k/egress.htm
General: http://rr.sans.org/firewall/perimeter_filter.php
Cisco: http://www.cisco.com/warp/public/707/newsflash.html