Summary: the-binary back door and DOS tool found on honeyp.edu machine


sean.burford@adelaide.edu.au
http://XXX/advisories/SBNTSA-2002-001.1.html

SBNTSA-2002-001.1
Released: 29/May/2002
Revised: -

1. Key aspects

A program was recently discovered on a honeyp.edu machine that had been compromised by a cracker. The program is designed to provide:

It has been given the name the-binary after the name of the discovered file.

2. How it works

The client can be used to remotely run programs on the compromised machine. These commands are run with full system privilege.

When commanded to, the-binary can launch several types of Denial of Service attacks from the compromised machine against other machines that are connected to the Internet.

The program that was found on the honeyp.edu machine was compiled for use on machines running the Linux operating system, but it could be compiled for use on different versions of Unix with little difficulty. Similar programs exist for machines running the Windows family of operating systems.

Technical detail of the-binary can be found in the technical advisory at http://XXX/advisories/SBSA-2002-001.1

3. The threats it poses

The back door functionality of the-binary gives full access to modify user accounts, modify files and shut down the machine. This access can be used to install other software to collect network passwords or compromise other machines on the network.

The Denial of Service capabilities of this and programs like it pose a threat to all systems connected to the Internet. These machines can be coordinated to flood any system on the Internet with traffic, forcing it offline or crashing it. These traffic floods often affect many other systems that share the same path to the Internet as the target system, taking them offline as well.

Further information on Denial of Service attacks is available at:
http://www.cert.org/tech_tips/denial_of_service.html
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2000.02

4. How to detect and defend against it

The best defence against these programs is to maintain your systems with the latest software patches, and to turn off unnecessary network services. There are guidelines for securing your system available at the AusCERT web site:
http://www.auscert.org.au/Information/Auscert_info/papers.html

Information Technology Services (ITS) will conduct a network scan to detect whether other machines within the University have had the-binary installed, and will work with the owners of any affected machines to remove the program. This scan does not require any action on your part.

One way of detecting that the-binary is running on a Linux system is to compare the output of the 'ps' command with the output of 'top'. ps shows the-binary as having the process name '[mingetty]', a program commonly found running on Unix systems, while top shows the process name 'the-binary' for the same process. Note that these programs may have been modified on some systems to hide the-binary.
A good way to check for these modified programs is to use chkrootkit:
http://www.chkrootkit.org/
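The ps/top discrepancy described above comes from the two tools reading different things: ps prints the argv[0] string, which a running process can overwrite, while top prints the kernel's comm field, which is set from the executable name and cannot be faked from user space so easily. The following script is an added example, not part of this advisory or of any analysis of the-binary; it reads both values for every process from /proc (the same data ps and top use on Linux) and reports processes where the two names disagree. The sample entries at the bottom are constructed for illustration, including a process that calls itself '[mingetty]' while the kernel knows it as 'the-binary'.

```python
"""Flag processes whose argv[0] disagrees with the kernel's own name for them.

Added example, not from the advisory. On Linux, /proc/<pid>/comm holds the
kernel's name for a process (executable basename, truncated to 15 characters)
and /proc/<pid>/cmdline holds the argv array the process presents, which it is
free to rewrite. A process that renames itself to look like a kernel thread or
a system daemon will show up as a mismatch between the two.
"""
import os

# The kernel's comm field holds at most 15 characters (TASK_COMM_LEN - 1).
COMM_MAX = 15


def collect_from_proc(proc_root="/proc"):
    """Read (pid, comm, argv0) for every process under proc_root (Linux only)."""
    entries = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/comm") as f:
                comm = f.read().rstrip("\n")
            with open(f"{proc_root}/{name}/cmdline", "rb") as f:
                cmdline = f.read()
        except OSError:
            continue  # process exited, or we may not read it
        # argv entries are NUL-separated; keep only argv[0]
        argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
        entries.append((int(name), comm, argv0))
    return entries


def names_agree(comm, argv0):
    """True when argv0 is a plausible argv[0] for the kernel-reported comm."""
    base = os.path.basename(argv0)
    if base.startswith("-"):
        base = base[1:]  # '-bash' style login-shell marker is normal
    # comm is the executable basename truncated to COMM_MAX characters
    return base[:COMM_MAX] == comm


def find_name_mismatches(entries):
    """Return [(pid, comm, argv0)] for processes whose two names disagree.

    Genuine kernel threads have an empty cmdline and are skipped. A user-space
    process that rewrote its argv[0] to '[mingetty]' still has a non-empty
    cmdline, so it is examined and reported.
    """
    suspicious = []
    for pid, comm, argv0 in entries:
        if argv0 == "":
            continue  # kernel thread: no user-space argv at all
        if not names_agree(comm, argv0):
            suspicious.append((pid, comm, argv0))
    return suspicious


# Constructed sample standing in for /proc on a compromised host.
SAMPLE_ENTRIES = [
    (1, "init", "/sbin/init"),
    (2, "kthreadd", ""),                  # real kernel thread: empty cmdline
    (812, "mingetty", "/sbin/mingetty"),  # genuine getty: names agree
    (905, "bash", "-bash"),               # login shell: leading dash is normal
    (1337, "the-binary", "[mingetty]"),   # process posing as a kernel thread
]

if __name__ == "__main__":
    for pid, comm, argv0 in find_name_mismatches(collect_from_proc()):
        print(f"pid {pid}: kernel says {comm!r}, argv[0] says {argv0!r}")
```

Mismatches are leads rather than verdicts: some legitimate daemons rewrite their argv[0] on purpose (sshd and postgres are common examples), so each hit should be looked at, not acted on blindly. The check also inherits the caveat given above for ps and top: it relies on the kernel and Python on the suspect machine being intact, so on a host you already suspect it is better run from a known-good boot medium.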

If you notice files or processes that have been added to your system without your knowledge, or other suspicious activity, you should contact Information Technology Services (ITS) as soon as possible on telephone extension x12345 or by emailing security@its.honeyp.edu. Do not do anything that could damage evidence on the machine. Even reading the suspicious files can destroy evidence.

If, in the future, you believe that your system is under Denial of Service attack, contact ITS so that we can investigate and arrange for our bandwidth providers to stem the flow of traffic as appropriate.