Answers for the Honeynet Reverse Challenge, May 2002


May 27, 2002

1. Identify and explain the purpose of the binary?

This binary is an example of a Distributed Denial of Service (DDoS) agent.  The purpose of the tool is to act as a zombie listener, lying dormant until commanded to carry out one of the actions detailed below.

2. Identify and explain the different features of the binary.  What are its capabilities?

Startup

The binary requires root privileges to run.  It will shut itself down if it discovers that it is not root.  Upon successful startup, the binary changes its value of argv[0] to "[mingetty]", forks and exits.  The forked copy shows up in ps listings as "[mingetty]".  On many linux systems, there are five of these virtual consoles already running, so this bit of camouflage may go unnoticed.  It is worth noting that lsof output continued to list the program as "the-binary".  The binary does not seem to make any modifications to the host system.  Following a successful fork, the new process opens a raw socket (see description of the network encoding process below) and enters a command processing loop.
Twelve commands can be sent to this tool.  Six of the commands perform administrative tasks, and six commands initiate various denial of service attacks.  Each of the functions is detailed below.  It should be noted that the agent performs no authentication on incoming commands, making it possible to take over a running agent, or terminate jobs on a running agent independently of a handler.  It is also possible to use this weakness to make an agent expose itself, by querying agent status on a machine and seeing if a response is generated.

Administrative Functions

Denial of Service Functions

3. The binary uses a network data encoding process.  Identify the encoding process and develop a decoder for it.

All handler<-->agent communication takes place via IP packets with the protocol specified as 11 (NVP-II), though the packets do not conform to the NVP-II protocol.  Including the IP header, packets must have a minimum size of 201 bytes or they are ignored by the tool.  The first data byte of the packet (immediately following the IP header) contains a direction indicator.  Handler to agent traffic uses a direction value of 2, while agent to handler traffic uses a direction of 3.  The agent ignores all commands that have a direction value other than 2.  The command field of the packet commences with the third byte of the packet data.  Command fields are always encoded with a simple encoding process that combines a shift of 23 with a running sum of the command field.  The process is best described with the following function:
void encode(int len, unsigned char *source, unsigned char *dest) {
   int i;
   unsigned char prev = 0;
   for (i = 0; i < len; i++) {
      prev = dest[i] = source[i] + prev + 23;
   }
}
The corresponding decoder function looks like this
void decode(int len, unsigned char *source, unsigned char *dest) {
   int i;
   unsigned char offset = 23, prev = 0;
   for (i = 0; i < len; i++, offset += 23) {
      prev += dest[i] = source[i] - prev - offset;
   }
}
Encoding and decoding could easily be done in place, though the attacker chose not to do so.  It should be noted that the attacker's version of the decoding function is very convoluted, leading one to question their programming skills somewhat.

Once decoded, a command buffer received by the agent contains a command byte at location command[1].  Valid commands are in the range 1-12 and may be followed by command specific parameters starting at command[2].  The 12 commands and their associated parameters are detailed in item 2 above.  See decoder.c for a pcap based program that decodes traffic between handlers and agents.

4. Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.

The most straight forward manner is to use a tcpdump filter of the form 'ip[9] = 11'. This simply detects an IP protocol byte with a value of 11 as used by this tool.  Generically, for tools of this sort that use non typical IP protocols we could use a filter of the form:
ip[0] != 1 && ip[9] != 6 && ip[9] != 17
To catch traffic that is neither icmp, tcp, or udp.  This filter could be extended to allow any other protocols that are expected on a network.

5. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

As this was the first binary I have ever taken the time to reverse engineer, I can only comment on the things that slowed me down a bit.

6. Identify two tools in the past that have demonstrated similar functionality.

This tool could be lumped in with the body of DDoS tools that already exist such as trinoo, TFN, stacheldraht, mstream, shaft, etc... It would be a bit of a stretch to claim that this tool is as sophisticated as any of those named.  Perhaps similar to mstream if one had to make an assessment, though I think none of the tools mentioned used a non-standard IP protocol as a means of communication between agent and handler.

Bonus Questions

7. Programmer skill

This program does not contribute a whole lot to the state of the are in DoS tools.  It uses the interesting concept of a novel protocol for agent/handler communications, but other than that is fairly unremarkable and not terribly well programmed.  A few comments on the program follow:

The author performs unnecessary checksumming on the ip headers of his raw sockets, the kernel does this automatically and he could have saved a lot of time.  The programmer perhaps has a poor understanding of ICMP and UDP as evidenced by attack 5 where packets are marked as fragments and in the case of UDP improperly check summed.  This function is very sloppily coded.  What appeared to be a ping flood at first glance, fails to generate any response from the target because of the "fragmented" icmp echo request.

It also seems that he does things without thinking about why, my personal favorite, found in his data transmit routine is

ipHeader->ip_id = htons(random());
I am not sure why he felt compelled to convert a random number to network byte order.  Force of habit perhaps.  If the author had used a socket of the form socket(AF_INET, SOCK_RAW, 11), instead of socket(AF_INET, SOCK_RAW, IPPROTO_RAW) his data transmit routine could have been much shorter beacuse the ip header would have been taken care of for him.

Another favorite.  In many cases the parameters this program revceives from it's handler are ip addresses that are already in network byte order.  In several places, he converts this for his use in approximately the following way:

unsigned char ip[4];  //this already contains a network order ip
char buf[32];
unsigned long targetIp;
sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
targetIp = inet_addr(buf);
Much wasted effort there.

In the program's "exec  with results" command, there is a buffer overlap problem that causes a random prefix of the plain text output of the just executed command to be exposed to network sniffers.  This is somewhat comical given the effort the author has gone through to encode those same results before sending them in an earlier part of the same result packet.  See this discussion and example for more information.

Whether intentional or not, 4 of the 9 canned DNS queries the author uses are malformed.

The program uses a large number of unnecessary buffer copy/move operations.  The coding and decoding algorithms could easily have been performed in place and are quite convoluted.  For every DoS command, the entire input buffer is shifted before passing a pointer to the shifted location to the actual DoS function.  He could easily have passed the pointer to the non-shifted data and saved himself some time.

Because the author has failed to authenticate ant input commands, this tool is very simple to hijack through use of command 2. Also if one of these programs is found running in the wild, use of command 1 can assist incident handlers in backtracking the attack.

8. What advancements in tools with similar purposes can we expect in the future?

This tool could certainly be refined in many ways to bring it up to the level of some of the more sophisticated DoS tools that are available today.  Some ways to improve this tool:
  1. Use true encryption rather than a simple encoding process
  2. Require authentication of input commands
  3. Use of covert channels for egress of information
  4. MAC address spoofing