Identify and explain the purpose of the binary

"the-binary" is another Distributed Denial of Service (DDoS) attack tool. Additionaly the attacker has full control over the host running the-binary. That said it can be used to as one of the agents in a DDoS attack and/or can act as a backdoor. It has to be installed on a host after a compromise: it does not provide any means to gain root privileges and refuses to run if not run with EUID == 0.

Identify and explain the different features of the binary. What are its capabilities?

the-binary can be controlled remotely from network. It uses an otherwise seldom used IP protocol number 0x0b (reserved by IANA for NVP-II Network Voice Protocol). Responses (by the status and execute commands) are also sent using this channel of communication. Every packet (both commands and responses) are crypted using a simple protocol (described in detail below).

The attacker can register up to 10 controllers (though in 90% of cases one address will be registered twice and one will be silently ignored) or register just one address. If only one address is registered the-binary can send its responses either only to this address (useful for testing purposes) or to the registered and 9 other IPs chosen randomly, thus disguising the true IP of the attacker.

The attacker has 3 ways of executing commands on the host running the-binary:

  1. execute command and return output to the attacker
  2. execute command silently (the output is ignored by the-binary)
  3. spawn a shell
Shell is spawned on port 0x05a1f and is password protected. By default it is "SeNiF" but it's trivial to change it with a hex editor.

the-binary is capable of performing 4 types of DDoS attacks:

  1. Fragments flood
  2. TCP SYN flood
  3. DNS flood
  4. DNS reflection
All of the attacks can be performed against a given IP address or a given hostname. If hostname is provided the-binary tries to resolve it in an indefinete loop, making 600 seconds sleeps between unsuccessful attempts. The attacker can also control how often the hostname will be resolved during the attack, making it possible to flood more than one IP address in case of round-robin DNS.

All attacks run in an endless loop until terminated by the attacker (speacial command is provided in the-binary which kills the process that performs DoS). Additionaly a status command is available which informs the attacker if the-binary is currently running any attack and if so, what kind of attack it is.

Ad 1 The-binary sends a constant stream of IP packets which appear as a part of bigger IP datagram. However the IP ID field is constant, so it shouldn't pose problems for nowadays routers and hosts. The protocol field can be set to UDP or ICMP. Source IP address of the packets sent can be set by the attacker to any value.

Ad 2 The victim is flooded with SYN packets destined to a given port. Attacker can provide one IP address which will be set as a source address in all of the packets or a flag can be set to provide a random address for each packet sent. Each packet will also have random IP TTL, IP ID, TCP Window, TCP ISN, and TCP source port.

Ad 3 A given DNS server is flooded with DNS queries. There are 9 queries hard-coded within the-binary. They're used in round-robin fashion. All of the queries are about SOA of com. net. de. edu. org. usc.edu. es. gr. ie. Queries about 2 letter suffixes are flawed: the length is set to 3, not to 2. The spoofed source address can be either chosen randomly or set by the attacker. If it is set by the attacker 2 hosts can be DoSed: the DNS server itself and the host which will receive the responses (or error notifications in case of the buggy queries).

Ad 4 the-binary has a hardcoded list of 11418 DNS servers which are used in this attack. The same 9 queries as in DNS flood are used by this time in different way: queries are sent to all of the DNS servers on the list with IP source address set to the victim's IP. Then the victim is DoSed by the responses (or error notifications as noted above) from all of the DNS servers which are up at the time of attack. This attack has a potential of bandwidth amplification of factor 2 (the response is ca. twice the size of the query). However with 4 buggy queries out of 9 (error notification is almost the same size as the query) it reaches only 14/9 ratio.

The binary uses a network data encoding process. Identify the encoding process and develop a decoder for it

The encryption algorithm is simple: the first byte of data is incremented by 0x17 and the other bytes are processed from left to right (from the 2nd byte till the last one), incrementing every byte by the previous byte and adding 0x17 to the result. The encode routine (in fact it's an attempt to write a C code which will compile to code as close to the one found in the-binary as possible):
void encode(uchar *encoded, uchar *data, int len)
{
        int i;

        encoded[0] = zero;
        sprintf(encoded, "%c", data[0]+0x17);
        for (i = 1; i < len; i++)
                encoded[i] = data[i]+encoded[i-1]+0x17;
}
zero is a global variable of type int set to 0. Unfortunately it isn't as closed (compiled with gcc-2.7.2 -O2) as the decode routine, also present in the-binary:
void decode(uchar *decoded, uchar *data, int len)
{
        int i = len-1, j, k;
        uchar tmp[len];
        uchar c;

        decoded[0] = zero;
        while (i >= 0) {
                j = i-1;
                if (i) c = data[i]-data[j]; else c = data[0];
                k = c - 0x17;
                while (k < 0) k += 0x100;
                j = 0;
                while (j < len) { tmp[j] = decoded[j]; j++; } // **
                decoded[0] = k;
                j = 1;
                while (j < len) { decoded[j] = tmp[j-1]; j++; }
                sprintf(decoded, "%c%s", k, tmp);
                i--;
        }
}

Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well

the-binary uses a seldom used IP protocol (0x0b) which can be dropped by properly configured routers (with identification being logs of dropped packets). Also IDS (Intrusion Detection Systems) can notify of any IP packets of unused protocol.

Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered

Frankly havent't spotted any. Besides two consecutive forks (as lcamtuf noted) which could sometimes fool ptrace-based tools and rather messy code (see decode function above).

Identify two tools in the past that have demonstrated similar functionality

It would be TFN or Stacheldracht.

What kind of information can be derived about the person who developed this tool? For example, what is their skill level?

The author seems to have problems with C programming in Unix evironment. Temporary files used where pipes would be more appropriate, bizarre programming constructions (passing IP as 4 ints, converting them to a string and using gethostbyname at the end to get inaddr_t). Errors in DNS queries as well as ignoring SIGCHLD twice suggest that cut-and-paste was used in creation of this tool. Those bugs also prove that it didn't receive much testing. I would imagine the author as a rather unexperienced person who created this tool after reading some block-hats FAQs or tutorialson writing DDoS tools.

What advancements in tools with similar purposes can we expect in the future?

The advancements can go in several directions: