Identify and explain the purpose of the binary
"the-binary" is another Distributed Denial of Service (DDoS) attack tool.
Additionaly the attacker has full control over the host running the-binary.
That said it can be used to as one of the agents in a DDoS attack and/or
can act as a backdoor. It has to be installed on a host after a compromise: it
does not provide any means to gain root privileges and refuses to run if not
run with EUID == 0.
Identify and explain the different features of the binary. What are its
capabilities?
the-binary can be controlled remotely from network. It uses an otherwise
seldom used IP protocol number 0x0b (reserved by IANA for NVP-II Network Voice
Protocol). Responses (by the status and execute commands) are also sent using
this channel of communication. Every packet (both commands and responses) are
crypted using a simple protocol (described in detail below).
The attacker can register up to 10 controllers (though in 90% of cases one
address will be registered twice and one will be silently ignored) or register
just one address. If only one address is registered the-binary can send its
responses either only to this address (useful for testing purposes) or to the
registered and 9 other IPs chosen randomly, thus disguising the true IP of the
attacker.
The attacker has 3 ways of executing commands on the host running the-binary:
- execute command and return output to the attacker
- execute command silently (the output is ignored by the-binary)
- spawn a shell
Shell is spawned on port 0x05a1f and is password protected. By default it is
"SeNiF" but it's trivial to change it with a hex editor.
the-binary is capable of performing 4 types of DDoS attacks:
- Fragments flood
- TCP SYN flood
- DNS flood
- DNS reflection
All of the attacks can be performed against a given IP address or a given
hostname. If hostname is provided the-binary tries to resolve it in an
indefinete loop, making 600 seconds sleeps between unsuccessful attempts.
The attacker can also control how often the hostname will be resolved during
the attack, making it possible to flood more than one IP address in case of
round-robin DNS.
All attacks run in an endless loop until terminated by the attacker (speacial
command is provided in the-binary which kills the process that performs DoS).
Additionaly a status command is available which informs the attacker if
the-binary is currently running any attack and if so, what kind of attack it is.
Ad 1 The-binary sends a constant stream of IP packets which appear as a part
of bigger IP datagram. However the IP ID field is constant, so it shouldn't
pose problems for nowadays routers and hosts. The protocol field can be set to
UDP or ICMP. Source IP address of the packets sent can be set by the attacker
to any value.
Ad 2 The victim is flooded with SYN packets destined to a given port.
Attacker can provide one IP address which will be set as a source address in
all of the packets or a flag can be set to provide a random address for each
packet sent. Each packet will also have random IP TTL, IP ID, TCP Window, TCP
ISN, and TCP source port.
Ad 3 A given DNS server is flooded with DNS queries. There are 9 queries
hard-coded within the-binary. They're used in round-robin fashion. All of the
queries are about SOA of com. net. de. edu. org. usc.edu. es. gr. ie. Queries
about 2 letter suffixes are flawed: the length is set to 3, not to 2.
The spoofed source address can be either chosen randomly or set by the
attacker. If it is set by the attacker 2 hosts can be DoSed: the DNS server
itself and the host which will receive the responses (or error notifications
in case of the buggy queries).
Ad 4 the-binary has a hardcoded list of 11418 DNS servers which are used in
this attack. The same 9 queries as in DNS flood are used by this time in
different way: queries are sent to all of the DNS servers on the list with IP
source address set to the victim's IP. Then the victim is DoSed by the
responses (or error notifications as noted above) from all of the DNS servers
which are up at the time of attack. This attack has a potential of bandwidth
amplification of factor 2 (the response is ca. twice the size of the query).
However with 4 buggy queries out of 9 (error notification is almost the same
size as the query) it reaches only 14/9 ratio.
The binary uses a network data encoding process. Identify the encoding
process and develop a decoder for it
The encryption algorithm is simple: the first byte of data is incremented by 0x17
and the other bytes are processed from left to right (from the 2nd byte till the
last one), incrementing every byte by the previous byte and adding 0x17 to the
result. The encode routine (in fact it's an attempt to write a C code which
will compile to code as close to the one found in the-binary as possible):
void encode(uchar *encoded, uchar *data, int len)
{
int i;
encoded[0] = zero;
sprintf(encoded, "%c", data[0]+0x17);
for (i = 1; i < len; i++)
encoded[i] = data[i]+encoded[i-1]+0x17;
}
zero is a global variable of type int set to 0. Unfortunately it isn't as
closed (compiled with gcc-2.7.2 -O2) as the decode routine, also present in
the-binary:
void decode(uchar *decoded, uchar *data, int len)
{
int i = len-1, j, k;
uchar tmp[len];
uchar c;
decoded[0] = zero;
while (i >= 0) {
j = i-1;
if (i) c = data[i]-data[j]; else c = data[0];
k = c - 0x17;
while (k < 0) k += 0x100;
j = 0;
while (j < len) { tmp[j] = decoded[j]; j++; } // **
decoded[0] = k;
j = 1;
while (j < len) { decoded[j] = tmp[j-1]; j++; }
sprintf(decoded, "%c%s", k, tmp);
i--;
}
}
Identify one method of detecting this network traffic using a method that
is not just specific to this situation, but other ones as well
the-binary uses a seldom used IP protocol (0x0b) which can be dropped by
properly configured routers (with identification being logs of dropped
packets). Also IDS (Intrusion Detection Systems) can notify of any IP packets
of unused protocol.
Identify and explain any techniques in the binary that protect it from
being analyzed or reverse engineered
Frankly havent't spotted any. Besides two consecutive forks (as lcamtuf noted)
which could sometimes fool ptrace-based tools and rather messy code (see
decode function above).
Identify two tools in the past that have demonstrated similar
functionality
It would be TFN or Stacheldracht.
What kind of information can be derived about the person who developed
this tool? For example, what is their skill level?
The author seems to have problems with C programming in Unix evironment.
Temporary files used where pipes would be more appropriate, bizarre
programming constructions (passing IP as 4 ints, converting them to a string and
using gethostbyname at the end to get inaddr_t). Errors in DNS queries as well
as ignoring SIGCHLD twice suggest that cut-and-paste was used in creation of this
tool. Those bugs also prove that it didn't receive much testing.
I would imagine the author as a rather unexperienced person who created this
tool after reading some block-hats FAQs or tutorialson writing DDoS tools.
What advancements in tools with similar purposes can we expect in the
future?
The advancements can go in several directions:
- integrating worm functionality in DDoS attack tools. Those worms could be
quite sophisticated (as for the ones currently caught in the wild) to maximize
number of hosts taking part in a DDoS attack (imagine an attack mounted from
million hosts...)
- better hiding in system - integrating with kernel, using rootkits to cover
tracks, disabling or fooling any IDSes present on the compromised host,
fooling IDSes (e.g. using techniques described in "Insertion, Evasion, and Denial
of Service: Eluding Network Intrusion Detection" by Ptacek and Newsham)
- better attacks - ability to "learn" new attack techniques by downloading
additional modules form the net, using BGP routers to determine best network
routes of attack (e.g. identify all the links the victim is connected to the
net and try to saturate all of them)