Abstract

One of the Linux machines belonging to honeyp.edu was recently broken in to (hacked, in popular but wrong terms), and a software tool was installed on it by the attacker. Upon detailed analysis, the security team found that the installed software (referred to hereafter as the "Prot11 zombie" or generically as the "malware") was primarily a Distributed Denial-of-Service (DDoS) attack tool. It was installed to help the attacker temporarily shut down other computer systems, either inside Honeypot University network or on the Internet (e.g. Yahoo, Hotmail), using well-known attack techniques like DNS flood, IP fragment attacks, and TCP SYN flood. The Prot11 zombie has the capability to be remotely controlled by the attacker from anywhere on the Internet, in a stealthy way. In many ways it is similar to tools that were used in early 2000 to cause major service disruptions to CNN, Amazon, and eBay. Even though the Prot11 zombie was found on a Linux system, it is possible that it could work on other platforms as well. Methods that can be used to detect the presence of the Prot11 zombie include using network scanning tools (e.g. Nmap), examining systems with trusted security software, and using an Intrusion Detection System (IDS) configured to identify abnormal IP protocols. Measures that can thwart or reduce the effectiveness of attacks launched by such tools include egress filtering at Internet gateways and filtering out unused protocol at the firewall. If you are an end-user and would like your systems tested, please contact your system administrator. If you are a system administrator, please see the accompanying technical advisory for technical details on detecting and dealing with this malware.

How does the tool work?

The following fictitious example shows how the Prot11 zombie could be used to put amazon.com (or even honeyp.edu) out of business at least for some time. While the example is fictitious, the capabilities of the tool are real.
  1. The attacker breaks into a honeyp.edu host, installs the Prot11 zombie, and starts it running.

  2. The attacker starts a controller program on his machine (or some other compromised machine).

  3. The controller sends a command to the attack tool, using an unused (and often non-monitored) network protocol. The command instructs it to launch a TCP SYN attack against www.amazon.com, Amazon's World Wide Web server.

  4. The attack tool sends TCP SYN packets to www.amazon.com at a very rapid rate (specified by the attacker). www.amazon.com is so busy handling these packets that no other business could be performed for some time.

  5. To www.amazon.com, these packets will not appear to come from where they are actually coming from, but from some arbitrary IP address. If the random source IP feature of the attack tool is turned on, they will all appear to be coming from different machines.

  6. After a while, the controller instructs the attacker to stop.
TCP SYN flood one of the attacks provided by the tool. Other attacks that the Prot11 zombie can perpetrate are DNS request flood, DNS response flood and IP fragments flood. Note that this is in fact a very simple example. It is entirely possible that the controller operates many of the Prot11 zombies simultaneously, perhaps through a well-known technique of "amplifiers", with the result of hundreds of zombies simultaneously attacking the www.amazon.com server. It should also be pointed out that while the source address of the attack traffic can be forged, with some work the attack packets can be traced back to their origin, or to honeyp.edu in this case, which might face some liability for providing the platform that launched part of the attack. For this reason, it is very important that such tools be discovered and removed from within the honeyp.edu network as quickly as possible.

Other threats posed by the tool

Though the Prot11 zombie is primarily a Denial-of-Service tool, it can also be used to help the attacker take over other systems inside Honeypot University network. This power comes from the ability of the attack tool to execute any commands (specified by the attacker) on the victim machine with administrator privileges. This capability is sometimes referred to as a "backdoor" into the compromised system, because the attacker can return and use the system without having to go through the standard authentication procedure. For example, the attacker could run a key logging program to collect passwords typed on the victim machine by the users while logging into other machines. This then allows the attacker access to those machines. Thus it's not difficult for the attacker to take over an entire network in a short period of time.

How to detect presence of such tools

If you are an end-user, it is best to contact your security or system administrator to evaluate whether your machine has the Prot11 zombie installed. There are subtle issues that arise in testing a system which may have been compromised, and security administrators have experience in dealing with these issues. The following tips are given for more technically knowledgable users, and more details can be found in the accompanying technical advisory.

First, the system administrator should be aware of what services are supposed to be offered by a machine. Only the corresponding protocols (e.g. TCP which is IP protocol no. 6, UDP which IP protocol no. 17) and ports should be open on the machine. This can be checked from a "safe" system (one that is known to not be compromised) using scanning software like Nmap. If any protocols or ports are found open other than the authorized services, it's possible that you are some attack tool. In particular, a "protocol scan" can be performed with Nmap to see if the machine is accepting IP protocol 11 packets, which is an indication of the Prot11 zombie running.

The Prot11 zombie may also show up in a process listing (the output from ps -ef) using the program name [mingetty]. Note that "mingetty" is actually a legitimate program, but the true mingetty program will show up in the process listing without the square brackets. Also, netstat can be used to see if there is a process listening for raw protocol 11 packets. Warning: The techniques just described are not a reliable way of determining that your system is not running the Prot11 zombie! Remember that if the Prot11 zombie has been installed, then the machine has been compromised, and the attacker could have easily installed programs (sometimes called "rootkits") that can make it so the zombie does not appear in either ps output or netstat output. While seeing the signs just described are signs that the Prot11 zombie is running, lack of these signs is not an indication that your machine is clean!

If an unknown binary is discovered on your Linux system, it can be checked to determine if it is the Prot11 zombie. First, execute the following command from a Linux shell (the middle character of "TfOjG" is a capital letter O): 

    strings unknown-binary | grep -C3 TfOjG
If the "unknown-binary" is the Prot11 zombie, the following output will be seen: 
    [mingetty]
    /tmp/.hj237349
    /bin/csh -f -c "%s" 1> %s 2>&1
    TfOjG
    /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin/:.
    PATH
    HISTFILE

Finally, an Intrusion Detection System (IDS) can be configured to detect the control packets for the Prot11 zombie. In particular, the IDS should flag any IP protocol 11 packets as being suspicious (in general, all protocols and ports other than the useful ones should be flagged).

When attacking other sites, this tool will produce a very high volume of network data. You might be able to notice that using tools like sysstat, which summarize your system activity.

How to defend against these attacks

Obviously the best defense against the Prot11 zombie is to not have your systems broken into in the first place. Systems should be kept up-to-date with the latest security patches, and should be properly administered to achieve a reasonable level of security. However, despite the best efforts toward these goals, system security will occassionally be breached. To protect against the Prot11 zombie, or other DDoS tools, the following general techniques are useful:
  1. All protocols and ports other than the useful ones should be blocked at the firewall, so that the attacker cannot communicate with the attack tool to launch any attacks.

  2. The network traffic generated during attacks has a typical behavior. IDS signatures can be developed or purchased (if not already present) to detect the kind of traffic, and flag it as suspicious.