Security Advisory by mat


1. Description
	A backdoor and DoS agent program named the-binary is spreading these days. The
	binary uses a raw socket for its communication with the master, and the packets
	are forged, so detecting the communication is not easy.
	The program uses IP directly, not TCP, UDP or ICMP: it carries its own protocol in
	IP packets with protocol number 11 (officially assigned to NVP-II, and essentially
	never seen on a normal network). This makes detection hard, since most monitoring
	only looks at TCP, UDP and ICMP. The communication is also slightly encoded, so the
	contents of the packet flow are not clear text in most cases.
	The binary works mainly on Linux systems. We don't know whether variants for other
	platforms exist.
	


3. The threat it poses
	Its main function is to act as a DoS agent. It can generate classic SYN flood packets
	and massive DNS packets. On its own it can saturate or lock up a small 10 Mbit/s
	network. But if it is widely distributed and the master commands the agents to attack
	one target simultaneously, it can saturate or lock up 100 Mbit/s or larger networks.
	


4. How to detect
	There are several ways to detect it.

		1. In the network
		First, if your network is somewhat slow or your Internet connection dies from time
		to time, check the network with tcpdump and look for massive traffic such as SYN
		floods or bursts of DNS packets. If you find them, the traffic may be generated by
		this agent. If the source of the massive traffic is located within your segment,
		you can pinpoint the host by its MAC address.
	
		More fundamentally, you can detect this agent by watching for IP protocol 11 traffic
		with snort, tcpdump or ethereal (a capture filter of "ip proto 11" is enough). But
		the command packets are rare, so you may have to wait a long time before one shows
		up.
		Variants may change the protocol number, which makes detection by protocol number
		alone unreliable. If a variant used the TCP or UDP protocol number for its own
		proprietary protocol, detection would be much harder work.
		In general, watching the network traffic for abnormal and unusual patterns is needed:
		any IP protocol other than ICMP, TCP and UDP on a segment that does not use IPsec,
		GRE or similar deserves a look.

		2. In the system
		Check your Linux systems and verify they have not been root compromised. Use ps to
		look for a "[mingetty]" process. Your system may legitimately have such a process,
		so its presence alone proves nothing:
		matter:~/tb/t2# ps ax|grep ming
		13274 ?        S      0:00 [mingetty]  
		13290 ttypf    S      0:00 grep ming
		Use the "lsof" command to verify that this process is not the-binary. The process
		name in the ps listing is only argv[0], which the agent sets to "[mingetty]"; lsof
		reveals the executable that is really running and the files and sockets it holds:
		the-binar 13274 root  cwd    DIR        3,2    4096         2 /
		the-binar 13274 root  rtd    DIR        3,2    4096         2 /
		the-binar 13274 root  txt    REG        3,4  205108    912437 /mnt/archive/re/output/tb/t2/the-binary
		the-binar 13274 root    0u   raw                     18833170 00000000:000B->00000000:0000 st=07
	
		From the last line of the "lsof" output you can conclude that this program holds a
		raw socket: 000B in the local address field is the IP protocol number in hex
		(0x0B = 11), and 18833170 is the socket inode, the same value you will find in
		/proc/net/raw and behind /proc/13274/fd/0. A process named like a getty that holds a
		raw IP socket for protocol 11 must be some kind of hostile code.
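The lsof check above can be automated for a whole host. The following is an added example, not code from the original advisory or from the-binary's authors. It joins /proc/net/raw (one line per raw socket; the "port" half of local_address is the IP protocol number, the inode column ties it to a file descriptor) with each process's /proc/<pid>/fd links, and flags processes whose argv[0] (what ps shows) does not match the executable behind /proc/<pid>/exe. The /proc contents and process table below are constructed to mirror the lsof output in the text; scan_live() runs the same join against the real /proc on a Linux host and needs root to read other users' fd tables. The argv[0]-versus-exe comparison is a heuristic: symlinked or multi-call binaries can legitimately differ, so treat hits as leads to confirm with lsof, not as proof.

```python
"""Find processes holding raw IP sockets and compare the name ps shows with the real
executable. Added example for this advisory; the sample /proc data is constructed."""
import os
import re

# Constructed /proc/net/raw: a legitimate ICMP raw socket (a ping daemon) and
# the agent's protocol 11 socket with the inode seen in the lsof output above.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9001 2 0000000000000000 0
  11: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18833170 2 0000000000000000 0
"""

# Constructed process table: pid -> fd link targets, real exe, and argv[0] as ps shows it.
SAMPLE_PROCS = {
    842: {"fds": ["/dev/null", "socket:[9001]"],
          "exe": "/usr/sbin/pingd", "argv0": "pingd"},
    13274: {"fds": ["socket:[18833170]", "/dev/null"],
            "exe": "/mnt/archive/re/output/tb/t2/the-binary", "argv0": "[mingetty]"},
}


def parse_proc_net_raw(text):
    """Return {inode: protocol} for every raw socket listed in /proc/net/raw text."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        proto = int(fields[1].split(":")[1], 16)  # local 'port' of a raw socket = IP protocol
        inode = int(fields[9])
        sockets[inode] = proto
    return sockets


def match_raw_sockets(sockets, procs):
    """Join raw-socket inodes to processes and flag disguised names / uncommon protocols."""
    findings = []
    for pid, info in procs.items():
        for target in info["fds"]:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if not m or int(m.group(1)) not in sockets:
                continue
            proto = sockets[int(m.group(1))]
            real_name = os.path.basename(info["exe"])
            findings.append({
                "pid": pid,
                "proto": proto,
                "exe": info["exe"],
                "argv0": info["argv0"],
                # heuristic: the name ps shows differs from the binary actually running
                "disguised": info["argv0"].strip("[]") != real_name,
                # raw ICMP sockets (ping and friends) are normal; anything else is worth a look
                "uncommon": proto != 1,
            })
    return findings


def scan_live():
    """Run the same join against the real /proc (Linux only; root to see all processes)."""
    with open("/proc/net/raw") as f:
        sockets = parse_proc_net_raw(f.read())
    procs = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fds = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue                            # process exited or not ours to inspect
        procs[int(pid)] = {"fds": fds, "exe": exe, "argv0": argv0}
    return match_raw_sockets(sockets, procs)


if __name__ == "__main__":
    for finding in match_raw_sockets(parse_proc_net_raw(SAMPLE_PROC_NET_RAW), SAMPLE_PROCS):
        if finding["disguised"] or finding["uncommon"]:
            print(finding)
```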


5. Defend Against
	Block unused IP protocols on your routers and firewalls: permit only the protocols you
	actually use (typically ICMP, TCP and UDP, plus any IPsec or GRE you run) and drop the
	rest, protocol 11 included. Use an IDS to alert on any use of rarely used or never
	used IP protocols, since these are a natural hiding place for backdoor traffic.
	On Linux systems, make sure that all security patches have been applied, and verify
	that no root compromise has happened.
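The network-side detection described in section 4.1 and the IDS recommendation above amount to two checks on every IP packet: is the protocol number one the segment is expected to carry, and is some host emitting bare SYNs at a rate that looks like a flood. The following is an added example, not code from the original advisory or from the-binary's authors, that implements both checks over raw IPv4 packets so they can be run offline against packet bytes extracted from a capture. The sample traffic at the bottom is constructed (two protocol 11 packets, a burst of 50 SYNs from the same source, one normal SYN/ACK and one UDP packet); the address ranges, the "common protocols" set and the SYN threshold are assumptions to adjust for your own segment.

```python
"""Offline triage of IPv4 packets: flag uncommon IP protocol numbers (such as the
agent's protocol 11) and SYN-flood style bursts. Added example; sample packets are
constructed, not captured."""
import socket
import struct
from collections import Counter

# Assumption: a plain segment carries only ICMP, TCP and UDP. Add 50/51 (IPsec),
# 47 (GRE) etc. if your network legitimately uses them.
COMMON_PROTOCOLS = {1, 6, 17}


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for one IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # header length in bytes, options included
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    return proto, src, dst, pkt[ihl:]


def unusual_protocols(packets, common=COMMON_PROTOCOLS):
    """Count packets per (src, dst, proto) whose protocol is outside the common set."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed and parsed[0] not in common:
            proto, src, dst, _ = parsed
            hits[(src, dst, proto)] += 1
    return hits


def is_bare_syn(tcp):
    """True if a TCP header has SYN set and ACK clear (the first packet of a handshake)."""
    if len(tcp) < 14:
        return False
    flags = tcp[13]
    return bool(flags & 0x02) and not (flags & 0x10)


def syn_sources(packets, threshold):
    """Return {(src, dst): count} for sources sending more than `threshold` bare SYNs."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed and parsed[0] == 6 and is_bare_syn(parsed[3]):
            counts[(parsed[1], parsed[2])] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


# --- constructed sample traffic (not a real capture) ---------------------------

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


SAMPLE = (
    [build_ipv4(11, "10.0.0.5", "192.0.2.1", b"\x00" * 8)] * 2          # agent <-> master
    + [build_ipv4(6, "10.0.0.5", "198.51.100.9", build_tcp(40000 + i, 80, 0x02))
       for i in range(50)]                                                # SYN burst
    + [build_ipv4(6, "10.0.0.7", "198.51.100.9", build_tcp(51000, 80, 0x12))]  # SYN/ACK
    + [build_ipv4(17, "10.0.0.7", "192.0.2.53", b"\x00" * 12)]            # ordinary UDP
)

if __name__ == "__main__":
    for (src, dst, proto), n in unusual_protocols(SAMPLE).items():
        print(f"uncommon IP protocol {proto}: {src} -> {dst} ({n} packets)")
    for (src, dst), n in syn_sources(SAMPLE, threshold=20).items():
        print(f"possible SYN flood: {src} -> {dst} ({n} bare SYNs)")
```

The protocol check catches the agent's traffic regardless of its payload encoding, which is the point of section 4.1; the SYN check catches the agent while it is attacking even if a variant has moved to a different protocol number.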