Commands
Common Setup
All commands are contained in a single IP packet with protocol 9. Immediately following the IP header are two bytes, the first of which must be 2; the second byte is ignored. There are two requirements on the rest of the packet. First, it must be long enough that the entire packet is more than 200 bytes. Second, it is encoded with the process listed earlier.
Command 1: Query
Get current status.
    Byte  Length  Content
    0     1       0
    1     1       1         Command number

This command returns the current status of the program. The entire payload is encoded using the same algorithm as the commands and is sent in an IP protocol 9 packet. Where the response is sent is described under Command 2. The contents of the response are as follows:
    Byte  Length  Content
    0     1       ???       contents of x80675e5
    1     1       1
    2     1       7
    3     1       mode      0 = none; 1 = active

The rest of the data returned is random (actually just whatever is in the receive buffer). The total length sent is random, from 400 to 600 bytes (plus the IP header).
Command 2: Config
Configure return mode and addresses.
    Byte  Length  Content
    0     1       0
    1     1       2         Command number
    2     1       mode      (0, 1 or 2)
    3     4       IP        primary response IP
    {if mode == 2
    7     4       IP        alternate or noise
    11    4       IP        alternate or noise
    15    4       IP        alternate or noise
    19    4       IP        alternate or noise
    23    4       IP        alternate or noise
    27    4       IP        alternate or noise
    31    4       IP        alternate or noise
    35    4       IP        alternate or noise
    39    4       IP        alternate or noise
    }

This command sets up the binary for responses. In mode 0 the responses are sent directly to the primary response IP. In mode 1, nine random addresses are generated and the primary IP is inserted at a random position in the list; the responses are then sent to each of the ten in turn. In the last mode the ten addresses are taken directly from the command. One of the addresses, however, is dropped at random, and that slot keeps whatever address was last in it.
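The following decoder is an added example for analysts working from a capture; it is not code from the original analysis or from the binary. It takes a Command 2 payload after the binary's decoding step has been undone and splits it into the fields of the table above. The layout is the page's; the only assumption is that the 4-byte IP fields are in network byte order, and the mode names are invented for readability.

```python
import ipaddress

# Mode names are assumed for readability; the analysis only numbers them.
MODE_DIRECT, MODE_DECOY, MODE_LIST = 0, 1, 2
N_ALTERNATES = 9       # bytes 7..42 carry nine more addresses when mode == 2


def decode_config(payload: bytes) -> dict:
    """Parse an already-decoded command 2 payload into its fields.

    Raises ValueError on anything that does not match the layout, so a
    mis-decoded or truncated capture fails loudly rather than yielding
    garbage addresses.
    """
    if len(payload) < 7:
        raise ValueError("payload shorter than the fixed 7-byte part")
    if payload[0] != 0:
        raise ValueError("byte 0 must be 0, got %d" % payload[0])
    if payload[1] != 2:
        raise ValueError("not a command 2 payload (command number %d)" % payload[1])
    mode = payload[2]
    if mode not in (MODE_DIRECT, MODE_DECOY, MODE_LIST):
        raise ValueError("mode must be 0, 1 or 2, got %d" % mode)
    # Assumption: addresses are stored in network byte order.
    primary = ipaddress.IPv4Address(payload[3:7])
    alternates = []
    if mode == MODE_LIST:
        need = 7 + 4 * N_ALTERNATES
        if len(payload) < need:
            raise ValueError("mode 2 needs %d bytes, got %d" % (need, len(payload)))
        for i in range(N_ALTERNATES):
            off = 7 + 4 * i
            alternates.append(ipaddress.IPv4Address(payload[off:off + 4]))
    return {"mode": mode, "primary": primary, "alternates": alternates}


# Constructed sample payloads (RFC 5737 documentation addresses), not captures.
SAMPLE_MODE0 = bytes([0, 2, 0, 192, 0, 2, 10])
SAMPLE_MODE2 = (bytes([0, 2, 2, 192, 0, 2, 10])
                + b"".join(bytes([198, 51, 100, i]) for i in range(1, 10)))

if __name__ == "__main__":
    for sample in (SAMPLE_MODE0, SAMPLE_MODE2):
        cfg = decode_config(sample)
        print("mode", cfg["mode"], "primary", cfg["primary"],
              "alternates", [str(a) for a in cfg["alternates"]])
```

In mode 1 only the primary address is visible in the command; the nine decoys are generated on the victim, so a capture of the command cannot tell you which of the ten response destinations was the real collector. In mode 2 all ten are in the command, but the binary drops one of them at random, so the operator's full list is recoverable even though one slot will not be used.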
Command 3: Run
Run a command and return results.
    Byte  Length   Content
    0     1        0
    1     1        3         Command number
    2     (1,255)  text      command to execute

The command specified is executed and its output (stdout and stderr) is returned. The response packets are sent to the locations described in Command 2. The file is sent 400 bytes at a time in IP protocol 9 packets. The payload is encoded using the same algorithm that is used to encode the commands. The format of the payload is as follows:
    Byte  Length   Content
    0     1        unspecified
    1     1        first     3 = first packet of response; 4 = following packet
    2     (1,400)  data
Command 4: DNS1a
DNS attack form 1 version a
    Byte  Length   Content
    0     1        0
    1     1        4         Command number
    2     4        IP
    6     2        port      udp source port (network order)
    8     1        flag      non-zero means use hostname
    9     (0,255)  text      hostname of target

The binary contains a list of IP addresses starting at 0x806d22c; these addresses are listed in the file "target_ip_addrs". This attack sends a series of DNS queries to the IP addresses in the list. The source address for the queries is taken either from the IP address in the command or, if host_flag is non-zero, from the hostname.
The queries sent are SOA requests for the following domains: com, net, de*, edu, org, ucs.edu, es*, gr*, and ie*. The entries marked with * are invalid requests. Looking at the contents of the packet for the de request we see:
    00  0050 56c0 0001 0050 56cf e782 0800 4500  .PV....PV.....E.
    10  0030 0b00 0000 da11 a991 1211 100f 0405  .0..............
    20  0607 0035 0035 001c 0000 0c37 0100 0001  ...5.5.....7....
    30  0000 0000 0000 0364 6500 0006 0001       .......de.....

The query itself starts at 0x36. The 3 is taken as the length of the name to look up, which picks up the 'd', 'e' and '\0'. The 0006 is the type SOA and 0001 is the class INET. However, DNS expects a zero byte after the string and so picks up the 00 from 0006. This throws the type and class off, and the query is short by one byte. It appears that the author mistakenly reused the 3 from the com, net, etc. queries. This list was generated by watching the packets with ethereal and observing its decoding of the DNS protocol. A copy of the output for a sample of all nine queries used is in dns.txt.
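To make the off-by-one concrete, here is an added example (not part of the original analysis) that re-parses the question section of the de packet the way a resolver would. The frame bytes are transcribed from the dump above; the only other thing it builds is the encoding the author evidently intended (label length 2), for comparison. It returns the labels as raw bytes so the swallowed NUL is visible.

```python
import struct

# Ethernet(14) + IPv4(20) + UDP(8) + DNS(20), transcribed from the dump above.
DE_QUERY_FRAME = bytes.fromhex(
    "0050 56c0 0001 0050 56cf e782 0800 4500"
    "0030 0b00 0000 da11 a991 1211 100f 0405"
    "0607 0035 0035 001c 0000 0c37 0100 0001"
    "0000 0000 0000 0364 6500 0006 0001"
)
DNS_OFFSET = 14 + 20 + 8          # 0x2a; the question section starts 12 bytes later, at 0x36

# What the author presumably meant: a two-byte label "de", root terminator, SOA, IN.
INTENDED_QUESTION = b"\x02de\x00" + b"\x00\x06\x00\x01"


def parse_question(msg: bytes, off: int) -> dict:
    """Parse one DNS question (QNAME, QTYPE, QCLASS) starting at msg[off].

    Labels are returned as raw bytes so an embedded NUL shows up.  Fields
    that run past the end of the message come back as None and set
    'truncated'.  Compression pointers are not handled; these queries do
    not use them.
    """
    labels = []
    truncated = False
    while True:
        if off >= len(msg):
            truncated = True
            break
        n = msg[off]
        off += 1
        if n == 0:                      # root label ends the name
            break
        if off + n > len(msg):
            truncated = True
        labels.append(msg[off:off + n])
        off += n

    def read_u16(pos):
        if pos + 2 <= len(msg):
            return struct.unpack("!H", msg[pos:pos + 2])[0], pos + 2
        return None, pos

    qtype, off = read_u16(off)
    qclass, off = read_u16(off)
    truncated = truncated or qtype is None or qclass is None
    return {"labels": labels, "qtype": qtype, "qclass": qclass,
            "end": off, "truncated": truncated}


def frame_lengths(frame: bytes) -> tuple:
    """(IP total length, UDP length, DNS bytes actually present) for a sanity check."""
    ip_len = struct.unpack("!H", frame[14 + 2:14 + 4])[0]
    udp_len = struct.unpack("!H", frame[14 + 20 + 4:14 + 20 + 6])[0]
    return ip_len, udp_len, len(frame) - DNS_OFFSET


def analyse_query(frame: bytes = DE_QUERY_FRAME) -> dict:
    """Parse the DNS header count and the first question of a UDP/DNS frame."""
    msg = frame[DNS_OFFSET:]
    qdcount = struct.unpack("!H", msg[4:6])[0]
    return {"qdcount": qdcount, **parse_question(msg, 12)}


def intended_frame() -> bytes:
    """The same frame with the question encoded as the author apparently intended."""
    return DE_QUERY_FRAME[:DNS_OFFSET + 12] + INTENDED_QUESTION


if __name__ == "__main__":
    print("lengths (ip, udp, dns):", frame_lengths(DE_QUERY_FRAME))
    print("as sent:  ", analyse_query())
    print("intended: ", analyse_query(intended_frame()))
```

On the packet as sent the parser yields a single label b"de\x00", a QTYPE of 0x0600 (the 00 from 0006 became the root terminator, so type is read one byte late) and no QCLASS at all, which is exactly the "short by one byte" the analysis describes. The length fields (48, 28, 20) are consistent with each other, so this is not a capture artefact; the DNS payload really is one byte shorter than the name encoding requires.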
Command 5: UDP/ICMP
    Byte  Length   Content
    0     1        0
    1     1        5         Command number
    2     1        select    0 = ICMP 1 = UDP
    3     1        dport     destination udp port
    5     4        IP        IP destination
    9     4        IP        IP source
    13    1        flag      non-zero means use hostname
    14    (0,255)  text      hostname of target

This command starts an attack using either UDP packets or ICMP packets, depending on the value of select. For the UDP attack the destination port is provided in the command. The source and destination IPs are provided, or the destination can be specified by hostname by setting host_flag to non-zero. The ICMP packets are set up as ECHO REQUESTs (pings).
Both of these attacks, however, use a malformed IP header: the fragment bit is clear, but the fragment offset is 65520. The size of the offset leads one to believe that part of the intent is to cause an overflow.
Command 6: SHELL
    Byte  Length  Content
    0     1       0
    1     1       6         Command number

This command allows the remote user to connect to the machine with a shell. It spawns a server that listens on port 23281. Once a connection is established, it checks the data it receives for the string "SeNiF\n". If found, it forks a subprocess that hooks the socket to its standard I/O descriptors and execs a Bourne shell. The attacker then has full access to a root shell.
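The three network-visible fingerprints described so far (the protocol 9 command framing from the Common Setup section, the 65520 fragment offset of the UDP/ICMP attack, and the "SeNiF\n" trigger on port 23281 from this command) can be checked from the raw IP packet alone. The following is an added example written for this page, not code from the original analysis; it parses the IPv4 header itself, and builds constructed sample packets (zero checksums, RFC 5737 addresses) to exercise each check. Reading "the fragment bit is clear" as the more-fragments bit is an assumption.

```python
import struct

C2_PROTO = 9                 # every command and response rides in IP protocol 9
C2_MIN_TOTAL_LEN = 201       # "the entire packet is more than 200 bytes"
C2_FIRST_BYTE = 2            # first byte after the IP header must be 2
ATTACK_FRAG_OFFSET = 65520   # fragment offset carried by the UDP/ICMP attack packets
SHELL_PORT = 23281
SHELL_TRIGGER = b"SeNiF\n"


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields needed for the checks below."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    (vihl, _tos, total_len, _ident, fragword, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    return {
        "total_len": total_len,
        "proto": proto,
        "df": bool(fragword & 0x4000),
        "mf": bool(fragword & 0x2000),
        "frag_offset": (fragword & 0x1FFF) * 8,   # 13-bit field in units of 8 bytes
        "src": src,
        "dst": dst,
        "payload": pkt[ihl:total_len],
    }


def indicators(pkt: bytes) -> list:
    """Names of the indicators this packet matches (empty list if none)."""
    hits = []
    ip = parse_ipv4(pkt)
    data = ip["payload"]
    # Command framing: protocol 9, more than 200 bytes, first payload byte 2.
    if (ip["proto"] == C2_PROTO and ip["total_len"] >= C2_MIN_TOTAL_LEN
            and len(data) >= 2 and data[0] == C2_FIRST_BYTE):
        hits.append("proto9-command-framing")
    # Malformed header from the UDP/ICMP attack: offset 65520 with the
    # more-fragments bit clear (assumption: that is the "fragment bit" meant).
    if ip["frag_offset"] == ATTACK_FRAG_OFFSET and not ip["mf"]:
        hits.append("bogus-fragment-offset")
    # Backdoor shell: TCP to port 23281 carrying the trigger string.
    if ip["proto"] == 6 and len(data) >= 20:
        _sport, dport, _seq, _ack, doff_flags = struct.unpack("!HHIIH", data[:14])
        doff = (doff_flags >> 12) * 4
        if dport == SHELL_PORT and SHELL_TRIGGER in data[doff:]:
            hits.append("shell-trigger")
    return hits


def build_ipv4(proto: int, payload: bytes, fragword: int = 0) -> bytes:
    """Constructed test packet: checksum left at zero, so not valid on the wire."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x0b00,
                      fragword, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return hdr + payload


# Constructed samples, one per indicator plus a benign DNS-sized UDP packet.
SAMPLE_C2 = build_ipv4(9, bytes([2, 0]) + b"\xaa" * 240)
SAMPLE_FRAG = build_ipv4(17, b"\x00\x35\x00\x35\x00\x18\x00\x00" + b"x" * 16,
                         fragword=0x1FFE)          # 0x1FFE * 8 == 65520, MF clear
SAMPLE_SHELL = build_ipv4(6, struct.pack("!HHIIHHHH", 40000, SHELL_PORT, 1, 1,
                                         0x5018, 8192, 0, 0) + SHELL_TRIGGER)
SAMPLE_BENIGN = build_ipv4(17, b"\x00\x35\x00\x35\x00\x08\x00\x00")

if __name__ == "__main__":
    for name, pkt in [("c2", SAMPLE_C2), ("frag", SAMPLE_FRAG),
                      ("shell", SAMPLE_SHELL), ("benign", SAMPLE_BENIGN)]:
        print(name, indicators(pkt))
```

The command-framing check is deliberately loose: it cannot see inside the encoded payload, so any protocol 9 packet over 200 bytes whose first byte is 2 is flagged, which is acceptable because protocol 9 (IGP) is essentially never seen on a normal host. The fragment-offset check is the most specific of the three, since no legitimate stack emits a last-fragment offset of 65520 with a full-size payload.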
Command 7: SYSTEM
    Byte  Length   Content
    0     1        0
    1     1        7         Command number
    2     (1,225)  text      command to execute

Command 7 executes the given command. Nothing is returned; the effect is only whatever effect the command has.
Command 8: KILL
    Byte  Length  Content
    0     1       0
    1     1       8         Command number

The binary remembers which attack it is currently executing (SHELL counts as an attack here); this is one of the pieces of information available with the QUERY command. This command stops the attack by killing the process running it.
Command 9: DNS1b
    Byte  Length   Content
    0     1        0
    1     1        9         Command number
    2     4        IP
    6     1        burst
    7     2        port      udp source port (network order)
    9     1        flag      non-zero means use hostname
    10    (0,255)  text      hostname of target

This attack is very similar to the DNS1a attack. The only difference is the burst parameter. With the original attack there is a very short delay (300 microseconds) between each packet; here the binary sends out {burst} packets before delaying. There is also a counter that controls how often the hostname is looked up. The counter starts at 2428 and is decremented once for each burst (or packet if there is no burst). This counter is implemented in all attacks that provide a hostname.
Command 10: TCPa
    Byte  Length   Content
    0     1        0
    1     1        10        Command number
    2     4        IP        destination ip
    6     2        dport     destination port (network order)
    8     1        rand_flag non-zero means use random source addr
    9     4        IP        source ip
    13    1        host_flag non-zero means use hostname
    14    (0,255)  text      hostname

TCPa implements a traditional SYN flood attack. The target is specified by the first IP address or the hostname. If rand_flag is 0 then a random source address is used for each packet, otherwise the provided one is used.
Command 11: TCPb
    Byte  Length   Content
    0     1        0
    1     1        11        Command number
    2     4        IP        destination ip
    6     2        dport     destination port (network order)
    8     1        rand_flag non-zero means use random source addr
    9     4        IP        source ip
    13    1        burst
    14    1        host_flag non-zero means use hostname
    15    (0,255)  text      hostname

This attack is exactly the same as TCPa, with the addition of a burst parameter as used in DNS1b.
Command 12: DNS2
    Byte  Length   Content
    0     1        0
    1     1        12        Command number
    2     4        IP        dest IP
    6     4        IP        source IP or zeros
    10    1        burst
    11    2        sport     source port (network order)
    13    1        host_flag non-zero means use hostname
    14    (0,255)  text      hostname

The final command issues a DNS attack against a particular target. As with the other commands, the target can be given by IP address or hostname. The source address may be specified or be random for each request. The sequence of requests is the same as in DNS1a and DNS1b.