Forexpros gas natural46 comments
Which us brokers are available to trade with binary options robot
The caputured binary is a backdoor program with the capability of launching denial of service attacks. It is designed to run on Linux systems. The attacker needs root access to install the backdoor on a comprimised machine. Once the binary is installed, the attacker uses a special backdoor client program to establish a connection to the system and execute commands. An interesting feature of the backdoor program is its use as a distributed denial of service DDoS tool.
When the backdoor receives a command from the attacker containing the victim's ip address or hostname , it starts a DoS attack against it. The DoS packet engine is very flexible and allows for many different kinds of attacks: With enought machines under the attacker's control, she can successfully impact major Internet sites, as evidenced by the events in Februrary When the binary is started, it detaches itself from the controlling tty and becomes a background process.
It overwrites its argv with the string "[mingetty]", which is the default name of the login process on RedHat systems.
Then it opens a raw socket and waits for command packets from the backdoor client. The communication channel between the backdoor and the client is rather ingenious. It is perhaps the most interesting part of this tool. The backdoor uses a unique approach to conceal the identity of the attacker who controls it. The client communicates with the backdoor via IP packets with the protocol field set to 0x0B 0x11 , which is an unassigned protocol number. These IP packets are very similar to UDP datagrams, in that they don't offer reliability and retransmission but can be easily spoofed.
All the packets sent from the client to the backdoor are spoofed, making it almost impossible to trace them back to their real source.
The only way to track down the attacker is to trace the replies from the backdoor to the client. How does the backdoor know where to send the replies to? When the attacker wishes to communicate with the backdoor she sends an init command containing 10 IP addresses, encoded with a proprietary XOR-strength encryption algorithm.
The source of the packet with the init command can be spoofed because the backdoor only uses the IP addresses inside the packet payload. Upon receiving the init command, the backdoor stores the client IP addresses. All replies are sent to all 10 client IP addresses. Only one of them needs to be the real IP address of the attacker. Looking at traffic generated by the backdoor it's impossible to the tell which address is the real one. If a system administrator or the authorities decide to go through the logs and track down the attacker, they will get 10 possible addresses, 9 of which are completely unrelated to the incident.
Many of the backdoor DDoS commands don't even send back replies and can be triggered with only one spoofed packet. There are 11 different commands that the backdoor can execute.
Each of them has a number of parameters. Here is a list of all commands and their descriptions:. The init command initializes the backdoor address list. If type is 0, only one IP address has to be specified in the ip parameter. All replies from the backdoor are sent to this IP address.
If type is 1, the replies will be sent to this address and 9 other random addresses. If type is 2, the attacker specifies 10 IP addresses and the replies are sent to all of them. The status command causes the backdoor to send a reply packet with the type of the currently running DoS or shell process.
Only one such process can be started at a time and it should be kill with the kill command when it is no longer needed. If no process is running, status return 0 idle. The kill command kills the currently running shell or DoS process. The shell command in the cmd is executed by the backdoor. Its stdout and stderr are discarded. No reply is sent. Its stdin and stderr are captured and the output is sent to the client as reply packets.
The attacker can use telnet or netcat to connect to this port. The first line sent to must match the backdoor password, otherwise the connection is terminated. The password in the binary captured by the honeynet project is "SeNiF". To kill the shell process, use the kill command. Launches a UDP flood attack.
The backdoor forks a new process which sends the packets. To stop the attack, use the kill command to kill this process the same applies to all DoS attacks available in the backdoor. The victim can be specified with the dst or hostname parameters. If a hostname is used it is resolved again after every packets have been sent, in case the dns record of the victim has changed. The source of the packets can be spoofed with the src parameter.
A variation of this attack is the ICMP smurf attack. If the attacker sends spoofed ICMP echo requests to the broadcast address of a vulnerable network, all hosts on the network will send their responses to the victim. The entire network will act as a traffic amplifier for the attack. This kind of attack was first reported by Edward Henigin in It is possible to use the backdoor a tool for a ICMP smurf attack, but we'll have to use the IP address of the victim, because the author of the backdoor did not include support for resolving the source IP address of the packet.
Launches a SYN flood attack. A good description of the SYN flood atack is the Phrack 48 article by route. The victim is specified with the dst or the hostname parameters.
The source ip address can be specified with src or left empty, in which case a random address is generated for each packet. It should be an open TCP port on the victim's system. If the parameter is not specified, the process sleeps after each packet.
Launches a DNS queries flood atack. Sends DNS queries for top-level domains. Useful for bringing DNS servers down. The victim is specified with the dst or hostname parameters. The source ip address of the queries can be given in src or a random address will be generated for each packet. Launches a DNS smurf attack using publicly accessible nameservers as traffic amplifiers.
The backdoor binary contains a hardcoded list of more than DNS servers. The backdoor forks a process which continuously sends DNS requests for top-level domains.
The address is resolved again after packets are sent, in case the dns record of the victim has been changed. All DNS servers will send their replies to the victim's ip address, causing a denial of service. If it is not specified, the process sleeps after each packet. All the packets between the client and the backdoor are sent as IP packets with protocol number 0x0B. They have the following format: Packets that contain commands from the client to the backdoor have a packet type of 2.
After decoding the packet data, the backdoor looks at the byte at offset 23 in the IP packet. It contains a number, identifying the backdoor command. Each command has a variable number of parameters which are stored at offset Packets sent from the backdoor to the client have a packet type of 3. The reply type is stored at offset The replies to the status command have a reply type of 1.
If the byte at offset 25 is 0 then the backdoor does not have a shell or DoS process running. Otherwise the byte at offset 26 contains the command id of the command that forked the child process. It is sent as a null terminated string, starting at offset A decoder for the backdoor communication protocol is available: It uses libpcap and can sniff traffic in realtime or read tcpdump files.
Running it on snort. There are two approaches an attacker can take to hide her traffic. She can try to mimic existing traffic as closely as possible, or she can try to make her packets stand out so much that nobody notices. Both approaches have advantages and disadvantages. The author of the this backdoor used an unused IP protocol number, relying on the fact that most firewalls and IDSes have an "accept by default" policy. Snort rule to detect traffic with an unknown IP protocol: Of course this doesn't help much, since there are lots of other ways to sneak traffic past a firewall or an IDS.
The author of the binary has tried to make it harder to analyze it by compiling it statically. This makes it impossible to tell which library functions are used with simple tools like objdump -t, but it doesn't stop more advanced tools like IDA and Fenris.
For more information on using IDA see the analysis section.