A new attack tool, used by the blackhat community has been discovered and reverse engineered, it turns out that
our network has been used as a slave in a Distributed Denial of Service (DDoS) attack. Among with the DDoS features
the tool also allowed a remote hacker to take over the system completely by means of a rootshell bound to a port
and the possibility to execute single commands.
Detecting an infection on network scale
First of all make sure you watch your network for traffic on non standard IP protocols, this tool is using IP protocol
11 (NVP) to distribute its commands, but variants could be using another protocol. You can easily configure
snort to warn you if this kind of traffic is detected by enabling the
'Non-Standard IP protocol' and 'Unassigned/Reserved IP protocol' rules in the bad-traffic.rules file.
Other signs of an infection would be attempted DoS attacks launched from these machines, most of these attacks
include spoofed source addresses, so make sure you're router or firewall logs and blocks all spoofed packets that
clients attempt to send out. See RFC 2827 for more information.
Detecting an infection at a host
If a host is infected it is listening for data on a non standard protocol, you can see if it does by doing a
netstat -an | egrep ^raw. And checking if there are other protocols than tcp, udp and icmp listening.
Example on an infected machine:
testbox:~# netstat -a | egrep ^raw
raw 0 0 *:11 *:* 7
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
The line that says *:11 means it is listening for protocol 11, so this machine is infected!
Cleaning an infection
The tool usually hides itself as a [mingetty] process. This way it fakes to be a swapped out process but it is not
in the ps aux output look for processes called [mingetty] that have either a higher PID than other mingetty processes
or does not have the W flag set. Another method if identifying the process the attack tool is running under is by using
lsof to list open files.
testbox:/proc# lsof | grep raw
the-binar 194 root 0u raw 193 00000000:000B->00000000:0000 st=07
Shows that this machine is infected and shows that the tool is running as pid 194.
Cleaning an infection
When a machine is infected this means that not only the attack tool is running there but also that there is a remotely
exploitable hole in the machine, otherwise the tool could not have been installed! Be sure to update the machine with all
vendor supplied patches before bringing it back onto the network. You could use a tool like
Nessus to test the machines in your network for remotely exploitable holes.
After you are sure the system is secure again remove the tool by killing its process and removing the binary from the system.
Being prepared for attacks
An important part of securing systems is to be prepared for attacks and to know the hacker's tools. Be sure you are
subscribed to the same mailing lists the blackhat's are subscribed to (i.e. bugtraq) and regularly monitor webpages
that contain exploits (for example Packetstorm) to discover trends
and other information on the tools that WILL be used against you some day!
We have to take better care of keeping all of our systems secure, the fact that machines have been infected by this
tool indicates that they were vulnerable to remotely exploitable attacks. Be sure to install snort rules to
detect infections by this tool on a network scale and install firewall rules that will block IP spoofing from within our network.
Please report on the vulnerabilities you find on the machines you clean of the DDoS tool to allow better security monitoring
on our network.