Honeyp University was attacked on the 1st May, 2002 by an Internet attacker, targeting particular Linux systems within the University. A rogue piece of software was uploaded and executed on the compromised machines. The software was subsequently identified and analysed by Honeyp University systems security staff. This document describes, at a high level, the key components of the software, its purpose, and how to detect and defend against this type of software.
The purpose of the software was to attack other Internet systems, and saturate their network link. This renders their network unavailable to both their users, and users attempting to access them. The software was a combination system backdoor and denial-of-service agent. The denial-of-service agent was a multipurpose flooding system, similar to what was used to attack Yahoo! and eBay in early 2000. The backdoor component of the software allowed the attacker complete control of the system from their remote location.
The software listened for commands from an attacker, sent in a stealthy fashion designed to be difficult to identify. Upon receipt of the correct command sequences, denial-of-service attacks would be launched against the target contained in the command.
The software targets only Linux systems. The software would generate large amounts of network traffic from compromised hosts, and as such network performance would be typically degraded. If compromise is suspected, the software can be immediately identified by using the Unix command ‘netstat –an’ to identify listening raw sockets on protocol 11. Unix administration staff should read the advisory documentation provided with this information pack to find more information about the software.
Sample output of ‘netstat –an’ on a compromised host:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:23281 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:11 0.0.0.0:* 7
The software itself does not exploit any known
vulnerabilities in Linux operating systems. Therefore it is imperative
that exposed systems be kept to their current patch revisions to prevent
the initial compromise prior to the software being installed.
Using the software and documentation provided by Honeyp University systems security staff, the binary itself can be identified and removed. The software (detect.c) can be compiled and used by systems administrators to detect this particular software, and further technical information can be gained from the advisory documentation contained within this information pack.
Because of the malicious nature of this software, it is possible that the attacker may have modified other components of the system. For each case of detection of the malicious software within Honeyp University, Honeyp University systems security must be contacted, to determine the best course of action to prevent re-compromise.