Summary Report - the-binary, A Denial of Service Agent
May 27, 2002
Recently, an unauthorized piece of software was recently discovered on
one of the computers in the Honeynet project's experimental network.
The program was found only in its compiled, binary form, and no source
code was found to aid in determining the purpose of the program.
A reverse engineering effort was conducted in an attempt to determine the
purpose of the binary and detail its capabilities. The results and
effective countermeasures would be shared with the computer security community
This summary will briefly explain:
Motive for installing this program on the Honeynet system
The means by which this program may have been installed on the system
The capabilities of the program
How to detect and how to remove this program from infected systems
Denial of Service Attack Tools
Reverse engineering efforts identified this program as an "agent"
component of a Distributed Denial of Service (DDoS) network. A DDoS
network is a collection of compromised computers on which components of
a DDoS system have been placed. These components, when activated
by a malicious user, act in concert to deny a victim access to some resource
or service. A simple example of a denial of service attack would
be overwhelming a web based business, Amazon.com for instance, with bogus
connection requests. While the servers are busy handling the malicious
requests, legitimate customers might find it difficult to connect, possibly
resulting in lost revenue. Another example of a denial of service
might be flooding a corporate mail server with connection requests in order
to slow and perhaps even stop its performance. The resulting slowdown
in corporate communications could possibly wreak havoc on the company's
ability to perform its mission.
Denial of Service Networks
In order for an attacker to launch an attack of sufficient magnitude to
bring high-powered servers to their knees, an attacker will generally attempt
to create an army of computers that will, upon command, generate volumes
of traffic directed at a target system potentially disrupting normal functions
of the target system. An attacker will typically seek to compromise
as many accessible systems as possible in order to install DDoS tools and
to construct a DDoS army. Using compromised systems has several advantages
to the attacker:
A small snapshot of a typical DDoS network is shown to the right. A small
number of attaskers control a pyramid structure of handlers, which in turn
control an even larger layer of agents. The agents act as a force
multiplier for the attacker. On command from the attacker and via
the handlers, the agents launch a coordinated attack against a single target.
The attack generally attempts to consume some resource on the target machine,
making it unavailable for its intended purpose.
When the attack is launched, it will be conducted from machines other than
the attacker's and will not tie up the attacker's resources
The target system will fall under attack from many directions, making it
difficult, if not impossible, to trace the
attack back to its single point of origin.
Construction of The DDoS Network
An attacker constructs a DDoS network by taking control of as many computers
as possible. This usually takes place by exploiting known vulnerabilities
in operating systems or applications. With each newly exploited system,
the attacker extends the attack network. In many cases, gaining control
of one computer can lead to the exploitation of additional systems.
In highly automated attacks, an attacker's initial exploit may be self-propagating,
and preprogrammed to launch a DoS attack at a specific time and against
a specific target. The Code Red worm, which propagated via a vulnerability
in the Microsoft IIS web server, is an example of such an automated tool
whose eventual goal was to launch a denial of service attack against www.whitehouse.gov.
"the-binary", the topic of this summary, has no self-propagating properties.
It does, however require root privileges in order to execute properly,
and one can assume that if this program is found running on a system, the
computer has been fully compromised.
Capabilities of the-binary
This particular program offers its owner (handler) several capabilities.
The main functions are highlighted below
Control commands utilize "Network Voice Protocol II" IP headers
A status reporting capability that allows the handler to remotely determine
the current state of the program
Result reporting to as many as 10 handlers
Execution of any command on the infected system with output of the command
optionally sent to designated handlers
Initiation and termination of any of 5 different styles of packet flooding
DoS attacks. Floods, once initiated continue indefinitely until terminated
by the handler. Packet floosing options include:
Flood a target with DNS responses, which are generally allowed through
a firewall unless the firewall is "stateful" and has failed to see the
originating DNS query.
Flood a target with TCP connection requests without following up and completing
the connection, causing the target to go through a lengthy time-out process
before resetting to await a new connection. (TCP SYN Flood)
Flood a target DNS server with DNS queries.
Flood a target with ICMP Echo requests (Ping Flood)
Flood a target with UDP packets directed at a specific port.
Attempts to hide itself in ps listings by renaming itself after
it starts ("[mingetty]")
Detection and Removal
A significant sustained increase in network traffic is a strong indication
that a DoS tool is active within your network. With this particular
tool, a simple network sniffer, such as ethereal or tcpdump, will be able
to provide the MAC address from which the DDoS attack is originating.
"the-binary" makes no attempt to disguise itself at the ethernet address
level MAC spoofing), though it does do IP address spoofing. A simple
tool is available to scan class C subnets for the presence of active
agents. Once a machine is determined to contain the tool, the binary
file can be located on that machine by grep'ing for the string "TfOjG",
which is the encoded version of the backdoor password. It should
be assumed that any machine found to contain this program has been fully
compromised, and appropriate incident response measures should be instituted
for each infected machine.
Defense against "the-binary" takes on three forms
Keep system security patches up-to-date on all systems so that no system
in your network becomes an agent system.
Perform egress filtering on border routers so that packets containing spoofed
IP addresses are dropped. This will keep your network from contributing
substantially to a DoS should one of your machines become compromised.
At your firewall, deny all protocols that are not in use on your network.
Once you have configured any rules for allowed protocols, make sure you
deny any other protocols by default.
Perform rate limiting on incoming connections from the same IP address
Useful Sites for Additional DDoS Information
Denial of Service Attack
- The SANS Institute
Denial of Service (DDoS) Attacks/Tools - David Dittrich, University