Q1.     Identify and explain the purpose of the binary.

The binary is a daemon program acting as a slave in a Distributed Denial of Service (DDoS) system which consist of at least a 2-tier structure. The daemon is planted and executed on a victim machine. It will then open a raw socket of IP protocol 11, and waits on the socket for commands sent to it by a master, to carry out a selected DDoS attack against a specific victim. By  instructing numerous such slaves to act simultaneously and in a concerted manner, the master can  achieve bandwidth amplification and cause considerable damage to the bandwidth and responsiveness of the victim, thus causing a denial of service on the victim.

Readers are urged to refer to the CERT document on "Trends in Denial of Service Attack Technology" [1] to learn about the past, present and future trends of DDoS technology.

Q2.    Identify and explain the various features of the binary. What are it's capabilities?

The binary has 12 functions that can be called upon by its master. These 12 functions can be broadly categorized into 3 types: administrative functions, shell functions and DoS attack functions.

Administrative functions include:
Shell functions include:
DDoS attack functions include:
The binary also features a network encoding process to hide the communications between itself and the master. See the next question.

Q3.    The binary uses a network data encoding process. Identify the encoder process and develop a decoder for it.

The encoding and decoding algorithm is actually quite simple. It can be described succinctly as follows:

Co = Po + 0x17
Cn = Pn + Cn-1 + 0x17, for n > 0
where Cn and Pn are the n'th byte of the encoded text and plain text respectively.
Pn = Cn - Cn-1 - 0x17,  for	n > 0
Po = Co - 0x17
where Cn and Pn are the n'th byte of the encoded text and plain text respectively.
Here is the encoder asm listing and its pseudo-C equivalent.
Here is the decoder asm listing and its pseudo-C equivalent.

Q4.    Identify one method of detecting this network traffic using a method that is not just specific to this situation, but other ones as well.

The binary uses IP protocol 11 to communicate with its master. This is an uncommon Internet protocol. Deploying an IDS like snort [2] can easily detect this kind of anomolous network traffic, among others.

Q5.    Identify and explain any techniques in the binary that protect it from being analyzed or reversed engineered.

There appears to be three main protection mechanisms:

Q6.     Identify 2 tools in the past that have demonstrated similar functionalities.

The binary seems to sit in between the Tribes Flood Network (TFN) [3] and Stacheldraht [4] DDoS tools in terms of functionalities and features. Their architectures and control structures are similar. This binary has more attack options than TFN. It also sports network encoding, but in this regard is not as advanced as Stacheldraht which uses proper encryption  instead of a home-brew encoding algorithm.

Bonus Q1.    What kind of information can be derived about the person who developed this tool? For example, what is their skill level?

This DDoS daemon does not seem to have any particularly clever features. Functionality wise, it is very much a standard set. There are ample sources of sample codes that the programmer can base his code on to implement these functions. Where the programmer tried to be clever, he fell short of putting in a proper effort. For example, both the network data encoding algorithm and the remote shell password hiding scheme are trivial. He could have easily employed proper encryption, or proper password hashing, which are already becoming commonplace in today's rootkits.

At the end of the Analysis.html document, we also highlighted a bug that we uncovered that may cause plain-text to appear in the reply packets sent by the binary, even though the data is supposed to be fully encoded. This is a result of poor programme design and insufficient testing.

Therefore we consider the programmer's skill level to be at most intermediate only.

Bonus Q2.    What advancements in tools with similar purposes can we expect in the future?

We see advancement in DDoS tools in the following areas:


[1] "Trends in Denial of Service Attack Technology", www.cert.org/archive/pdf/DoS_trends.pdf
[2] Snort - The Opensource Network Intrusion Detection System, http://www.snort.org
[3] "The 'Tribe Flood Network' distributed denial of service attack tool", http://staff.washington.edu/dittrich/misc/tfn.analysis, Dave Dittrich, Oct 1999.
[4] "The "Stacheldraht" distributed denial of service attack tool,  http://staff.washington.edu/dittrich/misc/stacheldraht.analysis, Dave Dittrich. Dec 2002.