CSIRT honeyp.edu ADVISORY AD-2002-01
"the-binary" Distributed Denial of Service Tool
Date: Friday, May 31, 2002
In early May 2002, honeyp.edu CSIRT received a report of a site finding a new distributed denial of service (DDoS) tool that is being called "the-binary". The purpose of the tool is to enable attackers to use an Internet-connected system to launch packet flooding denial of service attacks against one or more target systems. It also provides the attacker a backdoor into the compromised system, allowing complete remote control of it.
The "the-binary" tool consists of an agent portion and a handler portion. The tool behaves as an agent or as a handler depending on the commands sent to it from a master. Only the agent/handler part has been found in the wild, but much of the master's capabilities can be inferred from the agent/handler code.
The handler, the agent and the master communicate through the non-standard IP protocol 0xB, so they need root access to craft specially formatted IP packets. Additionally, the agent crafts forged packet headers to launch its denial of service attacks. All communication between them is obfuscated with a simple encoding algorithm, so no clear text is transmitted over the wire.
The handler is controlled from the master part, but no password protection or the like is provided, so, once the system is compromised and "the-binary" is running, anybody with access to a master and a network connection to the system can take control of its actions.
At the attacker's will, the handler can execute any of the following actions:
- Answer 0xB-protocol requests (a kind of 'ping' utility used to show which systems are still compromised).
- Relay all commands sent from the master to the final agents, acting as a proxy.
- Open a root shell over a TCP connection. The default port used is 23281. Access to the shell is protected with a default password of "SeNiF".
- Run a single command on the target system, returning the results through the encoded connection if requested.
- Launch a SYN flood against a specified hostname/IP address and TCP port.
- Launch a UDP flood DoS attack against a specified hostname/IP address and port.
- Launch a DNS query flood DoS attack against a specified hostname/IP address.
In a DoS attack, source IP addresses can be randomly generated or forced to be a specific IP address.
Note that the default control protocol (0xB), the backdoor shell's TCP port and the default access password can all be easily changed without altering the tool's capabilities.
Detection of the tool
The following symptoms could indicate a system compromised with "the-binary" tool:
- Incoming/outgoing traffic using non-standard protocols over IP (i.e., IP traffic that is neither TCP nor UDP, etc.). Specifically, the instance of "the-binary" found uses protocol 0xB, but other versions of it could be compiled with a different arrangement.
- Unusual levels of outgoing TCP/UDP traffic, especially large numbers of DNS queries for SOA records.
- One or more [mingetty] processes consuming CPU.
- Sockets opened in raw mode in the system. This can be checked with the lsof command.
- Finding a file named /tmp/.hj237349 (the default temporary file name).
- Connections to TCP port 23281 (the default port for the backdoor shell).
The "the-binary" tool has only been found on Linux systems, but nothing in it prevents it from being easily ported to other Unix systems.
The tool provides a complete distributed denial of service system that could be used to attack other network-connected systems, including the compromised system itself. The tool is not capable of compromising the system by itself, so the initial compromise is made through other means, such as known exploits or system misconfiguration.
Distributed denial of service (DDoS) tools in general are capable of producing high-magnitude packet flooding denial of service attacks. At the time of this writing, we cannot confirm that the "the-binary" tool is being used in this type of attack, but it is definitely capable of producing a severe denial of service condition against one or more victim sites.
Systems with "the-binary" installed are totally compromised. So, in order to recover from the attack, the whole system should be rebuilt:
- Reinstall a clean version of the operating system
- Disable unnecessary services
- Install all vendor security patches
- Consult vendor and CSIRT advisories
- Use caution if reloading data from backups
- Change all passwords
Detailed steps on how to recover from a root compromise can be obtained from http://www.cert.org/tech_tips/win-UNIX-system_compromise.html.
To prevent further security incidents, improve overall system security:
- Review system security for configuration problems
- Install security tools
- Enable maximal auditing
- Install/configure firewalls to defend networks
- Install/configure network & host intrusion detection systems
In particular, to prevent a system from participating in a DDoS attack, firewalls and routers should be configured to filter outgoing traffic, blocking any packet whose source IP address does not belong to the internal network (egress filtering).
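The network symptoms listed under "Detection of the tool" and the egress filtering recommendation above can both be checked with a small packet classifier. The following is an added example for this advisory, not code from the tool or from the CSIRT team: it inspects constructed outbound IPv4 packets and flags the 0xB control protocol, the default backdoor port 23281, and sources outside an assumed internal prefix (192.0.2.0/24, a documentation range chosen here).

```python
import ipaddress
import struct

THE_BINARY_PROTO = 0x0B      # IP protocol number used by the instance found
BACKDOOR_PORT = 23281        # default TCP port of the backdoor shell
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: the site's own prefix

def build_ipv4(proto, src, dst, payload):
    """Constructed test helper: minimal IPv4 packet, 20-byte header, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def classify(packet, internal=INTERNAL_NET):
    """Return the indicator names matched by one outbound IPv4 packet."""
    hits = []
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return hits                       # not IPv4: nothing to say
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    if proto == THE_BINARY_PROTO:
        hits.append("proto-0xB")          # non-standard protocol: the control channel
    if proto == 6 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if BACKDOOR_PORT in (sport, dport):
            hits.append("tcp-23281")      # default backdoor shell port
    if ipaddress.ip_address(packet[12:16]) not in internal:
        hits.append("spoofed-src")        # source is not ours: what egress filtering drops
    return hits

# Constructed sample traffic as it would be seen leaving the monitored network
SAMPLES = {
    "control":  build_ipv4(0x0B, "192.0.2.10", "198.51.100.5", b"\x02constructed"),
    "backdoor": build_ipv4(6, "192.0.2.10", "198.51.100.5", struct.pack("!HH", 40000, 23281) + bytes(16)),
    "web":      build_ipv4(6, "192.0.2.10", "198.51.100.5", struct.pack("!HH", 40001, 80) + bytes(16)),
    "flood":    build_ipv4(17, "203.0.113.77", "198.51.100.5", struct.pack("!HH", 40002, 53) + bytes(4)),
}

def scan(samples):
    """Map each sample name to its list of matched indicators."""
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:9s} {'ALERT ' + ','.join(hits) if hits else 'ok'}")
```

Pointing classify() at frames from a capture of the border router's outbound interface turns the list above into a per-packet alert; the "spoofed-src" case is exactly the traffic an egress filter should be dropping.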
The CERT/CC has published several resources discussing distributed denial of service tools. These resources contain advice on handling distributed denial of service attacks and the associated tools, available from http://www.cert.org:
- CA-2000-01, Denial-of-Service Developments
- CA-99-17, Denial-of-Service Tools
- IN-99-07, Distributed Denial of Service Tools
General information about DDoS attacks can be obtained here:
Information about other DDoS tools can be obtained here:
- Tribe Flood Network, http://www.cert.org/incident_notes/IN-99-07.html
- Stacheldraht, http://www.cert.org/advisories/CA-2000-01.html
- Shaft, http://www.sans.org/y2k/shaft.html
Several independent analyses of "the-binary" were produced by other reverse challenge contestants and will be available from http://project.honeynet.org/reverse.
Authors: G. Martin, J. Ortiz, D. Perez, R. Siles.
Honeyp.edu CSIRT Contact Information
Phone: +1 000-000-0000 (24-hour hotline)
Fax: +1 000-000-0000
CSIRT-Honeyp.edu personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on holidays, and on weekends.