Security Advisory by mat 1. Description Some backdoor and DOS agent program named the-binary is spreading these day. These binary uses raw socket for it's communication with the master. And the packet is forged, and the detection of the communication is not so easy. This program uses IP protocol, but not TCP or UDP or ICMP. It uses their own IP protocol number 11 as their communication protocol. And this makes it's detection hard. And the communication is slightly encoded and the contents of the packet flow is not clear text in most cases. The binary work mainly on Linux systems. We don't know whether some variants for other platforms exist. 3. The threat it poses It's main function is to act as a DOS agent. I can create classic SYN flooding packets and massive DNS packets. With it's ability it can crash or lock up small 10MB network. But if it is distributed and master commands them simultaneously to attack some target, it can crash or lock up 100MB or bigger networks. 4. How to detect You can detect them by many routines. 1. In the network First, if your network is somewhat slow or Internet connection dies sometime. Check the network with tcpdump and find some massive traffic like SYN flooding or massive DNS packets. If you can find them, it can be the traffice generated by this agent. If the source of the massive traffic is located within the segment, you can spot them with the MAC address. And fundamentally you can detect this agent by watching the IP protocol 11 traffic with snort or tcpdump, or ethereal. But you must wait for much time before detect the command packet. But the variants can slightly change th protocol number and the detection is somewhat difficult for that. If they use TCP or UDP protocol number for their own proprietary protocol, the detection will be hard work. The watch for the network traffic and finding abnormal and unusal traffic is needed. 2. In the system Check your Linux systems and verify they are not root compromised. And use ps to locate "[mingetty]" process. Your system can have this process up by default. matter:~/tb/t2# ps ax|grep ming 13274 ? S 0:00 [mingetty] 13290 ttypf S 0:00 grep ming Use "lsof" command to verify that this process is not the-binary. lfof reveals the original process name. the-binar 13274 root cwd DIR 3,2 4096 2 / the-binar 13274 root rtd DIR 3,2 4096 2 / the-binar 13274 root txt REG 3,4 205108 912437 /mnt/archive/re/output/tb/t2/the-binary the-binar 13274 root 0u raw 18833170 00000000:000B->00000000:0000 st=07 By the last of line of "lsof" command, you can conclude that this program uses raw socket and must be some kind of hostile code. 5. Defend Against Block unused IP protocols on your routers and firewalls. And use IDS to detect the usage of the rarely used or never used protocols for backdoor usage. On Linux systems, make sure that all the security patches have been adapted. And make sure that no root compromise have been happend.