Analysis: the-binary back door and DOS tool

4 stars based on 69 reviews

The caputured binary is a backdoor program with the capability of launching denial of service analysis the-binary back door and dos tools. It is designed to run on Linux systems. The attacker needs root access to install the backdoor on a comprimised machine. Once the binary is installed, the attacker uses a special backdoor client program to establish a connection to the system and execute commands. An interesting feature of the backdoor program is its use as a distributed denial of service DDoS tool.

When the backdoor receives a command analysis the-binary back door and dos tools the attacker containing the victim's ip address or hostnameit starts a DoS attack against it. The DoS packet engine is very flexible and allows for many different kinds of attacks: With enought machines under the attacker's control, she can successfully impact major Internet sites, as evidenced by the events in Februrary When the binary is started, it detaches itself from the controlling tty and becomes a background process.

It overwrites its argv[0] with the string "[mingetty]", which is the default name of the login process on RedHat systems. Then it opens a raw socket and waits for command packets from the backdoor client. The communication channel between the backdoor and the client is rather ingenious. It is perhaps the most interesting part of this tool. The backdoor uses a unique approach to conceal the identity of the attacker who controls it. The client communicates with the backdoor via IP packets with the protocol field set to 0x0B 0x11which is an unassigned protocol number.

These IP packets are very similar to UDP datagrams, in that they don't offer reliability and retransmission but can be easily spoofed. All the packets sent from the client to the backdoor are spoofed, making it almost impossible to trace them back to their real source. The only way to track down the attacker is to trace the replies from the backdoor to the client. How does the backdoor know where to analysis the-binary back door and dos tools the replies to?

When the attacker wishes to communicate with the backdoor she analysis the-binary back door and dos tools an init command containing 10 IP addresses, encoded with a proprietary XOR-strength encryption algorithm.

The source of the packet with the init command can be spoofed because the backdoor only uses the IP addresses inside the packet payload. Upon receiving the init command, the backdoor stores the client IP addresses. All replies are sent to all 10 client IP addresses.

Only one of them needs to be the real IP address of the attacker. Looking at traffic generated by the backdoor it's impossible to the tell which address is the real one. If a system administrator or the authorities decide to go through the logs and track down the attacker, they will get 10 possible addresses, 9 of which are completely unrelated to the incident.

Many of the backdoor DDoS commands don't even send back replies and can be triggered with only one spoofed packet. There are 11 different commands that the backdoor can execute. Each of them has a number of parameters.

Here is a list of all commands and their descriptions:. The init command initializes the backdoor address list. If type is 0, only one IP address has to be specified in the ip parameter. All replies from the backdoor are sent to this IP address. If type is 1, the replies will be sent to this address and 9 other random addresses. If type is 2, the attacker specifies 10 IP addresses and the replies are sent to all of them. The status command causes the backdoor to send a reply packet with the type of the currently running DoS or shell process.

Only one such process can be started at a analysis the-binary back door and dos tools and it should be kill with the kill command when it is no longer needed. If no process is running, status return 0 idle. The kill command kills the currently running shell or DoS process.

The shell command in the cmd is executed by the backdoor. Its stdout and stderr are discarded. No reply is sent. Its stdin and stderr are captured and the output is sent to the client as reply packets.

The attacker can use telnet or analysis the-binary back door and dos tools to connect to this port. The first line sent to must match the backdoor password, otherwise the connection is terminated. The password in the binary captured by the honeynet project is "SeNiF". To kill the shell process, use the kill command.

Launches a UDP flood attack. The backdoor forks a new process which sends the packets. To stop the attack, use the kill command to kill this process the same analysis the-binary back door and dos tools to all DoS attacks available in the backdoor. The victim can be specified with the dst or hostname parameters. If a hostname is used it is resolved again after every packets have been sent, in case the dns record of the victim has changed.

The source of the packets can be spoofed with the src parameter. A variation of this attack is the ICMP smurf attack.

If the attacker sends spoofed ICMP echo requests to the broadcast address of a vulnerable network, all hosts on the network will send their responses to the victim. The entire network will act as a traffic amplifier for the attack. This kind of attack was first reported by Edward Henigin in It is possible to use the backdoor a tool for a ICMP smurf attack, but we'll have to use the IP address of the victim, because the author of the backdoor did not include support for resolving the source IP address of the packet.

Launches a SYN flood attack. A good description of the SYN flood atack is the Phrack 48 article by route. The victim is specified with the dst or the hostname parameters. The source ip address can be specified with src or left empty, in which case a random address is generated for each packet. It should be an open TCP port on the victim's system. If the parameter is not specified, the process sleeps after each packet. Launches a DNS queries flood atack. Sends DNS queries for top-level domains.

Useful for bringing DNS servers down. The victim is specified with the dst or hostname parameters. The source ip address of analysis the-binary back door and dos tools queries can be given in src or a random address will be generated for each packet. Launches a DNS smurf attack using publicly accessible nameservers as traffic amplifiers.

The backdoor binary contains a hardcoded list of more than DNS servers. The backdoor forks a process which continuously sends DNS requests for top-level domains. The address is resolved again after packets are sent, in case the dns record of the victim has been changed.

All DNS servers will send their replies to the victim's ip address, causing a denial of service. If it is not specified, the process sleeps after each packet.

All the packets between the client and the backdoor are sent as IP packets with protocol number 0x0B. They have the following format: Packets that contain commands from the client to the backdoor have a packet type of 2. After decoding the packet data, the backdoor looks at the byte at offset 23 in the IP packet. It contains a number, identifying the backdoor command. Each command has a variable number of parameters which are stored at offset Packets sent from the backdoor to the client have a packet type of 3.

The reply type is stored at offset The replies to the status command have a reply type of 1. If the byte at offset 25 is 0 then the backdoor does not have a shell or DoS process running. Otherwise the byte at offset 26 contains the command id of the command that forked the child process.

It is sent as a null terminated string, starting at offset A decoder for the backdoor communication protocol is available: It uses libpcap and can sniff traffic in realtime or read tcpdump files.

Running it on snort. There are two approaches an attacker can take to hide her traffic. She can try to mimic existing traffic as closely as possible, or she can try to make her packets stand analysis the-binary back door and dos tools so much that nobody notices.

Both approaches have advantages and disadvantages. The author of the this backdoor used an unused IP protocol number, relying on the fact that most firewalls and IDSes have an "accept by default" policy.

Snort rule to detect traffic with an unknown IP protocol: Of course this doesn't help much, since there are lots of other ways to sneak traffic past a firewall or an IDS. The author of the binary has tried to make it harder to analyze it by compiling it statically. This makes it impossible to tell which library functions are used with simple tools like objdump -t, but it doesn't stop more advanced tools like IDA and Fenris.

For more information on using IDA see the analysis section.

Is binary brain trust a scam system

  • Broker trader 4 0e

    Futures trading basics pdf

  • Managed account binareoptionen

    Learn how to compare binary option brokers

Islamic binary options trading demo account without deposit

  • Demonstration top option binary trading strategies

    Option math for trading ebooks

  • Shop der clp trading binary options

    Ootb forex

  • The best binary options automated software

    0-24 customer support binary options robot

Binary options signal trading strategies that work

11 comments Trading capital binary options with no deposit bonus 2014

How to trade commodity market in india

The objective of malware analysis is to gain an understanding of how specific pieces of malware work. There are important questions that must be answered.

Like, how did this machine become infected and what exactly does this malware do? There are different kinds of people and organization that do malware analysis. All of them fall under these categories:. As per information security training experts, to do analysis of malware you have to follow these steps:.

Set up a controlled machine, which is not connected to your network, also you should be able to restore the machine anytime. For environment setup you need to download the malware file first, and then you need to change its extension.

As per suggestions of ethical hacking training experts, after changing the file you can copy the file in write protected disc as this can help you isolate malware in some cases. Retrieve surface information from targets without execution. Motive of surface analysis is to get.

In this step you can execute malware and monitor its behavior. You can use various automated or manual analysis methods.

You can use monitoring tools on sandbox system for analysis. In static analysis you read the code in binary file and understand its functionality. You will need OS knowledge, assembly basics, efficient reading techniques and anti-analysis techniques. If the binary code is packed you will have to unpack it. You can also check for arguments and brunch on condition. While you use a Disassembler, you can read, rename and comment instructions to understand the code.

You can learn more about Disassembler in ethical hacking training course. Encoding Obfuscation in Malware. Strings are encoded like File name, Registry entry name, Server address stored in the binary and also HTTP data packets can be encoded using various methods.

Some of the encoding methods are. Anti Runtime Malware Analysis. Some types of malware are clever enough to detect analysis activity thus have a logic to avoid analysis by malware analysts explains information security solutions expert Bill Smith.

Some of the techniques used to detect malware analysis are:. To check for debuggers the malware checks for Breakpoints, Exception handling. The malware sometimes also check for Computer name, Disk size, Cursor position to avoid malware analysis and after detecting that the malware analysis is being done the malware does something else or does nothing.

We will cover more in-depth details over malware analysis in next article with the help of Mike Stevens, ethical hacking training professor. Hackers Take Control Ove Windows Server Events Sh All of them fall under these categories: Following are the reasons behind malware analysis. To have an incident response procedure. For doing product development and product improvement like antivirus.

For creating signatures for protection against malware. To create countermeasure solutions. To do analysis and resolution of vulnerability. To track and catch the criminals who create malware. Malware Analysis Methods As per information security training experts, to do analysis of malware you have to follow these steps: Environment Setup Set up a controlled machine, which is not connected to your network, also you should be able to restore the machine anytime.

Malware collection For environment setup you need to download the malware file first, and then you need to change its extension. Surface analysis Retrieve surface information from targets without execution. Motive of surface analysis is to get Hash value File type Strings Anti-virus software results 4.

Runtime analysis In this step you can execute malware and monitor its behavior. Static Analysis In static analysis you read the code in binary file and understand its functionality. Following tools can be used for static analysis: Visual Basic binary to Visual Basic source code.

World famous x86 debugger Immunity Debugger: Python familiar x86 debugger. Encoding Obfuscation in Malware Sometimes the programmer will encode the code to make it difficult for you to do analysis. Anti Runtime Malware Analysis Some types of malware are clever enough to detect analysis activity thus have a logic to avoid analysis by malware analysts explains information security solutions expert Bill Smith.

Some of the techniques used to detect malware analysis are: Malware Analysis , malware reverse engineering. Related Posts Nuclear plants leak critical alerts in unencrypted pager messages No Comments Oct 26, No Comments Sep 2, No Comments Apr 26, No Comments Oct 21,