Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Reverse Challenge: Winners Announced

Posted by timothy on from the snoitalutargnoc dept.

asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."

4 of 186 comments (clear)

  1. Forgive my naiveness but by jsse · · Score: 1, Redundant

    What is the use of protocol 11?

    Would it be harmful if I just block it off?

    How may I do the blocking with ipchains and iptables?

    Thanks

  2. Re:Forgive my naiveness but by SpatchMonkey · · Score: 2, Redundant

    Some links to it:

    RFC 741 - Specifications of Network Voice Protocol (from November 1977!)
    Protocol Number Assignments

  3. Re:Is it really NVP? by mamba-mamba · · Score: 1, Redundant


    It is some kind of old-fashioned NVP that really isn't used right now. Check this out:
    Detection
    =========

    Any network traffic using an unusual protocol should be suspect. This tool
    uses protocol 11, but could easily be recompiled to use another protocol.
    As protocol 11 is not currently used, any network traffic using this
    protocol should be assumed to be communication between handlers and agents
    of this tool. The signature for detecting agent / handler communication
    was described in the previous section.

    Note that the source address of a packet from handler -> agent should not
    be assumed to be the actual address of the handler. The source address in
    the IP header is most likely to be spoofed. Similarly, data from agent ->
    handler is often faked to increase the difficulty of tracing the attacker's
    whereabouts.

    To hide from casual detection, the agent changes its process name to
    [mingetty].
    This is the standard getty for RedHat, and Slackware versions pre 7.0.

    To detect a running agent on a system, netstat can be used to determine
    if any processes are using protocol 11. The following command and
    response shows a running agent process.

    # netstat -pan | grep raw | grep :11
    raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]

    If found, all instances of mingetty should be killed (to ensure that
    children are caught as well). This will kill valid mingetty processes
    as well, but they will be respawned by the init process.

    # ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9

    The system should immediately be taken off the network and analysed to
    determine how the attacker gained root access.
    Have a nice day.

    MM
    --
    --
    By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
  4. DMCA violation by anthony_dipierro · · Score: 1, Redundant

    We all know that reverse engineering without the permission of the copyright holder is a violation of the DMCA, and doing so "willfully and for purposes of commercial advantage or private financial gain," such as to win a contest like this one is a criminal offense. Since it's a criminal offense, the victim (the copyright holder) doesn't even have to step up and admit that s/he's the copyright holder.

    Sounds like a good test case.