Date: Tue, 17 Apr 2001 17:36:12 -0600
From: Alfred Huger <ah@SECURITYFOCUS.COM>
Subject: Carko Information
To: INCIDENTS@SECURITYFOCUS.COM
Hey folks,
An anonymous poster sent me the following information to be passed onto
the list. I think it's fairly important so please take a read.
Carko DDoS Agent Information
--------------------------------------------------------------------------------------------------------
An apparently new DDoS agent called "carko" has been discovered on
various systems. However, it appears to be an extremely close
relative, if not a carbon copy, of stacheldraht+antigl+yps.
I'm passing this on to various folks because people are asking about
carko, but the ones I've sent email to haven't publicized it as I'd
hoped.
This is the information that we have on carko.
1) We have obtained a carko executable. It was installed in
/usr/share/man/mansps/ddos/carko on a Solaris 2.7 box.
The MD5 checksum is 94b0d0171c111b81b483b7ab2dadd2bf
2) It appears to be a carbon copy of an updated stacheldraht tool
(stacheldraht + antigl + yps), dumped on packet storm in January
2001, and found at:
http://packetstorm.securify.com/distributed/stachelantigl.tar.gz
The Packet Storm comment says "Stacheldraht v1.666 + antigl + yps
distributed denial of service tool. By Psychoid and Randomizer."
This is based on a comparison of strings output and the procedure
call tree.
Some analysis is at:
http://www.nipc.gov/warnings/advisories/2000/00-055.htm
http://xforce.iss.net/alerts/advise61.php
3) It was installed after an attack on the snmpXdmid vulnerability
(CERT CA-2001-05). A back door was created on port 530 and
installed in the following directory:
/usr/share/man/mansps/ddos
A new /usr/sbin/inetd process was apparently called with a
configuration file of /tmp/.x, which was apparently deleted from
/tmp/.
4) The attackers appeared to rcp the "td" client program (as it's
called in stachelantigl above) from a remote site, then rename it
to carko on the victim host. This is conjecture based on IDS
extraction of the rcp command.
5) The victim was compromised via a coordinated attack involving:
- one IP address scanning for RPC portmapper
- another IP scanning for RPC services
- another IP performing the exploit and installing the back door
- another IP installing carko
6) The "trigger mechanism" or attack command *might* occur in spoofed
packets coming from the DDoS target, but we are not sure at this
time.
7) The Makefile for the client/td program from stachelantigl uses a
-O6 compiler level. This removes several of the function names that
would appear in carko. But, if you compile using -O3, you get the
same set of function names as carko.
8) We have not extensively analyzed the source code for stachelantigl,
but based on strings output and some disassembly, carko uses the
same default passwords for client-to-master communication and the
master server file (mservers), which may have been installed in
/usr/share/man/mansps/ddos/ and later deleted.
9) "Interesting" functions in carko/stachelantigl include
checkalive(), streamitniggah(), commence_havoc(), and various
others. However, the last two were not in the original
stacheldraht; some of the commence_* functions appear to be
"stripped" from carko as a result of the optimization.
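The indicators in the message above (the MD5 of the recovered binary, the drop directory, the inetd process started with a config file under /tmp, and the back door on port 530) lend themselves to a quick host triage script. The following is an added example, not code from the original post or from the stacheldraht/carko tool itself. It assumes the Solaris inetd convention of taking an alternative configuration file as a trailing argument (which is how the post describes the /tmp/.x process), and the ps and netstat listings embedded in it are constructed for offline demonstration, not real captures.

```shell
#!/bin/sh
# Host triage checks for the carko / stachelantigl indicators in the post above.
# Added example, not part of the original message. The hash, paths and port come
# from the post; the ps/netstat listings below are CONSTRUCTED for offline use.

CARKO_MD5="94b0d0171c111b81b483b7ab2dadd2bf"   # from the post (item 1)
DROP_DIR="/usr/share/man/mansps/ddos"           # from the post (items 1, 3, 8)
BACKDOOR_PORT=530                               # from the post (item 3)

# MD5 of a file; tries md5sum (Linux), digest (Solaris), md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool found" >&2; return 2
    fi
}

# Exit 0 if the file's MD5 equals the published carko hash.
# A recompiled or re-stripped copy will not match: treat a miss as "unknown", not "clean".
is_carko_binary() {
    [ -f "$1" ] && [ "$(file_md5 "$1")" = "$CARKO_MD5" ]
}

# Exit 0 if the drop directory exists. Optional $1 is a root prefix (e.g. a mounted image).
drop_dir_present() {
    [ -d "${1:-}$DROP_DIR" ]
}

# Filter for ps -ef output: an inetd started with a config file under /tmp
# (the post reports /usr/sbin/inetd run with /tmp/.x). Prints hits, exit 0 if any.
# This is a triage grep; review hits by hand (a "grep inetd /tmp/x" would also match).
find_rogue_inetd() {
    grep -E '(^|[[:space:]/])inetd[[:space:]].*[[:space:]]/tmp/'
}

# Filter for netstat -an output: a TCP listener on the back-door port.
# Matches both Solaris ("*.530 ... LISTEN") and Linux ("0.0.0.0:530 ... LISTEN") formats.
find_backdoor_listener() {
    grep -E "[.:]${BACKDOOR_PORT}[[:space:]].*LISTEN"
}

# Run both listing filters; $1 = ps text, $2 = netstat text. Exit 0 if anything was found.
scan_listings() {
    found=1
    hits=$(printf '%s\n' "$1" | find_rogue_inetd) && { echo "rogue inetd:"; echo "$hits"; found=0; }
    hits=$(printf '%s\n' "$2" | find_backdoor_listener) && { echo "listener on $BACKDOOR_PORT:"; echo "$hits"; found=0; }
    return $found
}

# --- Constructed sample data (Solaris-style formats; not real captures) ---
SAMPLE_PS='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Apr 10 ?        0:01 /etc/init -
    root   143     1  0   Apr 10 ?        0:00 /usr/sbin/inetd -s
    root  9876     1  0 14:02:11 ?        0:00 /usr/sbin/inetd -s /tmp/.x
    root  9901  9876  0 14:02:15 ?        0:00 /usr/share/man/mansps/ddos/carko'
SAMPLE_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN
      *.530                *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN'
CLEAN_PS='    root   143     1  0   Apr 10 ?        0:00 /usr/sbin/inetd -s'
CLEAN_NETSTAT='      *.22                 *.*                0      0 49152      0 LISTEN'

# Stand-alone demo over the constructed listings.
scan_listings "$SAMPLE_PS" "$SAMPLE_NETSTAT" || echo "no indicators in sample"
```

On a live host the same filters run over real output: `ps -ef | find_rogue_inetd`, `netstat -an | find_backdoor_listener`, `is_carko_binary /usr/share/man/mansps/ddos/carko`, or `drop_dir_present /mnt/image` against a mounted disk image. Two caveats follow directly from the post: the /tmp/.x config and the mservers file were deleted by the attackers, so their absence proves nothing, and the MD5 only identifies that exact build, so a miss on a suspicious binary still calls for the strings and call-tree comparison the poster describes.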