Date: Tue, 2 May 2000 12:18:39 -0400 (EDT) From: X-Force To: alert@iss.net Subject: ISSalert: Internet Security Systems Security Alert: "mstream" Distributed Denial of Service Tool Internet Security Systems Security Alert May 1, 2000 "mstream" Distributed Denial of Service Tool Synopsis: A new Distributed Denial of Service tool, mstream, has been discovered at the University of Washington. It has also been seen on networks at Penn State and Indiana University. A Distributed Denial of Service attack is designed to bring a network down by flooding target machines with large amounts of traffic. The source code for a version of the program was recently posted anonymously to the BugTraq and VULN-DEV e-mail lists hosted by SecurityFocus. This tool includes a "master controller" and a "zombie." The master controller is the portion of the tool that controls all of the zombie agents. An attacker connects to the master controller using telnet to control the zombies. The attack the zombie performs is a modification of the "stream.c" attack. Most of the source code in the zombie that is used to flood the target computers originated from stream.c. The zombie sends TCP ACK packets to the target hosts using random ports. This denial of service attack usually does not have much effect coming from a single machine. However, the effects of the attack are intensified in the new distributed format used by mstream. A full explanation of this attack can be found at http://packetstorm.securify.com/DoS/stream-dos.txt. There have been two versions of mstream made public: one that was found "in the wild", and another that was posted to security mailing lists. They are functionally the same, but they have different passwords and use different port numbers for communication. Impact: This Distributed Denial of Service (DDoS) tool poses the same dangers as earlier tools including Trin00 and Tribe Flood Network. The stream.c attack slows a machine down by using up CPU cycles. The attack also consumes network bandwidth. In addition to the incoming ACK packets, the target host will consume bandwidth when it tries to send TCP RST packets to non-existent IP addresses. Routers will then return ICMP host/network unreachable packets to the victim, resulting in more bandwidth starvation. The distributed method of attack multiplies the effect on the CPU, as well as consuming large amounts of network bandwidth. Description: The mstream architecture is a standard 3-tier design used by most Distributed Denial of Service tools. The client is the machine that an attacker uses to launch the attack. The client launches the attack through a connection to the master. A master, in the file master.c, controls all of the zombies. The zombies, in the file server.c, perform the "stream.c" denial of service attack on the victim. Each master can control any number of zombies, and each zombie can have any number of masters controlling it. The mstream tool uses no encryption to hide its activities on the network. There have been 3 different versions found of this tool found, using different ports. The master source code found in the wild listens on TCP port 12754 for client requests. To connect, a client must send the password, which is "N7%diApf!". In the version that was posted to BugTraq and VULN-DEV, the TCP port is 6723, and the password is "sex". Another binary found in the wild listens on port 15104 for client connections. After sending the password, an attacker gets a prompt of "> ". Typing "help" displays the following information: Available commands: stream -- stream attack ! servers -- Prints all known servers. ping -- ping all servers. who -- tells you the ips of the people logged in mstream -- lets you stream more than one ip at a time The master controller also listens on a UDP port for registrations from zombies. This port is 6838 in the version found at the universities and 9325 in the version posted to security mailing lists. A zombie can send two different packets, one is "pong", which is a response from a ping request. The other is "newserver", which adds that IP address to the list of servers in the file "..." (wild version) or ".sr" (mailing list version) in the directory in which the master controller is running. The IP addresses are encoded by adding 50 to the ASCII value of each character in the IP address, so "208.21.2.18" becomes "dbj`dc`d`cj<". The "<" is a newline character (ASCII 10) plus 50. Zombies listen on UDP port 10498 (wild version) or 7983 (mailing list version) for commands from the master controller. The 3 commands that can be sent to the zombies are "ping", "stream", and "mstream". The ping request receives a "pong" from the server. The pong goes to UDP port 6838 (wild version) or 9325 (mailing list version). In the wild version of mstream, the "stream" command is not used, it just sends "mstream" commands. The "mstream" command on the network looks similar to the following: mstream/x.x.x.x:x.x.x.x:...../y In the above command, x.x.x.x represents IP address(es) to attack, and y is the time to attack (in seconds). The "stream" command is of a similar format, but allows only one IP address to be sent. It looks like this: stream/x.x.x.x/y Recommendations: To locate the mstream master or zombie on a system, use the following command for each filesystem on the machine: find / -mount -type f -print | xargs grep -l newserver Replace / with whichever file system you want to search. This may find files that are not part of mstream, such as /usr/bin/xchat, but you can verify each file found by using the strings command on it. The strings output of the zombie, from server.c, will contain this text: Must be ran as root. socket bind setsockopt newserver stream mstream ping pong fork Forked into background, pid %d Running strings on the master will find this text: Connection from %s newserver New server on %s. pong Got pong number %d from %s %s has disconnected (not auth'd): %s Invalid password from %s. Password accepted for connection from %s. Lost connection to %s: %s If you know which port the master controller is listening on, you can use lsof. Use this command to locate the master: "lsof -i TCP:port." The result will be similar to the following: [root@berry]# lsof -i TCP:12754 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME mstream 3664 juser 3u IPv4 721759 TCP *:12754 (LISTEN) This will locate the process that is listening on TCP port 12754. To find the path to the executable, use the command "lsof -c -a -d txt": [root@berry]# lsof -c mstream -a -d txt COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME mstream 3664 juser txt REG 8,1 33185 306211 /home/juser/mstream To kill the process, delete the master controller executable, check the "..." or ".sr" file, and decode the IP addresses of all of the zombies. The following shell command will decrypt the file: [root@berry]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//' 208.21.2.18 ISS' SAFEsuite intrusion detection system, RealSecure 5.0, will include new attack signatures to detect all levels of communications between the mstream DDoS components. ISS' SAFEsuite network security assessment product, Internet Scanner, will have checks available to detect mstream DDoS master and zombie in the next X-Press Update. Additional Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credits: This tool was researched by the ISS X-Force. The X-Force would like to thank Dave Dittrich at the University of Washington and Andrew Korty at Indiana University for their initial information on mstream. X-Force would also like to thank Tim Yardley for his analysis of the stream.c attack that was posted to BugTraq in January 2000. _______ About ISS ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services, and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477. Copyright (c) 2000 Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.