__________________________________________________________

                 The U.S. Department of Energy
             Computer Incident Advisory Capability
__________________________________________________________

                        INFORMATION BULLETIN

           "mstream" Distributed Denial of Service Tool

May 3, 2000 13:00 GMT                                          Number K-037
______________________________________________________________________________
PROBLEM:       A new Distributed Denial of Service tool named "mstream" has
               been discovered.
PLATFORM:      All systems that communicate using TCP can be attacked by
               this tool. The tool runs on most UNIX systems.
DAMAGE:        Attacked systems are slowed and network bandwidth is used up.
               Attacking systems are also slowed.
SOLUTION:      Follow the instructions below to discover and remove certain
               versions of mstream. To detect mstream packets, watch the
               packet stream for the ports and text as indicated in the
               section "Detection of Mstream Packets" following the
               Internet Security Systems advisory.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The mstream code has been made available
ASSESSMENT:    in public forums, but good security practices can make it
               difficult for an intruder to install the code on a
               well-protected machine.
______________________________________________________________________________

[ Start Internet Security Systems Advisory ]

Internet Security Systems Security Alert
May 1, 2000

"mstream" Distributed Denial of Service Tool

Synopsis:

A new Distributed Denial of Service tool, mstream, has been discovered at the
University of Washington. It has also been seen on networks at Penn State and
Indiana University. A Distributed Denial of Service attack is designed to
bring a network down by flooding target machines with large amounts of
traffic.
The source code for a version of the program was recently posted anonymously
to the BugTraq and VULN-DEV e-mail lists hosted by SecurityFocus.

This tool includes a "master controller" and a "zombie." The master
controller is the portion of the tool that controls all of the zombie agents.
An attacker connects to the master controller using telnet to control the
zombies.

The attack the zombie performs is a modification of the "stream.c" attack.
Most of the source code in the zombie that is used to flood the target
computers originated from stream.c. The zombie sends TCP ACK packets to the
target hosts using random ports. This denial of service attack usually does
not have much effect coming from a single machine. However, the effects of
the attack are intensified in the new distributed format used by mstream. A
full explanation of this attack can be found at
http://packetstorm.securify.com/DoS/stream-dos.txt.

There have been two versions of mstream made public: one that was found "in
the wild", and another that was posted to security mailing lists. They are
functionally the same, but they have different passwords and use different
port numbers for communication.

Impact:

This Distributed Denial of Service (DDoS) tool poses the same dangers as
earlier tools including Trin00 and Tribe Flood Network. The stream.c attack
slows a machine down by using up CPU cycles. The attack also consumes network
bandwidth. In addition to the incoming ACK packets, the target host will
consume bandwidth when it tries to send TCP RST packets to non-existent IP
addresses. Routers will then return ICMP host/network unreachable packets to
the victim, resulting in more bandwidth starvation. The distributed method of
attack multiplies the effect on the CPU, as well as consuming large amounts
of network bandwidth.

Description:

The mstream architecture is a standard 3-tier design used by most Distributed
Denial of Service tools.
The client is the machine that an attacker uses to launch the attack. The
client launches the attack through a connection to the master. A master, in
the file master.c, controls all of the zombies. The zombies, in the file
server.c, perform the "stream.c" denial of service attack on the victim. Each
master can control any number of zombies, and each zombie can have any number
of masters controlling it. The mstream tool uses no encryption to hide its
activities on the network.

Three different versions of this tool have been found, using different ports.
The master source code found in the wild listens on TCP port 12754 for client
requests. To connect, a client must send the password, which is "N7%diApf!".
In the version that was posted to BugTraq and VULN-DEV, the TCP port is 6723,
and the password is "sex". Another binary found in the wild listens on port
15104 for client connections.

After sending the password, an attacker gets a prompt of "> ". Typing "help"
displays the following information:

    Available commands:
    stream    -- stream attack !
    servers   -- Prints all known servers.
    ping      -- ping all servers.
    who       -- tells you the ips of the people logged in
    mstream   -- lets you stream more than one ip at a time

The master controller also listens on a UDP port for registrations from
zombies. This port is 6838 in the version found at the universities and 9325
in the version posted to security mailing lists. A zombie can send two
different packets. One is "pong", which is a response to a ping request. The
other is "newserver", which adds that IP address to the list of servers in
the file "..." (wild version) or ".sr" (mailing list version) in the
directory in which the master controller is running. The IP addresses are
encoded by adding 50 to the ASCII value of each character in the IP address,
so "208.21.2.18" becomes "dbj`dc`d`cj<". The "<" is a newline character
(ASCII 10) plus 50.
Zombies listen on UDP port 10498 (wild version) or 7983 (mailing list
version) for commands from the master controller. The 3 commands that can be
sent to the zombies are "ping", "stream", and "mstream". The ping request
receives a "pong" from the server. The pong goes to UDP port 6838 (wild
version) or 9325 (mailing list version). In the wild version of mstream, the
"stream" command is not used; it sends only "mstream" commands.

The "mstream" command on the network looks similar to the following:

    mstream/x.x.x.x:x.x.x.x:...../y

In the above command, x.x.x.x represents the IP address(es) to attack, and y
is the time to attack (in seconds). The "stream" command is of a similar
format, but allows only one IP address to be sent. It looks like this:

    stream/x.x.x.x/y

Recommendations:

To locate the mstream master or zombie on a system, use the following command
for each filesystem on the machine:

    find / -mount -type f -print | xargs grep -l newserver

Replace / with whichever file system you want to search. This may find files
that are not part of mstream, such as /usr/bin/xchat, but you can verify each
file found by using the strings command on it. The strings output of the
zombie, from server.c, will contain this text:

    Must be ran as root.
    socket
    bind
    setsockopt
    newserver
    stream
    mstream
    ping
    pong
    fork
    Forked into background, pid %d

Running strings on the master will find this text:

    Connection from %s
    newserver
    New server on %s.
    pong
    Got pong number %d from %s
    %s has disconnected (not auth'd): %s
    Invalid password from %s.
    Password accepted for connection from %s.
    Lost connection to %s: %s

If you know which port the master controller is listening on, you can use
lsof. Use this command to locate the master: "lsof -i TCP:port". The result
will be similar to the following:

    [root@berry]# lsof -i TCP:12754
    COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE  NODE  NAME
    mstream  3664 juser  3u   IPv4  721759        TCP   *:12754 (LISTEN)

This will locate the process that is listening on TCP port 12754.
To find the path to the executable, use the command "lsof -c <name> -a -d
txt":

    [root@berry]# lsof -c mstream -a -d txt
    COMMAND   PID  USER  FD   TYPE  DEVICE  SIZE   NODE    NAME
    mstream  3664 juser  txt  REG   8,1     33185  306211  /home/juser/mstream

Kill the process, delete the master controller executable, check the "..."
or ".sr" file, and decode the IP addresses of all of the zombies. The
following shell command will decode the file:

    [root@berry]# cat ... | tr 'b-k`' '0-9.' | sed 's/<$//'
    208.21.2.18

ISS' SAFEsuite intrusion detection system, RealSecure 5.0, will include new
attack signatures to detect all levels of communications between the mstream
DDoS components. ISS' SAFEsuite network security assessment product, Internet
Scanner, will have checks available to detect mstream DDoS master and zombie
in the next X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This tool was researched by the ISS X-Force. The X-Force would like to thank
Dave Dittrich at the University of Washington and Andrew Korty at Indiana
University for their initial information on mstream. X-Force would also like
to thank Tim Yardley for his analysis of the stream.c attack that was posted
to BugTraq in January 2000.

_______

About ISS

ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services, and industry-leading expertise,
ISS serves as its customers' trusted security provider protecting digital
assets and ensuring the availability, confidentiality and integrity of
computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S.
commercial banks, 9 of the 10 largest telecommunications companies and over
35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA,
with additional offices throughout North America and international operations
in Asia, Australia, Europe and Latin America. For more information, visit the
ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as
on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.

[ End Internet Security Systems Advisory ]

Detection of Mstream Packets
============================

The following information will help users with the ability to sniff data
traffic to detect mstream traffic. Thanks to Elliot Turner for these
detection strings. Note that the detection strings in this list are only
valid for the current version of mstream. Newer versions may change these
strings.
Destination Ports:

  Attacker to handler (master controller) communications:
      tcp 6723, tcp 15104, tcp 12754

  Agent (Zombie) to handler (master controller) communications:
      udp 9325, udp 6838

  Handler (master controller) to agent (Zombie) communications:
      udp 7983, udp 10498

Attacker to handler communications.

  Watch for the commands sent to the handler. The first line sent to the
  handler contains the password.

  Strings to watch for:
      "who"
      "help"
      "quit"
      "ping"
      "stream"
      "mstream"
      "servers"

Handler to attacker communications.

  If you find the Streaming or MStreaming commands, you can get the list of
  attacked IP addresses and the duration of the attack from those lines.

  Strings to watch for:
      "Streaming "  " for "  " seconds."
      "has discon"
      "MStreaming "  " for "  " seconds."
      "New server on "
      "Connection from "
      "Currently Online:"
      "Available commands:"
      "Pinging all servers."
      "Lost connection to "
      "Invalid password from "
      "The following ips are known"
      "Password accepted for connection from "

Agent to handler communications.

  Strings to watch for:
      "newserver"
      "pong"

Handler to agent communications.

  If you find the stream/ or mstream/ commands, you can get the list of
  attacked IP addresses and the duration of the attack from those lines.

  Strings to watch for:
      "ping"
      "stream/"  "/"
      "mstream/"  "/"
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Internet Security Systems and
Elliot Turner for the information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
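The port and string table above, together with the stream/ and mstream/ command format described in the ISS advisory, as an added Python example that is not part of this bulletin or of ISS's products: it checks constructed (protocol, destination port, payload) records against the three destination-port channels and pulls the target list and duration out of handler-to-agent commands. Handler-to-attacker replies carry the handler's TCP port as the source port and are left out of this destination-port check.

```python
import re
from typing import List, Optional, Tuple

# Destination ports and payload strings taken from the detection table above.
CHANNELS = {
    "attacker->handler": ("tcp", {6723, 15104, 12754},
                          ("who", "help", "quit", "ping", "stream", "mstream", "servers")),
    "agent->handler": ("udp", {9325, 6838}, ("newserver", "pong")),
    "handler->agent": ("udp", {7983, 10498}, ("ping", "stream/", "mstream/")),
}
# stream/x.x.x.x/y  or  mstream/x.x.x.x:x.x.x.x:.../y  where y is seconds
COMMAND_RE = re.compile(r"^(m?stream)/([0-9.:]+)/(\d+)$")

def parse_command(payload: str) -> Optional[Tuple[List[str], int]]:
    """Return (target IPs, duration in seconds) for an attack command."""
    m = COMMAND_RE.match(payload.strip())
    if not m:
        return None
    targets = m.group(2).split(":")
    if m.group(1) == "stream" and len(targets) != 1:
        return None  # stream/ carries one address; mstream/ carries a list
    return targets, int(m.group(3))

def classify(proto: str, dst_port: int, payload: str):
    """Return (channel, targets, seconds) for an mstream packet, else None."""
    text = payload.strip()
    for name, (p, ports, strings) in CHANNELS.items():
        if proto != p or dst_port not in ports:
            continue
        if name == "handler->agent":  # pull targets/duration out of the command
            parsed = parse_command(text)
            if parsed:
                return name, parsed[0], parsed[1]
        if any(s in text for s in strings):
            return name, [], None
    return None

def scan(records) -> list:
    """Classify (proto, dst_port, payload) records, keeping only the hits."""
    return [hit for hit in (classify(*r) for r in records) if hit]

# Constructed sample traffic (not a real capture): one hit per channel
# plus an unrelated HTTP request that must not alert.
SAMPLE = [
    ("tcp", 12754, "servers\n"),
    ("udp", 10498, "mstream/10.1.1.1:10.1.1.2/60"),
    ("udp", 6838, "pong"),
    ("tcp", 80, "GET / HTTP/1.0"),
]
```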
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), use one
of the following methods to contact CIAC:

    1. Call the CIAC voice number 925-422-8193 and leave a message, or
    2. Call 888-449-8369 to send a Sky Page to the CIAC duty person, or
    3. Send e-mail to 4498369@skytel.com, or
    4. Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)
    Modem access:    +1 (925) 423-4753 (28.8K baud)
                     +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-027: Microsoft SQL Server and MSDE Malicious Query Vulnerability
K-028: FreeBSD Port Exploits for mh/nmh, Lynx, and mtr
K-029: Microsoft "Registry Permissions" Vulnerability
K-030: SGI - Vulnerability in the objectserver daemon
K-031: Mobile Malicious Code
K-032: DDoS Mediation Action List
K-033: Microsoft "Myriad Escaped Characters" Vulnerability
K-034: Cisco Catalyst Enable Password Bypass Vulnerability
K-035: Backdoor Password in Red Hat Linux Virtual Server Package
K-036: Continuing Compromises of DNS Servers