[ISN] Carko Information

From: InfoSec News (isnat_private)
Date: Tue Apr 17 2001 - 23:36:33 PDT


    ---------- Forwarded message ----------
    Date: Tue, 17 Apr 2001 17:36:12 -0600
    From: Alfred Huger <ahat_private>
    To: INCIDENTSat_private
    Subject: Carko Information

    Hey folks,

    An anonymous poster sent me the following information to be passed on to
    the list. I think it's fairly important so please take a read.

    Carko DDoS Agent Information

    An apparently new DDoS agent called "carko" has been discovered on
    various systems.  However, it appears to be an extremely close
    relative, if not a carbon copy, of stacheldraht+antigl+yps.

    I'm passing this on to various folks because people are asking about
    carko, but the ones I've sent email to haven't publicized it as I'd

    This is the information that we have on carko.

    1) We have obtained a carko executable.  It was installed in
       /usr/share/man/mansps/ddos/carko on a Solaris 2.7 box.
       The MD5 checksum is 94b0d0171c111b81b483b7ab2dadd2bf
    2) It appears to be a carbon copy of an updated stacheldraht tool
       (stacheldraht + antigl + yps), dumped on packet storm in January
       2001, and found at:
       The Packet Storm comment says "Stacheldraht v1.666 + antigl + yps
       distributed denial of service tool. By Psychoid and Randomizer."
       This is based on a comparison of strings output and the procedure
       call tree.
       Some analysis is at:
    3) It was installed after an attack on the snmpXdmid vulnerability
       (CERT CA-2001-05).  A back door was created on port 530 and
       installed in the following directory:
       A new /usr/sbin/inetd process was apparently called with a
       configuration file of /tmp/.x, which was apparently deleted from
    4) The attackers appeared to rcp the "td" client program (as it's
       called in stachelantigl above) from a remote site, then rename it
       to carko on the victim host.  This is conjecture based on IDS
       extraction of the rcp command.
    5) The victim was compromised via a coordinated attack involving:
       - one IP address scanning for RPC portmapper
       - another IP scanning for RPC services
       - another IP performing the exploit and installing the back door
       - another IP installing carko
    6) The "trigger mechanism" or attack command *might* occur in spoofed
       packets coming from the DDoS target, but we are not sure at this
    7) The Makefile for the client/td program from stachelantigl uses a
       -O6 compiler level.  This removes several of the function names that
       would appear in carko.  But, if you compile using -O3, you get the
       same set of function names as carko.
    8) We have not extensively analyzed the source code for stachelantigl,
       but based on strings output and some disassembly, carko uses the
       same default passwords for client-to-master communication and the
       master server file (mservers), which may have been installed in
       /usr/share/man/mansps/ddos/ and later deleted.
    9) "Interesting" functions in carko/stachelantigl include
       checkalive(), streamitniggah(), commence_havoc(), and various
       others.  However, the last two were not in the original
       stacheldraht; some of the commence_* functions appear to be
       "stripped" from carko as a result of the optimization.
    ISN is hosted by SecurityFocus.com

    This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 23:41:15 PDT
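
The host indicators listed in the report (install directory, MD5, function-name strings, the inetd started with a non-default configuration file, the listener on port 530) can be checked together during triage. The following is an added example, not part of the original post or of any tool it mentions; the function names are hypothetical, and it assumes `ps -ef` and Solaris-style `netstat -an` output has been collected as text lines.

```python
import hashlib
import re
from pathlib import Path

# Indicators quoted from the report above.
CARKO_MD5 = "94b0d0171c111b81b483b7ab2dadd2bf"
CARKO_DIR = "usr/share/man/mansps/ddos"
FUNC_NAMES = (b"checkalive", b"streamitniggah", b"commence_havoc")
BACKDOOR_PORT = "530"

def scan_tree(root):
    """Check a filesystem root (live '/' or a mounted image) for carko files."""
    findings = []
    ddir = Path(root) / CARKO_DIR
    if not ddir.is_dir():
        return findings
    findings.append(f"directory exists: {ddir}")
    for f in sorted(p for p in ddir.iterdir() if p.is_file()):
        data = f.read_bytes()
        if hashlib.md5(data).hexdigest() == CARKO_MD5:
            findings.append(f"{f}: MD5 matches reported carko binary")
        hits = [n.decode() for n in FUNC_NAMES if n in data]
        if hits:  # catches recompiled copies whose hash differs
            findings.append(f"{f}: contains {', '.join(hits)}")
    return findings

def scan_ps(lines):
    """Flag inetd started with a config file other than /etc/inetd.conf."""
    pat = re.compile(r"\binetd\s+(?:-\S+\s+)*(/\S+)")
    return [f"inetd using config {m.group(1)}" for m in map(pat.search, lines)
            if m and m.group(1) != "/etc/inetd.conf"]

def scan_netstat(lines):
    """Flag TCP listeners on port 530 (Solaris 'addr.port' local-address form)."""
    out = []
    for line in lines:
        f = line.split()
        if len(f) > 1 and f[-1] == "LISTEN" and f[0].rpartition(".")[2] == BACKDOOR_PORT:
            out.append(f"listener on {f[0]}")
    return out

if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    ps = ["root   153   1  0 Apr 10 ?  0:00 /usr/sbin/inetd -s",
          "root   911   1  0 Apr 17 ?  0:00 /usr/sbin/inetd -s /tmp/.x"]
    ns = ["      *.530      *.*      0      0 24576      0 LISTEN"]
    for finding in scan_tree("/") + scan_ps(ps) + scan_netstat(ns):
        print("FINDING:", finding)
```

The string check is included because, as item 7 notes, the visible function names depend on the optimization level used, so a rebuilt binary will not match the MD5.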