---------- Forwarded message ----------
Date: Tue, 17 Apr 2001 17:36:12 -0600
From: Alfred Huger <ahat_private>
To: INCIDENTSat_private
Subject: Carko Information

Hey folks,

An anonymous poster sent me the following information to be passed on to the list. I think it's fairly important so please take a read.

Carko DDoS Agent Information
----------------------------------------------------------------------------------------

An apparently new DDoS agent called "carko" has been discovered on various systems. However, it appears to be an extremely close relative, if not a carbon copy, of stacheldraht+antigl+yps. I'm passing this on to various folks because people are asking about carko, but the ones I've sent email to haven't publicized it as I'd hoped. This is the information that we have on carko.

1) We have obtained a carko executable. It was installed in /usr/share/man/mansps/ddos/carko on a Solaris 2.7 box. The MD5 checksum is 94b0d0171c111b81b483b7ab2dadd2bf.

2) It appears to be a carbon copy of an updated stacheldraht tool (stacheldraht + antigl + yps), dumped on Packet Storm in January 2001, and found at:
   http://packetstorm.securify.com/distributed/stachelantigl.tar.gz
   The Packet Storm comment says "Stacheldraht v1.666 + antigl + yps distributed denial of service tool. By Psychoid and Randomizer." This is based on a comparison of strings output and the procedure call tree. Some analysis is at:
   http://www.nipc.gov/warnings/advisories/2000/00-055.htm
   http://xforce.iss.net/alerts/advise61.php

3) It was installed after an attack on the snmpXdmid vulnerability (CERT CA-2001-05). A back door was created on port 530 and installed in the following directory: /usr/share/man/mansps/ddos
   A new /usr/sbin/inetd process was apparently called with a configuration file of /tmp/.x, which was apparently deleted from /tmp/.

4) The attackers appeared to rcp the "td" client program (as it's called in stachelantigl above) from a remote site, then rename it to carko on the victim host. This is conjecture based on IDS extraction of the rcp command.

5) The victim was compromised via a coordinated attack involving:
   - one IP address scanning for RPC portmapper
   - another IP scanning for RPC services
   - another IP performing the exploit and installing the back door
   - another IP installing carko

6) The "trigger mechanism" or attack command *might* occur in spoofed packets coming from the DDoS target, but we are not sure at this time.

7) The Makefile for the client/td program from stachelantigl uses a -O6 compiler level. This removes several of the function names that would appear in carko. But, if you compile using -O3, you get the same set of function names as carko.

8) We have not extensively analyzed the source code for stachelantigl, but based on strings output and some disassembly, carko uses the same default passwords for client-to-master communication and the master server file (mservers), which may have been installed in /usr/share/man/mansps/ddos/ and later deleted.

9) "Interesting" functions in carko/stachelantigl include checkalive(), streamitniggah(), commence_havoc(), and various others. However, the last two were not in the original stacheldraht; some of the commence_* functions appear to be "stripped" from carko as a result of the optimization.
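A small host-triage helper, added here as an example and not part of the forwarded report or of any tool it names: it checks a file against the reported MD5 and reports which of the listed function and file names turn up in its printable strings, mirroring the strings-output comparison described in items 7 to 9. It assumes those names appear verbatim in the binary; the sample bytes at the bottom are constructed for the demonstration.

```python
# Added example (not from the report): triage a suspect binary against the
# carko indicators given above. Hash, directory and names come from the
# report; that they appear verbatim in the binary's strings is an assumption.
import hashlib
import re
from pathlib import Path

KNOWN_MD5 = "94b0d0171c111b81b483b7ab2dadd2bf"   # carko sample, from the report
DROP_DIR = Path("/usr/share/man/mansps/ddos")    # install directory, from the report
# Function/file names the report saw in strings output (matched as literal bytes)
INDICATOR_STRINGS = (b"checkalive", b"commence_havoc", b"mservers")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def find_indicators(data: bytes) -> list:
    """Return the reported names that occur inside printable runs of data."""
    # Mirror `strings`: only look inside runs of 4+ printable ASCII bytes
    printable_runs = re.findall(rb"[\x20-\x7e]{4,}", data)
    found = set()
    for run in printable_runs:
        for name in INDICATOR_STRINGS:
            if name in run:
                found.add(name.decode())
    return sorted(found)


def triage(data: bytes) -> dict:
    """Combine the hash check with string hits; a hash miss alone proves nothing,
    since a rebuild with a different -O level (item 7) changes the hash."""
    digest = md5_hex(data)
    hits = find_indicators(data)
    return {
        "md5": digest,
        "hash_match": digest == KNOWN_MD5,
        "indicators": hits,
        "suspicious": digest == KNOWN_MD5 or len(hits) >= 2,
    }


def triage_path(path: Path) -> dict:
    return triage(path.read_bytes())


# Constructed sample: filler bytes around two of the reported function names
SAMPLE = b"\x7fELF\x00\x01\x02" + b"checkalive\x00" + b"\x90" * 8 + b"commence_havoc\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print("drop directory present:", DROP_DIR.exists())
```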
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 23:41:15 PDT