Internet Security Systems Security Alert: "mstream" Distributed Denial of Service Tool
Posted May 2, 2000
Site xforce.iss.net


tags | denial of service
SHA-256 | 831b88ac1fc976e9564f7cfad9d681900d7de2682423dab9dddec3575ad0743e

Date: Tue, 2 May 2000 12:18:39 -0400 (EDT)
From: X-Force <xforce@iss.net>
To: alert@iss.net
Subject: ISSalert: Internet Security Systems Security Alert: "mstream" Distributed Denial of Service Tool
Message-ID: <Pine.LNX.3.95.1000502121830.18148A-100000@arden.iss.net>



-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
May 1, 2000

"mstream" Distributed Denial of Service Tool

Synopsis:

A new Distributed Denial of Service tool, mstream, has been discovered at
the University of Washington. It has also been seen on networks at Penn
State and Indiana University. A Distributed Denial of Service attack is
designed to bring a network down by flooding target machines with large
amounts of traffic. The source code for a version of the program was
recently posted anonymously to the BugTraq and VULN-DEV
e-mail lists hosted by SecurityFocus. This tool includes a "master
controller" and a "zombie." The master controller is the portion of the tool
that controls all of the zombie agents. An attacker connects to the master
controller using telnet to control the zombies.

The attack the zombie performs is a modification of the "stream.c" attack.
Most of the flooding code in the zombie originated from stream.c. The zombie
sends TCP ACK packets with forged source addresses to random ports on the
target hosts. From a single machine this denial of service usually has little
effect; the distributed format used by mstream is what makes it damaging. A
full explanation of the stream.c attack can be found at
http://packetstorm.securify.com/DoS/stream-dos.txt.

There have been two versions of mstream made public: one that was found "in
the wild", and another that was posted to security mailing lists. They are
functionally the same, but they have different passwords and use different
port numbers for communication.

Impact:

This Distributed Denial of Service (DDoS) tool poses the same dangers as
earlier tools including Trin00 and Tribe Flood Network. The stream.c attack
slows a machine down by using up CPU cycles. The attack also consumes
network bandwidth. In addition to the incoming ACK packets, the target host
will consume bandwidth when it tries to send TCP RST packets to non-existent
IP addresses. Routers will then return ICMP host/network unreachable packets
to the victim, resulting in more bandwidth starvation. The distributed
method of attack multiplies the effect on the CPU, as well as consuming
large amounts of network bandwidth.

Description:

The mstream architecture is a standard 3-tier design used by most
Distributed Denial of Service tools. The client is the machine that an
attacker uses to launch the attack. The client launches the attack through a
connection to the master. A master, in the file master.c, controls all of
the zombies. The zombies, in the file server.c, perform the "stream.c"
denial of service attack on the victim. Each master can control any number
of zombies, and each zombie can have any number of masters controlling it.
The mstream tool uses no encryption to hide its activities on the network.
Three different versions of this tool have been found, each using different
ports. The master source code found in the wild listens on TCP port 12754 for
client requests. To connect, a client must send the password, which is
"N7%diApf!". In the version that was posted to BugTraq and VULN-DEV, the TCP
port is 6723 and the password is "sex". Another binary found in the wild
listens on TCP port 15104 for client connections. After sending the password,
an attacker gets a "> " prompt. Typing "help" displays the following
information:

Available commands:
stream -- stream attack !
servers -- Prints all known servers.
ping -- ping all servers.
who -- tells you the ips of the people logged in
mstream -- lets you stream more than one ip at a time

The master controller also listens on a UDP port for registrations from
zombies: port 6838 in the version found at the universities and port 9325 in
the version posted to security mailing lists. A zombie can send two different
packets. One is "pong", the response to a ping request. The other is
"newserver", which adds the sending IP address to the list of servers kept in
the file "..." (wild version) or ".sr" (mailing list version) in the directory
in which the master controller is running. The IP addresses are encoded by
adding 50 to the ASCII value of each character, including the newline that
ends each entry, so "208.21.2.18" becomes "dbj`dc`d`cj<". The "<" is the
newline character (ASCII 10) plus 50.

Zombies listen on UDP port 10498 (wild version) or 7983 (mailing list
version) for commands from the master controller. The three commands that can
be sent to a zombie are "ping", "stream", and "mstream". A ping request is
answered with a "pong" from the zombie, sent to UDP port 6838 (wild version)
or 9325 (mailing list version) on the master. The wild version of mstream
never sends the "stream" command; it only sends "mstream" commands. On the
network, the "mstream" command looks similar to the following:

mstream/x.x.x.x:x.x.x.x:...../y

In the above command, x.x.x.x represents IP address(es) to attack, and y is
the time to attack (in seconds). The "stream" command is of a similar
format, but allows only one IP address to be sent. It looks like this:

stream/x.x.x.x/y
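The command formats above, together with the UDP ports listed for the two public variants, are enough to write a payload-level detector for mstream control traffic. The following Python is an added example for this page, not code from the advisory or from ISS. The sample datagrams are constructed, and the choice to reject a zero-second duration and anything that is not a dotted quad is this example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# UDP ports named in the advisory, keyed by the component the datagram is
# addressed TO.  Master-bound traffic is "pong"/"newserver"; zombie-bound
# traffic is "ping"/"stream"/"mstream".
MSTREAM_UDP_PORTS = {
    10498: ("wild", "zombie"),
    6838:  ("wild", "master"),
    7983:  ("mailing-list", "zombie"),
    9325:  ("mailing-list", "master"),
}


@dataclass
class MstreamEvent:
    variant: str                 # "wild" or "mailing-list"
    sent_to: str                 # "zombie" or "master"
    command: str                 # ping/stream/mstream/pong/newserver
    targets: List[str] = field(default_factory=list)
    seconds: Optional[int] = None


def _split_targets(text: str) -> List[str]:
    """Split the colon-separated victim list; tolerate a trailing ':'."""
    targets = []
    for part in text.split(":"):
        if not part:
            continue
        ipaddress.IPv4Address(part)      # ValueError on anything not a dotted quad
        targets.append(part)
    return targets


def parse_mstream_datagram(dst_port: int, payload: bytes) -> Optional[MstreamEvent]:
    """Return an MstreamEvent if (dst_port, payload) matches mstream C2, else None."""
    if dst_port not in MSTREAM_UDP_PORTS:
        return None
    variant, sent_to = MSTREAM_UDP_PORTS[dst_port]
    try:
        text = payload.decode("ascii").rstrip("\r\n\x00")
    except UnicodeDecodeError:
        return None

    if sent_to == "master":
        # Zombie -> master: only two messages exist, neither takes arguments.
        return MstreamEvent(variant, sent_to, text) if text in ("pong", "newserver") else None

    if text == "ping":
        return MstreamEvent(variant, sent_to, "ping")

    # "stream/x.x.x.x/y" and "mstream/x.x.x.x:x.x.x.x:.../y"
    fields = text.split("/")
    if len(fields) != 3 or fields[0] not in ("stream", "mstream"):
        return None
    try:
        targets = _split_targets(fields[1])
        seconds = int(fields[2])
    except ValueError:
        return None
    if seconds <= 0 or not targets or (fields[0] == "stream" and len(targets) != 1):
        return None
    return MstreamEvent(variant, sent_to, fields[0], targets, seconds)


# Constructed sample traffic (src, dst, dst_port, payload); not a real capture.
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", "198.51.100.5", 10498, b"ping"),
    ("198.51.100.5", "192.0.2.10", 6838, b"pong"),
    ("198.51.100.5", "192.0.2.10", 6838, b"newserver"),
    ("192.0.2.10", "198.51.100.5", 10498, b"mstream/203.0.113.7:203.0.113.8:/300"),
    ("192.0.2.11", "198.51.100.6", 7983, b"stream/203.0.113.9/60"),
    ("192.0.2.12", "198.51.100.7", 53, b"ping"),                    # wrong port: ignored
    ("192.0.2.10", "198.51.100.5", 10498, b"stream/not-an-ip/60"),  # malformed: ignored
]


def scan_datagrams(datagrams) -> List[Tuple[str, str, MstreamEvent]]:
    """Return (src, dst, event) for every datagram that parses as mstream C2."""
    hits = []
    for src, dst, dport, payload in datagrams:
        ev = parse_mstream_datagram(dport, payload)
        if ev is not None:
            hits.append((src, dst, ev))
    return hits


if __name__ == "__main__":
    for src, dst, ev in scan_datagrams(SAMPLE_DATAGRAMS):
        print(f"{src} -> {dst} [{ev.variant}/{ev.sent_to}] {ev.command} "
              f"targets={ev.targets} seconds={ev.seconds}")
```

Because the direction of each message is fixed by the port (a "stream" command arriving at the master's registration port is not valid mstream traffic), the parser keys on destination port first and only then on payload; this cuts false positives from unrelated UDP services that happen to carry the word "ping".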


Recommendations:

To locate the mstream master or zombie on a system, use the following
command for each filesystem on the machine:

find / -mount -type f -print0 | xargs -0 grep -l newserver

Replace / with whichever file system you want to search. This may find files
that are not part of mstream, such as /usr/bin/xchat, but you can verify
each file found by using the strings command on it. The strings output of
the zombie, from server.c, will contain this text:

Must be ran as root.
socket
bind
setsockopt
newserver
stream
mstream
ping
pong
fork
Forked into background, pid %d

Running strings on the master will find this text:

Connection from %s
newserver
New server on %s.
pong
Got pong number %d from %s
%s has disconnected (not auth'd): %s
Invalid password from %s.
Password accepted for connection from %s.
Lost connection to %s: %s
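The find/grep/strings procedure above can be automated so that every candidate file is scored, not just listed. The following Python is an added example, not part of the advisory or an ISS tool: it walks one filesystem (the equivalent of find -mount), applies the grep -l newserver filter, then scores a strings(1)-style extraction against the two marker lists above. The MIN_SCORE threshold and the temporary test tree it builds are assumptions of this example.

```python
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Marker strings the advisory lists for the strings output of each component.
ZOMBIE_MARKERS = [
    "Must be ran as root.", "socket", "bind", "setsockopt", "newserver",
    "stream", "mstream", "ping", "pong", "fork", "Forked into background, pid %d",
]
MASTER_MARKERS = [
    "Connection from %s", "newserver", "New server on %s.", "pong",
    "Got pong number %d from %s", "%s has disconnected (not auth'd): %s",
    "Invalid password from %s.", "Password accepted for connection from %s.",
    "Lost connection to %s: %s",
]
# Generic markers (socket/bind/fork/...) appear in most network daemons, so the
# verdict is driven by how many of the distinctive format strings co-occur.
# This threshold is an assumption of this example, not a figure from the advisory.
MIN_SCORE = 5

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def strings(data: bytes) -> str:
    """Cheap stand-in for strings(1): runs of four or more printable ASCII bytes."""
    return "\n".join(m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(data))


def classify(data: bytes) -> Tuple[Optional[str], int]:
    """Return ("zombie"|"master"|None, score) for one file's contents."""
    if b"newserver" not in data:          # the advisory's "grep -l newserver" step
        return None, 0
    text = strings(data)
    zombie = sum(m in text for m in ZOMBIE_MARKERS)
    master = sum(m in text for m in MASTER_MARKERS)
    role, score = max((("zombie", zombie), ("master", master)), key=lambda r: r[1])
    return (role, score) if score >= MIN_SCORE else (None, score)


def scan_filesystem(root: str) -> Dict[str, str]:
    """Walk one filesystem (like find -mount); return {relative path: role}."""
    root_dev = os.stat(root).st_dev
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Stay on the starting filesystem and never descend into symlinked dirs.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))
                       and os.stat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            role, _score = classify(data)
            if role:
                findings[os.path.relpath(path, root)] = role
    return findings


def build_fixture() -> str:
    """Constructed test tree: a fake zombie, a fake master and a grep false positive."""
    root = tempfile.mkdtemp(prefix="mstream-triage-")

    def blob(markers):
        # Fake ELF-looking header followed by NUL-separated strings.
        return b"\x7fELF\x01\x01\x01\x00" + b"\x00".join(m.encode() for m in markers) + b"\x00"

    with open(os.path.join(root, "mstream"), "wb") as f:        # zombie, as in the lsof output
        f.write(blob(ZOMBIE_MARKERS))
    os.mkdir(os.path.join(root, "sbin"))
    with open(os.path.join(root, "sbin", "httpd"), "wb") as f:  # master hidden under a bland name
        f.write(blob(MASTER_MARKERS))
    with open(os.path.join(root, "xchat"), "wb") as f:          # grep hit, but not mstream
        f.write(blob(["newserver", "socket", "bind", "irc.example.net"]))
    return root


if __name__ == "__main__":
    root = build_fixture()
    for rel, role in sorted(scan_filesystem(root).items()):
        print(f"{role:7s} {os.path.join(root, rel)}")
```

Run it against "/" (or any mount point) instead of the fixture on a suspect host. The false positive the advisory mentions (/usr/bin/xchat) is handled by the scoring step: containing "newserver" alone gets a file listed by grep, but not flagged.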

If you know which port the master controller is listening on, you can use
lsof. Use "lsof -i TCP:<port>" to locate the master. The result will be
similar to the following:

[root@berry]# lsof -i TCP:12754
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mstream 3664 juser 3u IPv4 721759 TCP *:12754 (LISTEN)

This will locate the process that is listening on TCP port 12754. To find
the path to the executable, use the command "lsof -c <command> -a -d txt":

[root@berry]# lsof -c mstream -a -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mstream 3664 juser txt REG 8,1 33185 306211 /home/juser/mstream

Kill the process and delete the master controller executable, then check the
"..." or ".sr" file and decode the IP addresses of all of the zombies (the
addresses are encoded, not encrypted). Keep a copy of the binary and of the
server list before deleting anything; the list is your only inventory of the
compromised zombie hosts. The following shell command decodes the wild
version's file (the file really is named "..."; use ".sr" for the mailing
list version). Because the encoded newline "<" is what separates entries, it
is translated back to a newline as well, so a file listing several zombies
prints one address per line:

[root@berry]# tr 'b-k`<' '0-9.\n' < ...
208.21.2.18
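The encoding described under Description (add 50 to every byte of each address line, including the newline) and the tr pipeline above both come down to one byte shift. The following Python is an added example, not from the advisory: it encodes and decodes the "..." / ".sr" server list in both directions, validates each decoded entry as an IPv4 address so a corrupted or planted entry is reported rather than silently mis-decoded, and cross-checks against a translation-table version of the tr command. The sample addresses are constructed.

```python
import ipaddress
from typing import List

SHIFT = 50                              # mstream adds 50 to each byte of "a.b.c.d\n"
RECORD_END = chr(ord("\n") + SHIFT)     # "<": the shifted newline ends each entry


def encode_server_list(ips: List[str]) -> str:
    """Produce the contents of the master's "..." / ".sr" file for these zombies."""
    return "".join(chr(ord(c) + SHIFT) for ip in ips for c in ip + "\n")


def decode_server_list(data: str) -> List[str]:
    """Inverse of encode_server_list; entries that do not decode to an IPv4
    address are kept in the output, marked, so the file's structure is visible."""
    ips = []
    for record in data.split(RECORD_END):
        if not record:
            continue
        try:
            ip = "".join(chr(ord(c) - SHIFT) for c in record)   # chr() raises on < 0
            ipaddress.IPv4Address(ip)
        except ValueError:
            ip = f"<undecodable: {record!r}>"
        ips.append(ip)
    return ips


# The same decode expressed as the tr command's translation table: b-k map
# back to 0-9, backquote to '.', and "<" to a newline.  Unlike the function
# above it performs no validation; unexpected bytes pass through unchanged.
_TR = str.maketrans("bcdefghijk`", "0123456789.")


def decode_like_tr(data: str) -> List[str]:
    return [rec.translate(_TR) for rec in data.split(RECORD_END) if rec]


def read_server_file(path: str) -> List[str]:
    """Decode a "..." or ".sr" file taken from a master's working directory."""
    with open(path, "r", encoding="latin-1") as f:   # bytes > 0x7f must survive
        return decode_server_list(f.read())


if __name__ == "__main__":
    blob = encode_server_list(["208.21.2.18", "10.0.0.7"])
    print(repr(blob))                  # 'dbj`dc`d`cj<cb`b`b`i<'
    print(decode_server_list(blob))    # ['208.21.2.18', '10.0.0.7']
    print(decode_like_tr(blob))        # ['208.21.2.18', '10.0.0.7']
```

The decoded list is what you feed to the owners of the zombie hosts; each of those machines was compromised before it registered with this master, so the list is a notification queue, not just evidence.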

ISS' SAFEsuite intrusion detection system, RealSecure 5.0, will include new
attack signatures to detect all levels of communications between the mstream
DDoS components. ISS' SAFEsuite network security assessment product,
Internet Scanner, will have checks available to detect mstream DDoS master
and zombie in the next X-Press Update.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

Credits:

This tool was researched by the ISS X-Force. The X-Force would like to thank
Dave Dittrich at the University of Washington and Andrew Korty at Indiana
University for their initial information on mstream. X-Force would also
like to thank Tim Yardley for his analysis of the stream.c attack that was
posted to BugTraq in January 2000.

_______

About ISS

ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services, and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of
Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOQ7+pjRfJiV99eG9AQFvpgP6AlQFKZyXSuvTfPkaeF/5DBJYtm2WWuv+
yeETIWVWm7W3q061nJ0F7QkqouuVqK16glI/NeNtVdGSGukyGvCSKgmC3GQmRuoj
SfTlBVFF+lfhcsW/DmXKvur4+vSJ8pzP3vzDXFa8W0OBELHYyw7bn2kT0HcZZz7K
O6zKboTVA/g=
=I0QQ
-----END PGP SIGNATURE-----



