The Art of Stealthiness: Freenode IRC Port Knocking Backdoor
Author: Dragos Comaneci.
Port knocking [1], as a concept, has been around for quite some time, but it was rarely seen in the rootkits attackers use to keep a backdoor into compromised systems. Attackers likely did not bother with it because a backdoor could be built with simple networking techniques. With complex security devices now protecting the network, that has changed, and attackers are becoming stealthier about how they communicate with compromised systems.
Freenode is the meeting point of Free and Open Source Software communities, providing IRC network chat services. In September 2014, the Freenode team blogged about a security compromise of one of their IRC servers [2].
One of the interesting findings of the breach analysis [3] was a backdoor that uses a novel method of recognizing specially crafted incoming packets. Because the trigger needs no established connection and the backdoor calls back to whichever address sent the packets, it bypasses typical security defenses and firewalls and lets the attacker operate from any IP address without losing access.
The backdoor is composed of:
- A kernel module that recognizes the specially crafted packets and triggers a user-mode helper in response to detecting the pattern
- A user-mode helper that connects outbound from the compromised system to the attacker’s machine and provides remote shell and file access functionality
- A script that loads the kernel module and user-mode helper at boot time
- Another user-mode binary that does various administrative and clean-up tasks
To activate the backdoor on a compromised system, the attacker sends three specially crafted TCP SYN packets. Although the knock is carried over TCP, no TCP connection has to be negotiated: the three SYNs alone activate the backdoor.
When the kernel module recognizes these packets, it starts the user-mode helper, which establishes a TCP connection back to the source address of the three packets, on a port derived from the window field of their TCP headers.
An overview of the fields used in the TCP header for the magic packet sequence is presented in Fig. 1.
Fig. 1. TCP header fields used in the magic packet sequence
A packet counts as a knock when its TCP source port and sequence number add up to a specific magic value. The magic value was not disclosed during the Freenode forensic work, and an attacker can in any case choose any value that suits them (the kernel module could even be configured to recognize several), so an IDS/IPS signature should not assume the magic value is fixed. What is fixed is the invariant itself: three SYNs from one source whose source port plus sequence number is the same every time, which ordinary SYNs with random initial sequence numbers will not produce.
The callback port, on which the compromised system connects to the attacker's station, is the TCP window size field minus 8192.
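As an added example (not code from the original post, from the backdoor or from the Ixia emulation), the following Python sketches a magic-agnostic detector for the knock sequence: it looks for three SYNs from one source with an identical source-port-plus-sequence-number sum and derives the callback port from the window. It builds its own sample IPv4/TCP SYN packets so that it runs offline; the addresses, ports and magic value in it are constructed, since the real magic value was never published. It assumes the sum is compared modulo 2^32, that the callback port is read from the last knock, and that an unrelated SYN from the same source resets the count; none of these details is stated on the page.

```python
"""Magic-agnostic detector for the three-SYN port knock (added example)."""
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10
CALLBACK_OFFSET = 8192  # callback port = TCP window - 8192, per the analysis


def build_syn(src_ip, dst_ip, sport, dport, seq, window):
    """Build a minimal IPv4 + TCP SYN packet (no options, checksums zeroed).

    Only used to construct sample input for the detector below.
    """
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,            # v4/IHL=5, len 40, TTL 64, proto TCP
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, window, 0, 0
    )
    return ip_hdr + tcp_hdr


def parse_syn(pkt):
    """Return (src_ip, sport, seq, window) for a pure SYN, or None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # not TCP, or truncated
        return None
    src_ip = ".".join(str(b) for b in pkt[12:16])
    sport, _dport, seq, _ack, _off, flags, window = struct.unpack(
        "!HHIIBBH", pkt[ihl:ihl + 16]
    )
    if not flags & TCP_SYN or flags & TCP_ACK:      # SYN set, ACK clear
        return None
    return src_ip, sport, seq, window


class KnockDetector:
    """Flag a source after N consecutive SYNs with the same (sport + seq) value.

    Ordinary SYNs carry random initial sequence numbers, so the sum differs from
    packet to packet; a repeated sum is the knock invariant, whatever the magic
    value. Assumptions: the sum is compared modulo 2^32, the callback port is
    taken from the last knock's window, and an unrelated SYN from the same
    source resets the count. No timeout is applied, since knocks may be spaced
    arbitrarily; a production detector would bound the per-source state.
    """

    def __init__(self, knocks_required=3):
        self.knocks_required = knocks_required
        self._state = defaultdict(lambda: (None, 0))  # src_ip -> (last_sum, count)

    def feed(self, pkt):
        """Consume one raw packet; return (src_ip, callback_port) on a completed knock."""
        parsed = parse_syn(pkt)
        if parsed is None:
            return None
        src_ip, sport, seq, window = parsed
        total = (sport + seq) & 0xFFFFFFFF
        last_sum, count = self._state[src_ip]
        count = count + 1 if total == last_sum else 1
        self._state[src_ip] = (total, count)
        # a window of 8192 or less cannot encode a valid callback port
        if count < self.knocks_required or window <= CALLBACK_OFFSET:
            return None
        self._state[src_ip] = (None, 0)              # reset after reporting
        return src_ip, window - CALLBACK_OFFSET


def demo():
    """Constructed traffic: two ordinary SYNs, then three knocks from 203.0.113.7."""
    magic = 0x5A5A0001            # arbitrary; the real value was never disclosed
    callback_port = 4444          # attacker's listener, encoded as window = 4444 + 8192
    det = KnockDetector()
    events = []
    for sport, seq in ((40000, 0x11223344), (40001, 0x55667788)):
        events.append(det.feed(build_syn("198.51.100.5", "192.0.2.10", sport, 6667, seq, 29200)))
    for sport in (12345, 23456, 34567):               # a different source port per knock
        seq = (magic - sport) & 0xFFFFFFFF            # so that sport + seq == magic
        events.append(det.feed(build_syn(
            "203.0.113.7", "192.0.2.10", sport, 6667, seq, callback_port + CALLBACK_OFFSET)))
    return events


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Only the third knock produces an event, carrying the source to which the helper will connect back and the port it will use; a sensor can turn that into an alert on the expected outbound connection before it happens. The per-source state is unbounded here on purpose, because the knocks may be separated by any delay; a deployment would cap it.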
The complete network-level sequence of packets is presented in Fig. 2.
Fig. 2. Backdoor activation packet sequence
After the three magic packets (which may be separated by arbitrary delays), the compromised system opens a TCP connection to the attacker. The data on this connection is encrypted with RC4. The compromised system first sends a fixed 6-byte hello packet (the challenge), b5a46fce2166; the attacker's station responds with a password, which the compromised system validates before sending an acceptance message. After this negotiation, the attacker can use the backdoor's remote shell and file transfer functionality. Because the hello is a fixed byte string, the first six bytes of the callback connection are a useful second indicator that does not depend on knowing the magic value.
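The callback handshake above, modelled in memory with both sides' messages, as an added example that is not code from the original post or from the backdoor itself. Only the 6-byte hello is taken from the published analysis; the RC4 key, the password, the acceptance message and the use of one RC4 keystream per direction are assumptions, and the hello is modelled as sent without encryption so that it appears as the fixed byte string on the wire.

```python
"""Callback handshake over RC4, both sides modelled in memory (added example)."""

HELLO = bytes.fromhex("b5a46fce2166")   # fixed 6-byte hello from the analysis
ACCEPT = b"OK\n"                         # hypothetical acceptance message


def rc4_keystream(key):
    """Generate the RC4 keystream for key (key scheduling, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


class Rc4Channel:
    """One direction of the connection: a single running keystream (assumed)."""

    def __init__(self, key):
        self._ks = rc4_keystream(key)

    def crypt(self, data):
        # XOR with the keystream; the same call encrypts and decrypts
        return bytes(b ^ next(self._ks) for b in data)


class CompromisedHost:
    """The user-mode helper's side: sends the hello, checks the password."""

    def __init__(self, key, password):
        self.tx, self.rx = Rc4Channel(key), Rc4Channel(key)
        self.password = password
        self.authenticated = False

    def hello(self):
        return HELLO        # modelled as sent unencrypted (assumption)

    def handle_password(self, ciphertext):
        if self.rx.crypt(ciphertext) != self.password:
            return None     # the real backdoor's reaction to a bad password is not on the page
        self.authenticated = True
        return self.tx.crypt(ACCEPT)


class AttackerStation:
    """The attacker's listener on the callback port."""

    def __init__(self, key, password):
        self.tx, self.rx = Rc4Channel(key), Rc4Channel(key)
        self.password = password

    def respond(self, hello):
        if hello != HELLO:
            raise ValueError("unexpected hello")
        return self.tx.crypt(self.password)

    def accepted(self, ciphertext):
        return self.rx.crypt(ciphertext) == ACCEPT


def run_handshake(key=b"example-key", password=b"hunter2", attacker_password=None):
    """Drive the three-message exchange; return (wire_messages, authenticated)."""
    host = CompromisedHost(key, password)
    attacker = AttackerStation(key, attacker_password or password)
    wire = [host.hello()]
    wire.append(attacker.respond(wire[0]))
    reply = host.handle_password(wire[1])
    if reply is None:
        return wire, False
    wire.append(reply)
    return wire, attacker.accepted(reply)


if __name__ == "__main__":
    messages, ok = run_handshake()
    for m in messages:
        print(m.hex())
    print("authenticated:", ok)
```

Two properties worth noticing in the wire bytes: with a static key and a keystream that starts fresh on every connection, every session begins with the same bytes, so a content signature on the first six bytes of the callback connection works even though the payload is "encrypted"; and RC4 preserves message length, so the length of the second message reveals the length of the attacker's password.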
Emulating the Backdoor with Ixia ATI
We have implemented this behavior in our latest ATI update. The emulation randomly chooses the target port, the callback port and the magic value, and uses a different source port for each trigger packet. Randomizing the ports and the magic value ensures that an IPS/IDS signature for this backdoor is only credited when it matches the knock pattern rather than fixed values.
After the trigger sequence completes, we also emulate the TCP connection from the compromised node to the attacker on the callback port, including the sequence of messages exchanged over it.
Keep your network safe from backdoors by constantly testing your network security with the latest ATI updates.
Leverage Subscription Service to Stay Ahead of Attacks
The Ixia BreakingPoint Application and Threat Intelligence (ATI) program provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.
[1] Krzywinski, Martin. "Port knocking from the inside out." SysAdmin Magazine 12.6 (2003): 12-17, http://portknocking.org/docs/portknocking_an_introduction.pdf
[2] Freenode, "Server issues" (blog post, September 2014), http://blog.freenode.net/2014/09/server-issues-2/
[3] NCC Group, "Analysis of the Linux backdoor used in freenode IRC network compromise" (October 2014), https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/