FRISK Software International


Summary of W32/Synflood.nenet
Alias:DoS.Win32.Nenet (AVP)
Length: 40.960 bytes
Discovered: 2 Apr 2003
Definition files: 5 Apr 2003
Risk Level: Low
Distribution:Low
Infection Method:This tool is usually distributed as a component of backdoor packages
Payload: Performs a SYN flood attack on a target computer, which is one form of a denial-of-service attack
 
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description
The Synflood.nenet is a tool used to perform a denial-of-service attack against a target, by flooding it with forged SYN packages. It will only work under Microsoft Windows 2000 / XP when run with administrator privileges, since it depends on the creation and usage of raw-sockets. This program is not of a viral nature, although malicious. It's usually distributed as a part of larger backdoor packages.


Technical Description
The Synflood.nenet is a tool, written in Visual C++ with the size of 40.960 bytes.
The purpose of this tool is to perform a denial-of-service attack against a target. The method of this type of an attack, is to flood the target with bogus SYN packets. These packets have forged source addresses, and have the purpose of filling up the listening queues for services found on the targets machine. When a SYN flood occures, the goal of the attack is to exhaust system resources since every SYN packet is placed in the service listening queue and reserves a tiny amount of memory. This attack works by initiating a three-way TCP handshake by sending out forged SYN packets, the service responds with an SYN/ACK package and puts this connection into the listening queue, where it after sending out SYN/ACK package couple of times and waiting for a responce, times out. With this type of an attack, the three-way TCP handshake is never finished but the waiting queue is filled up with bogus connection attempts. If the amount of SYN packets sent to the target is high enough, this can also exhaust the network resources available.

After the standard initialization routine, this program attempts to create a raw-socket, this function will only work on Windows 2000/XP based system, given that the program is run with administrative privileges, if that enviroment isn't present the program exits with an error message. Within the programs body, there is a function to generate a random IP addresses which appear to be valid, and are used as a source address for each SYN packet sent out. The program works in the following way:
1) Creates in 4 steps a random IP address to be used as a spoofed source address for each packet
2) Fills in the extra information needed for the packet
3) Sends the package to the target
4) Verifies that the packet sending procedure didn't generate errors
5) Continues to send packets until the user aborts the execution or the program generates an error.

A typical traffic caused by this program, might have this symptoms when captured by a monitoring tool:

Source Destination Protocol Info
81.167.31.125 targets ip TCP [SYN] Seq=31337 Ack=0 Win=1337 Len=9
180.13.108.120 targets ip TCP [SYN] Seq=31337 Ack=0 Win=1337 Len=9
114.170.20.30 targets ip TCP [SYN] Seq=31337 Ack=0 Win=1337 Len=9
156.180.47.3 targets ip TCP [SYN] Seq=31337 Ack=0 Win=1337 Len=9
104.34.4.205 targets ip TCP [SYN] Seq=31337 Ack=0 Win=1337 Len=9


The IP addresses used are completely random, as in the example shown above. Each packet has its own spoofed source address.


Removal Instructions
Delete the file detected as "is a security risk named W32/Synflood.nenet".

Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 


Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is