Intrusion Analysis - The Director's Cut!

Intrusion Analysis - The Director's Cut! (PDF, 5.92MB)
Published: 24 Jun, 2003
Created by:
Les Gordon

While looking for interesting detects to analyse from www.incidents.org/logs/Raw, I came across the Snort 'BACKDOOR Q access' alert and was fascinated by the strange packets. As far as I could tell, nobody else from the IT security community had taken a really good look at Q and published their findings yet, despite various versions of Q having been around since 1999. My goal for this paper was to investigate Q's capabilities, assess the risk posed by this software, see whether the existing standard Snort signatures and those at www.whitehats.com are in fact adequate, and suggest new signatures which may be more effective. I will be concentrating on Q's network traffic behavior in order to develop more effective NIDS detection capability. I investigated versions 0.9, 1.0, 2.0 and 2.4; however, I concentrated mainly on versions 1.0 and 2.4, since 1.0 is simply a bug-fixed version of 0.9 and 2.4 is an evolution of 2.0 (and I couldn't get the version 2.0 client/server pairs to establish a session). There will be two types of Q traffic examined. One is the one-way traffic that is sent by 'qs', the Q stealth messenger, to 'qd', the Q server daemon, and the other is the encrypted remote-shell session traffic. We'll also briefly touch on a bounce/redirector or port-forwarder session.