Detailed analysis process of a DOS attack Trojan

Source: Internet
Author: User


0x01 Cause
The captured 1.exe files all had different MD5 values, yet a byte comparison showed that only a few bytes differed. After a few PgDn presses in the disassembler it was already over: the sample is only 5 KB. It reminded me of a very small MBR bootkit Trojan, compatible with XP, Win7, x86 and x64, that I had analyzed before, and I could not help but exclaim. I like "small and beautiful" things. A code segment in the later analysis also shows that the author is indeed very careful about writing code: when checking whether the HTTP method is POST or GET, only the first letter is compared.
On that impulse I decided to analyze this sample in depth, and that is how I got my first article on FreeBuf.

0x02 Why is there a large volume of 1.exe files in the network traffic?
Packing, encryption and anti-debugging are basic equipment for Trojans in this day and age, but this article does not cover unpacking, so we skip straight to the unpacked sample. It really is small: a little over 20 functions in total. Since this article claims to be a detailed analysis, every corner of the sample has been reversed, and it is more comfortable to read the functions once they have names. (To commemorate my first article on FreeBuf, there is a function named FreeBuf. If you must ask why, look at it: it really is just "free buffer".)

There is a large volume of 1.exe in the network traffic, each with a different MD5 value. The first guess is that the Trojan is a Downloader that keeps downloading other Trojans after it runs.
Analysis located the following key functions, and the cause turns out to be different from the conjecture.
1) Read the contents of its own file

2) Modify the timestamp of the PE file, increasing it by 1 each time
(This is why the MD5 of each 1.exe is different)

3) POST the data and upload the file


The following is the additional data of the second appendstr call. Starting from the content and the 0x0D 0x0A line breaks, it is easy to recognize that an HTTP header is being built. The 64-byte string in the last line is the submitted apikey. What is this apikey? Continue the analysis.


4) Why does the Trojan repeatedly upload itself, and where does it go?

First, the IStream data to be POSTed is converted to a buffer, then submitted to www.virustotal.com/vtapi/v2/file/scan.
VirusTotal is a world-renowned website that provides a suspicious-file analysis service. /vtapi/v2/file/scan is the API endpoint it opens to its members for scanning suspicious files, which answers the question about the 64-byte apikey above: a member must apply to VirusTotal for this apikey before using the file-scanning API.

The above is part of httpRequest, a function that uses the WinHTTP SDK to complete HTTP requests. There is no need to look at it closely.
I only want to point out the block with cmp ecx, 50h. I first took it for a comparison against port 80, but it checks whether the function's http Method parameter is GET or POST: ASCII 80 (0x50) is the letter "P", and only the first letter is compared. This is the carefulness in writing code that I mentioned at the start of the article. The author has several other exquisite coding points that have little to do with the topic of this article, so I will not elaborate on them here.
Let's go back to the end of the core function above.

The result returned by the Trojan's request is not used; it is directly killed by the justice messenger FreeBuf. What does this mean?
The jmp loc_401451 after FreeBuf turns out to be an endless loop that jumps back to where the timestamp was modified earlier.
Now we know that the original Trojan has been uploading itself cyclically, and each cycle increments the TimeDateStamp field of the PE header ([PE_Base + 0x3c] + 8), so the MD5 of 1.exe is different each time. Because VirusTotal does not re-analyze a file whose MD5 it has already seen but directly returns the result of the previous analysis, the returned results are of no concern to the Trojan, so they are simply freed. Is this Trojan intended to attack VirusTotal ......?
After the analysis, as the name "LoopSubmitVirusTotal" given to this function says, the whole process is clear and the cause that started the analysis of this sample is fully answered:

This is why there are so many 1.exe files in the network traffic, each with a different MD5 value yet differing by only a few bytes.
The article seems to end here: the story of a Trojan retaliating against security vendors.
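A triage helper for the behaviour described in steps 1) to 4), added here as an example and not code from the original article: it locates IMAGE_FILE_HEADER.TimeDateStamp through e_lfanew at 0x3c, and reports whether consecutive captures of 1.exe are byte-identical apart from a timestamp bumped by one. The MZ/PE bytes are a constructed stand-in, not a real executable.

```python
import hashlib
import struct

def build_sample(timestamp: int) -> bytes:
    """Constructed stand-in for one captured 1.exe: a minimal MZ stub whose
    e_lfanew (at 0x3c) points to 'PE\\0\\0' at 0x40, followed by an
    IMAGE_FILE_HEADER and filler bytes. Not a real executable."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return dos + b"PE\x00\x00" + file_header + b"\x00" * 0xE0 + b"constructed body"

def timestamp_offset(pe: bytes) -> int:
    """File offset of IMAGE_FILE_HEADER.TimeDateStamp."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    return e_lfanew + 8  # Signature(4) + Machine(2) + NumberOfSections(2)

def read_timestamp(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, timestamp_offset(pe))[0]

def differs_only_in_timestamp(a: bytes, b: bytes) -> bool:
    """True when two captures are byte-identical apart from TimeDateStamp."""
    if len(a) != len(b):
        return False
    off = timestamp_offset(a)
    if off != timestamp_offset(b):
        return False
    return a[:off] == b[:off] and a[off + 4:] == b[off + 4:]

def triage(samples: list) -> list:
    """For each capture: (md5, TimeDateStamp, bumped). 'bumped' means the file
    is the previous capture with its timestamp incremented by one, i.e. the
    resubmission loop described above rather than a freshly downloaded file."""
    report, prev = [], None
    for s in samples:
        ts = read_timestamp(s)
        bumped = (prev is not None and differs_only_in_timestamp(prev, s)
                  and ts == read_timestamp(prev) + 1)
        report.append((hashlib.md5(s).hexdigest(), ts, bumped))
        prev = s
    return report
```

A run of captures flagged bumped=True with distinct MD5s is the signature of this loop; a capture that differs elsewhere is a genuinely different file and deserves separate analysis.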
0x03 Uncovering the Trojan's true intention
This story is always strange: what does the Trojan's author gain from it? Let's continue with the functions that have not been completely reversed.

For example, I found another function almost identical to the previous httpRequest function. The only difference is that after this function goes through a long string of WinHTTP SDK calls and finally obtains the Response, it frees it directly inside the function. In other words, this is an HTTP request function that does all the work and returns nothing. To the caller, what is the difference between it and an empty function?
Then we come to the place where this function is called. After reading this, we basically know what is going on.

The upper-layer function is an endless loop: after receiving its parameters, the server host address and path, it continuously initiates GET requests. It turns out that this is an application-layer DOS attack, which is why the previous functions did not need to care about the result of the request.

Further analysis of the outer layer confirms that this is an application-layer DOS attack Trojan: the function that GETs the target server in a loop is started in 100 threads. It is indeed intended to beat the target server to death.
The truth is becoming clearer. The last question remains: where does it get the attack's target server?
I guessed it came through C&C, and went on to confirm it. I found the following C&C communication function: covert HTTP communication that receives commands through a Twitter profile page.

As shown below, open the twitter.com/pidoras6 page to verify it (only for good comrades who care about the motherland and spent 20 yuan on a VPN).

When the page opens, five strings in parentheses are found in the top tweets. The control commands are "encrypted", but in fact no decryption function needs to be reversed: they look familiar. There is an equal sign at the end, much like base64 (base64 encodes input in 3-byte groups, and when the input length is not a multiple of 3 the output is padded with =, so one or two equal signs are often seen at the end).

The control command is not encrypted at all; it is simply base64-encoded to stop others from seeing what it is at a glance.
The subsequent code is no longer important and you can already guess it: the UTF-8 text of the web page is converted to the local code page, WinHttpCrackUrl is called to split the decoded target URL into host and path, and these are written back to global variables for the 100 attack threads to GET in a loop.
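The command-extraction step just described, written from the defender's side as an added example (not the Trojan's code and not from the original article): pull parenthesized base64 tokens out of page text, decode only the well-formed ones, and split the result into host and path the way the WinHttpCrackUrl step does, so the target can be blocked or alerted on. The page text is constructed, the URL is a placeholder, and the extra parenthesized strings are decoys.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed stand-in for the profile page text. The base64 token carries a
# placeholder URL (target.example.com), not a real target; the other
# parenthesized strings are decoys a naive "anything in brackets" extractor
# would swallow.
SAMPLE_PAGE = (
    "weather report (2014) quite nice today\n"
    "(aHR0cDovL3RhcmdldC5leGFtcGxlLmNvbS8=)\n"
    "(not a command) and (abc) and ()\n"
)

TOKEN_RE = re.compile(r"\(([A-Za-z0-9+/]+={0,2})\)")

def extract_tokens(page: str) -> list:
    """Parenthesized strings that use only the base64 alphabet plus '=' padding."""
    return TOKEN_RE.findall(page)

def decode_command(token: str):
    """Decode one token to text, or None if it is not well-formed base64.
    Encoded length is a multiple of 4; '=' pads an incomplete 3-byte group."""
    if len(token) % 4 != 0:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def crack_url(text: str):
    """Split a decoded command into (host, path), mirroring what the
    WinHttpCrackUrl step yields; None if it is not an http(s) URL."""
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname, parts.path or "/"

def attack_targets(page: str) -> list:
    """Host/path pairs found in the page that a defender would block or alert on."""
    targets = []
    for tok in extract_tokens(page):
        cmd = decode_command(tok)
        target = crack_url(cmd) if cmd is not None else None
        if target:
            targets.append(target)
    return targets
```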

0x04 Conclusion
Looking back at the reason for the large volume of 1.exe submissions to VirusTotal, it seems to have nothing to do with the Trojan receiving commands for DOS attacks.
A possible purpose of the author is suggested: because VirusTotal limits the frequency with which members may submit samples, it may put the local IP address on a blacklist after the Trojan first attacks VirusTotal. Some network detection devices call the VirusTotal interface to check samples (VirusTotal also has an interface for querying by sample MD5, which is frequently used by security devices such as sandboxes), so if such security devices exist on the local network, their VirusTotal scanning function could be knocked out as a side effect.
Why does w0rm.in, found on the target page, always time out when I try to open it? Does the keyword w0rm.in point to a Russian hacker? Is the attack on VirusTotal really as conjectured? Could all this be a routine stress test? If w0rm is a hacker, is it true that w0rm's first love is the same person as the Trojan author's wife? Behind all this, is it a loss of morality or a distortion of human nature ...... Let's watch "Approaching Science" tonight and look at the little-known stories of "you call and I jmp".
