The WireX family hard-codes two URL addresses internally (in some variants the URLs are encrypted); variant A hard-codes the following two URLs:
Http://u.*******.store/?utm_source=tfikztteuic
Http://g.*******.store/?utm_source=tfikztteuic
These URLs are the addresses of the virus's C&C server, which returns information about the site to be attacked. The data returned by the two URLs is handled differently, and the malicious actions performed differ.
UDP Flood attack
For URL addresses that begin with u, such as Http://u.*******.store/?utm_source=tfikztteuic (in the actual test the data was not returned normally; the behaviour below is as described by the code logic), the returned data is divided into two parts: the host address to attack and the port, separated by the hard-coded string "Snewxwri". The code that processes the returned data is as follows:
After obtaining the host address and port number, 50 threads are created. Each thread connects to the host and port, opens a socket, and sends random data over UDP, 512 bytes per send. Each thread sends a total of 10000000 (10 million) times, that is 10000000×512=5120000000 bytes of data; since 50 threads are created, 10000000×512×50=256000000000 (256 billion) bytes are theoretically sent. The implementing code looks like this:
Deceptive Access Attack
For URLs that begin with g, such as Http://g.*******.store/?utm_source=tfikztteuic, the returned data is divided into 3 parts: the URL, user agent, and referer of the site to be attacked. A hard-coded string, Snewxwri, is used to split the returned data; the code is as follows:
After obtaining the URL, user agent, and referer of the site to be attacked, the malware creates 20 WebView instances and uses each WebView to access the target site. The implementing code is as follows:
Deceptive Click Attack
Variant B has two built-in URL addresses, as follows:
Http://ww68.c.********.us/?utm_source=tfikztteuic
Http://ww68.d.********.us/?utm_source=tfikztteuic
The data returned by these two URLs is similar: a block of content is placed in the title of the HTML, and this content is split by a hard-coded string (such as "Eindoejy") into 3 or 4 parts. The first 3 parts are always the same kind: a URL, a section of JS code, and a user agent. There may also be a fourth field, presumably a country abbreviation; in the sample it is CN (representing China). Requesting the address returns data similar to the following figure:
The virus handles this data by loading the returned URL in a WebView and, once the page has loaded, executing the section of JS code. The JS code collects all URL links on the page (by looking for HTML a tags), randomly picks one, and simulates a mouse click on it. The implementation code is as follows:
The JS code that simulates the mouse click is as follows:
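The three C&C response formats described above (the "Snewxwri"-separated host/port and URL/user-agent/referer replies of variant A, and the "Eindoejy"-separated HTML title payload of variant B) can be decoded into structured indicators for triage. The code below is an added example written for this page, not the malware's own code or code from the 360 write-up; the delimiters and field order come from the analysis, while the sample responses, host names and JS string are constructed placeholders.

```python
# Added example: decode WireX C&C responses captured in a sandbox into
# structured records. Delimiters "Snewxwri" / "Eindoejy" are from the
# write-up; the sample inputs at the bottom are constructed, not real captures.
import re

UDP_DELIM = "Snewxwri"    # variant A: "u" (host/port) and "g" (url/ua/referer)
CLICK_DELIM = "Eindoejy"  # variant B: payload carried in the HTML <title>


def parse_udp_target(body: str) -> dict:
    """Variant A 'u' reply: '<host>Snewxwri<port>'."""
    parts = body.split(UDP_DELIM)
    if len(parts) != 2:
        raise ValueError(f"expected 2 parts, got {len(parts)}")
    host, port = parts[0].strip(), int(parts[1].strip())
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return {"kind": "udp_flood", "host": host, "port": port}


def parse_webview_target(body: str) -> dict:
    """Variant A 'g' reply: '<url>Snewxwri<user-agent>Snewxwri<referer>'."""
    parts = [p.strip() for p in body.split(UDP_DELIM)]
    if len(parts) != 3:
        raise ValueError(f"expected 3 parts, got {len(parts)}")
    return {"kind": "webview_access", "url": parts[0],
            "user_agent": parts[1], "referer": parts[2]}


def parse_click_task(html: str) -> dict:
    """Variant B reply: <title> holds 'url|js|ua[|country]' split by Eindoejy."""
    m = re.search(r"<title>(.*?)</title>", html, re.S | re.I)
    if not m:
        raise ValueError("no <title> element in response")
    parts = [p.strip() for p in m.group(1).split(CLICK_DELIM)]
    if len(parts) not in (3, 4):
        raise ValueError(f"expected 3 or 4 parts, got {len(parts)}")
    return {"kind": "click_fraud", "url": parts[0], "js": parts[1],
            "user_agent": parts[2], "country": parts[3] if len(parts) == 4 else None}


def expected_udp_bytes(threads: int = 50, sends: int = 10_000_000, size: int = 512) -> int:
    """Theoretical flood volume per the write-up: 50 threads x 10M sends x 512 bytes."""
    return threads * sends * size


if __name__ == "__main__":  # constructed samples, for illustration only
    print(parse_udp_target("192.0.2.10Snewxwri80"))
    print(parse_webview_target("http://example.test/SnewxwriMozilla/5.0Snewxwrihttp://ref.test/"))
    print(parse_click_task("<html><title>http://example.test/Eindoejyvoid(0)EindoejyMozilla/5.0EindoejyCN</title></html>"))
    print(expected_udp_bytes())
```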
Attack Controller
These attacks are implemented in an Android service, so how are they started? Reverse analysis of the APK shows that it registers broadcast receivers for certain events, such as network connectivity changes and device-admin enablement; these receivers start the Attack Controller service, which is responsible for launching the various attacks. The code implementation is as follows:
The implementation differs somewhat between variants, and so does the attack intensity; this variant restarts an attack every 55 seconds.
Original address: http://blogs.360.cn/blog/analysis_of_wirex_botnet/