Brief Analysis of A DDoS Trojan
This article is a foreign researcher's analysis of a DDoS Trojan. The MD5 of the Trojan sample is 67877403db7f8ce451b72924188443f8.
Install
The main function of the malware calls two subroutines to check whether the malware is already installed on the system.
The trojan checks registry keys and file paths such as the following:
Note that the install location is the SysWOW64 folder, which exists only on 64-bit Windows: this trojan targets 64-bit systems and will not install on a 32-bit operating system.
From the registry check we can see that this trojan installs itself as a service named "Iptablex Services".
If both checks fail (that is, the trojan is not yet installed), it goes on to examine its own command-line arguments.
This trojan program accepts two command-line arguments:
1: xxxxClient
2: del
The "xxxxClient" argument is used when the trojan is launched, after installation and initialization have completed, to carry out the C2 communication.
The "del" argument causes the trojan to delete itself.
On the first run, all of these checks fail, and the trojan proceeds along the following path:
Before the installation routine is called, "TerminateProcessWithModules" is invoked. This subroutine enumerates all running processes and their loaded DLLs; if a process has a module with the same name as the trojan's own file, that process is terminated.
Processes whose parent process ID equals the current process ID are skipped, because the installer itself is launched as a child process. See below for the details.
This subroutine is buggy, however. It calls "ConvertUnicodetoAscii" on PROCESSENTRY32.szExeFile, which is already an ASCII (ANSI) string, so the "conversion" mangles the name and the comparison never matches. As a result, it never terminates an already-running instance of the same malware.
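As an added illustration of this bug (example code written for this discussion, not code from the trojan), the program below applies a naive UTF-16LE-to-ASCII narrowing loop once to a genuine UTF-16LE buffer and once to an ANSI buffer of the kind PROCESSENTRY32.szExeFile holds. The narrowing loop is an assumed stand-in for the trojan's ConvertUnicodetoAscii, whose body is not shown on this page; the file name "malware.exe" is a constructed sample input, and the 260-byte buffer size is MAX_PATH, the size of szExeFile.

```c
/* Added example: why narrowing an ANSI string as if it were UTF-16 can never
 * yield a matching module name. The narrowing loop is ASSUMED (a typical naive
 * implementation), not the trojan's own ConvertUnicodetoAscii. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SZEXEFILE_LEN 260   /* MAX_PATH: size of PROCESSENTRY32.szExeFile */

/* Assumed naive narrowing: read buf as UTF-16LE code units and keep the low
 * byte of each unit until a zero unit is reached or the output is full. */
static void narrow_utf16le(const uint8_t *buf, size_t buf_len,
                           char *out, size_t out_len)
{
    size_t i = 0, o = 0;
    if (out_len == 0)
        return;
    while (i + 1 < buf_len && o + 1 < out_len) {
        uint16_t unit = (uint16_t)(buf[i] | (buf[i + 1] << 8));
        if (unit == 0)
            break;
        out[o++] = (char)(unit & 0xFF);
        i += 2;
    }
    out[o] = '\0';
}

/* Encode an ASCII name as UTF-16LE into a zero-filled buffer, i.e. what a
 * PROCESSENTRY32W.szExeFile would contain. */
static void to_utf16le(const char *s, uint8_t *buf, size_t buf_len)
{
    size_t n;
    memset(buf, 0, buf_len);
    for (n = 0; s[n] && 2 * n + 1 < buf_len; n++)
        buf[2 * n] = (uint8_t)s[n];
}

/* Copy an ASCII name into a zero-filled ANSI buffer, i.e. what the ANSI
 * PROCESSENTRY32.szExeFile actually contains. */
static void to_ansi(const char *s, uint8_t *buf, size_t buf_len)
{
    memset(buf, 0, buf_len);
    strncpy((char *)buf, s, buf_len - 1);
}

/* Model of the trojan's comparison: narrow the enumerated name, then compare
 * it with the trojan's own module name. */
static int module_matches_self(const uint8_t *entry, size_t entry_len,
                               const char *self_name)
{
    char narrowed[SZEXEFILE_LEN];
    narrow_utf16le(entry, entry_len, narrowed, sizeof narrowed);
    return strcmp(narrowed, self_name) == 0;
}

/* Case 1: the entry really is UTF-16LE, so the narrowing works. Returns 1. */
int match_with_wide_entry(const char *name)
{
    uint8_t entry[SZEXEFILE_LEN * 2];
    to_utf16le(name, entry, sizeof entry);
    return module_matches_self(entry, sizeof entry, name);
}

/* Case 2: the entry is ANSI (the trojan's real situation), so every second
 * character is dropped and the comparison fails. Returns 0. */
int match_with_ansi_entry(const char *name)
{
    uint8_t entry[SZEXEFILE_LEN];
    to_ansi(name, entry, sizeof entry);
    return module_matches_self(entry, sizeof entry, name);
}

/* Expose the mangled name for the ANSI case ("malware.exe" -> "mlaeee"). */
void mangled_ansi_name(const char *name, char *out, size_t out_len)
{
    uint8_t entry[SZEXEFILE_LEN];
    to_ansi(name, entry, sizeof entry);
    narrow_utf16le(entry, sizeof entry, out, out_len);
}

int main(void)
{
    const char *name = "malware.exe";   /* constructed sample file name */
    char mangled[SZEXEFILE_LEN];
    mangled_ansi_name(name, mangled, sizeof mangled);
    printf("UTF-16 entry matches self: %d\n", match_with_wide_entry(name));
    printf("ANSI entry matches self:   %d (narrowed to \"%s\")\n",
           match_with_ansi_entry(name), mangled);
    return 0;
}
```

The ANSI case turns "malware.exe" into "mlaeee", which can never equal the trojan's own file name, so the terminate branch is unreachable for a second instance. Reading szExeFile directly as an ANSI string, or enumerating with PROCESSENTRY32W/Process32FirstW before converting, would give the comparison the author evidently intended.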
It not only creates and starts the "Iptablex Service" service, but also launches a copy of itself with the "del" argument.
The service starts in the ServiceProc subroutine. During initialization, two Windows global event objects are created: Global\hbllxxxxServer and Global\hbllxxxxClient.
These events are important for the child process, which must be able to tell when the initialization phase is over. The service then starts a new instance of the executable with the "xxxxClient" argument.
The following subroutine starts the new instance.
The CheckEvents subroutine checks whether the global events have been set. The C2 parameters (port, IP address or domain name) are decoded with the following simple algorithm.
When a domain name is used instead of an IP address, the IP field holds the placeholder value 0xAAAAAAAA; the DWORD at EncodedByteStream + 1 is compared against this placeholder to decide whether a domain name has to be resolved.
Following the code further, we find that this domain name is used with a hard-coded port number, 2345.
To skip the installation routine and make analysis easier, the following program creates the events and keeps them alive before debugging starts:
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

/* Create the two global events that the trojan's service would normally
   create, so that an instance started with "xxxxClient" believes the
   initialization phase is already finished. */
int startEvent(void)
{
    HANDLE hObject;
    HANDLE hEvent;

    /* Server event: auto-reset, initially not signaled */
    hObject = CreateEventA(NULL, FALSE, FALSE, "Global\\hbllxxxxServer");
    if (hObject) {
        /* ERROR_ALREADY_EXISTS (183): another instance already owns the event */
        if (GetLastError() != ERROR_ALREADY_EXISTS) {
            /* Client event: auto-reset, created in the signaled state */
            hEvent = CreateEventA(NULL, FALSE, TRUE, "Global\\hbllxxxxClient");
            if (hEvent)
                return 1;
        }
        CloseHandle(hObject);
    }
    return 0;
}

int main(int argc, char **argv)
{
    startEvent();
    /* Keep the process, and therefore the named events, alive while debugging */
    while (1) {
        Sleep(3000);
    }
    return 0;
}
If we then start the binary with the "xxxxClient" argument, the installation phase is skipped and execution goes straight into the C2 communication subroutine.
C2 Communication
An initial beacon packet is sent to the C2 server in plaintext. It carries information about the infected host, mostly about the operating system and the installed hardware. If Windows Server 2008 and an AMD processor are detected, an additional marker value is placed in the packet.
After the beacon is sent, a thread is created to receive commands from the server, with a receive timeout of 30 seconds. If nothing is received within 30 seconds, the string "xy" is sent to the server.
Any received command with a length of 262 bytes or more is discarded.
Commands from the C2 are dispatched to handlers, for example the TCP_RAW DDoS attack and a routine that updates the binary.