Linux Xorddos Sample Analysis 2

Source: Internet
Author: User
Tags: decrypt

Reverse analysis

Continuing the in-depth analysis of the sample in IDA: in the main function, dec_conf is called first to decrypt a large number of encrypted strings in the sample, as shown in the figure.

Inside dec_conf, the actual decryption is done by the function encrypt_code, and the decryption operation is a bytewise XOR.

The strings in the sample can therefore be decrypted with a script. Part of the decrypted output is shown below (see the comments in the code); it contains the directories the sample uses at run time.

The decrypted target domain name.

The decrypted target IP.

After that, the sample takes one of three execution paths, depending on the number of arguments passed to main.

When argc is 2 (process number 2), the following code runs, which deletes the sample file.

When argc is 1, the sample is in process number 1.
</gml_replace>
<gr_replace lines="25" cat="clarify" orig="First, copy itself">
It first copies itself to /lib/libudev.so, then gets the path of the current sample and checks whether it is /usr/bin, /bin or /tmp. If not, the sample file is copied into those three directories; as soon as one copy succeeds, the remaining directories are skipped. The copied file name is a random string of 10 lowercase letters (generated by the randstr function), while the copy in the /lib directory is named libudev.so.

First, copy itself to/lib/libudev.so, then get the path of the current sample, determine whether it is/usr/bin,/bin,/tmp, if not, then the sample file will be copied to these three directories, where the copy as long as there is one exists, stop to the back of the directory copy, The re-copied file name is randomly generated in 26 lowercase letters (specifically implemented in the RANDSTR function). The length is 10, where the file name of the Lib directory is libudev.so.

Note the files after the two copies.

The first is the original sample file, with its size and MD5 value recorded.

The size and MD5 value of the copy of the sample under /usr/bin.

The size and MD5 value of the copy libudev.so under /lib.

Although these are copies of the same file, the MD5 value of the sample has changed, and the size of the copies outside the /lib directory has changed as well: the copy in /usr/bin is 11 bytes larger. Because identifying a sample by looking up its MD5 is a standard technique in modern antivirus products and generic scanners, a sample whose MD5 changes on every copy makes such MD5 lookups useless. Further analysis of the code shows that every time the sample copies itself, the function randmd5 is run.

In randmd5, 0xB (decimal 11) bytes are written at the end of the file by seeking to its end with lseek, so each copy ends up with a different MD5 value and a different size. The size of /lib/libudev.so does not change because randmd5 is not called after that copy finishes (see the several copy functions for details).
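The randmd5 tail defeats MD5 lookups but not a body comparison. As an added example (not the article's own code), the check below matches dropped copies by their shared body, ignoring the 11 appended bytes; all file contents are constructed stand-ins, not sample bytes.

```python
# Added example (not the article's code): recognising the sample's dropped
# copies even though randmd5 appends 0xB random bytes to each one, so their
# MD5 and size differ. All file contents here are constructed stand-ins.
import hashlib

TAIL = 0xB  # bytes randmd5 appends via lseek() to the end of the copy


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_padded_copy(reference: bytes, candidate: bytes, tail: int = TAIL) -> bool:
    """True if candidate is the reference body plus exactly `tail` extra bytes
    (or an untouched copy, as the /lib copy is)."""
    if candidate == reference:
        return True
    return len(candidate) == len(reference) + tail and candidate.startswith(reference)


def find_copies(reference: bytes, files: dict) -> list:
    """Return the paths in `files` (path -> bytes) whose body matches the
    reference, sorted, ignoring the random tail that defeats MD5 lookups."""
    return sorted(p for p, data in files.items() if is_padded_copy(reference, data))


# Constructed sample: the /lib copy is the untouched reference, the /usr/bin
# and /tmp copies carry a different 11-byte tail, /bin/ls is unrelated.
REFERENCE = b"\x7fELF" + b"xorddos-body-placeholder" * 4
CONSTRUCTED_FILES = {
    "/lib/libudev.so": REFERENCE,
    "/usr/bin/qwertyuiop": REFERENCE + bytes(range(11)),
    "/tmp/asdfghjklz": REFERENCE + b"\xa5" * 11,
    "/bin/ls": b"\x7fELF" + b"legitimate-binary",
}

if __name__ == "__main__":
    for path, data in CONSTRUCTED_FILES.items():
        print(f"{path:22} size={len(data):4} md5={md5_hex(data)}")
    print("same body:", find_copies(REFERENCE, CONSTRUCTED_FILES))
```

On a real host the reference would be /lib/libudev.so (the copy randmd5 never touches) and the candidates the 10-letter files in /usr/bin, /tmp and /bin.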

After the copy finishes, the function linuxexec is called to start the copied sample; on my host it started the copy in the /usr/bin directory. Note that linuxexec is the sample author's wrapper around execvp: besides calling execvp, it calls a function named doublefork, which, as shown, creates a child process and then forks once more, so every call to linuxexec produces a large number of child processes. linuxexec is not the only such function; the author also wrote linuxexec_argv2, which does the same as linuxexec but takes two parameters. Through these two start functions, one copy can be started in several ways so that the sample runs into different execution paths: as mentioned above, there are three, and the arguments passed in decide which one is entered.

For example, here doublefork has produced several child processes.

Because the child is started via linuxexec, its argc is 1, so it enters process 1; since a sample backup already exists in /usr/bin, it takes the second branch of process 1. At the start of that branch the function installsys is called to install a kernel module. However, analysis shows that the function checks a condition before loading the module, and that check causes the loading to be skipped. My guess is that this code is unfinished and the author reserved the function for later refinement.

The branch then calls addservice to set the sample to start automatically, decrypt_remotestr to decrypt the server's IP address, and finally starts a new thread running tcp_thread to communicate with the server.

Communication

Before communicating, tcp_thread first calls getmagic, which checks whether /var/run/gcc.pid exists and then generates a key used to authenticate with the server.

The function then collects the machine's kernel version, processor, number of CPU cores, clock frequency, the key, a static field, and the sample version into the first authentication packet. The packet is encrypted with an algorithm that is the inverse of the decryption algorithm seen earlier.

The encrypted packet is shown in the figure.

Restoring the packet with the earlier script gives its real contents; the string VSYD~VEF serves as the bot's communication credential, and one character is appended to the end of each packet.
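Both the configuration-string decryption described above and the packet encryption use the same bytewise XOR, since XOR is its own inverse. The script below is an added example, not the article's script; the key, the hex blobs, the field separator and the trailing character are constructed placeholders, and the real key must be read from the binary.

```python
# Added example (not the article's script): bytewise XOR with a repeating key,
# which decrypts the sample's configuration strings and, because XOR is its
# own inverse, also produces the encrypted authentication packet.
# KEY is a constructed placeholder; the real key must be taken from the binary.
KEY = b"samplekey"


def xor_crypt(data: bytes, key: bytes = KEY) -> bytes:
    """Decrypts and encrypts alike: each byte is XORed with key[i mod len(key)]."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(blobs: dict) -> dict:
    """Decode a table of hex-encoded encrypted strings (name -> hex).
    Decryption stops at the first NUL, because the sample keeps its
    strings in fixed-size, NUL-padded buffers."""
    out = {}
    for name, hexdata in blobs.items():
        plain = xor_crypt(bytes.fromhex(hexdata))
        out[name] = plain.split(b"\x00", 1)[0].decode("ascii", "replace")
    return out


def build_auth_packet(fields: list, trailer: bytes = b"\n") -> bytes:
    """Assemble the first packet (kernel version, CPU, cores, clock, key,
    static, version) and encrypt it with the same XOR. The "|" separator and
    the single trailing character are assumptions, not taken from the sample."""
    return xor_crypt(b"|".join(fields) + trailer)


# Constructed ciphertexts: "/usr/bin\0\0" and "/lib/libudev.so" under KEY.
SAMPLE_BLOBS = {
    "work_dir": "5c141e024307020b7973",
    "lib_copy": "5c0d0412430902070c17041b5e1f0a",
}

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOBS))
    pkt = build_auth_packet([b"3.10.0", b"x86_64", b"4", b"2400",
                             b"VSYD~VEF", b"static", b"1"])
    print(pkt.hex(), xor_crypt(pkt))  # the second call restores the plaintext
```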

After authenticating with the remote server, the bot receives packets from it containing commands, including the DDoS instructions for the bot and so on; the attack type is determined by analysing the packet type:

Type 4 is a DNS attack.

Type 5 is a SYN attack.

Type 10 is an ACK attack.

There are of course other remote-control types, similar to common Trojans, which are not analysed further here.

The process then enters a loop in which it tries to copy itself into the three directories /usr/bin, /tmp and /bin at once; once a copy succeeds, the backup sample file is used as the executable and started through the function linuxexec_argv2 (this makes the started process enter process 3 in the main function).

When this function starts the sample it passes two parameters, so the child is started as `xxx pid 2333` (xxx being the sample file and 2333 the current process number). When the child enters main, argc is 3, so it enters process 3.

Process 3 checks whether libudev.so exists in the /lib directory. If it does not, the current process's executable image is copied into the three directories /usr/bin, /tmp and /bin (note that the copy source at this point is the file in /usr/bin). When the copy finishes, linuxexec is called to start the sample without parameters; a sample started without parameters enters process 1 in main, and at the beginning of process 1 the process copies itself into /lib, forming the libudev.so file.

At this point we can see why the sample is hard to delete. After the sample starts, the main process A enters process 1, where it first copies itself to /lib/libudev.so and then copies /lib/libudev.so into one of the directories /usr/bin, /tmp, /bin and starts that copy as a child process through linuxexec_argv2. Each child B started this way enters process 3, where it again copies itself into /usr/bin, /tmp and /bin, but now the start function is linuxexec, so the resulting child C goes straight into process 1 and libudev.so is copied into /lib once more. As long as the main process keeps creating child processes (and doublefork makes it create them very quickly), a normal deletion script cannot remove the sample process from the machine: the sample multiplies faster than it can be deleted, and the large number of child processes in turn form an effective shield for the main process.

About removal

Regarding removal: the sample's main process and its child processes protect each other (a mechanism somewhat similar to the early Bang Bang shell protection -_-!), so the usual methods have a hard time cleaning it up, but it can be done as follows.

First find the parent process.

Do not use kill on it here: as analysed above, that would make the child processes restart and generate a new process with a changed parameter. Instead, suspend the parent process with SIGSTOP.

Once it is suspended, all the child processes stop being created and die; without the children's protection the main process stays suspended, and all the sample files on the host can be deleted.

The directories and files that may be involved are:

/usr/bin

/tmp

/bin

/lib/libudev.so

Startup directory

/etc/init.d

Scheduled tasks

/etc/cron.hourly/gcc.sh

As shown below.

Then kill the orphaned parent process.
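The removal order above (suspend the parent, let the children go, delete the files, kill the parent last) as an added example, not the article's own tooling. The process and file actions are injectable so the sequence can be rehearsed offline; the pid 2333 and the 10-letter file names are constructed placeholders, and the name filter is only a triage step because legitimate 10-letter binaries exist.

```python
# Added example (not from the article): the removal order described above,
# with the process and file actions injectable so the sequence can be
# rehearsed offline; on a live host the defaults os.kill/os.remove apply.
# The pid 2333 and the file names used below are constructed placeholders.
import os
import re
import signal

RANDOM_NAME = re.compile(r"^[a-z]{10}$")  # randstr: 10 lowercase letters
PERSISTENCE = ["/lib/libudev.so", "/etc/cron.hourly/gcc.sh"]  # plus the /etc/init.d entry


def suspicious_names(listing: list) -> list:
    """Candidate dropped copies in /usr/bin, /tmp or /bin by name alone.
    Only a triage list: legitimate 10-letter names exist (e.g. journalctl),
    so confirm by comparing file bodies before deleting anything."""
    return [n for n in listing if RANDOM_NAME.match(n)]


def contain_and_remove(parent_pid: int, child_pids: list, paths: list,
                       kill=os.kill, remove=os.remove) -> list:
    """Suspend the parent first so it cannot respawn anything, kill the
    children, delete the dropped files, and only then kill the parent.
    Returns the ordered action log."""
    log = []
    kill(parent_pid, signal.SIGSTOP)            # 1. parent frozen, no respawn
    log.append(("STOP", parent_pid))
    for pid in child_pids:                      # 2. children cannot be replaced now
        kill(pid, signal.SIGKILL)
        log.append(("KILL", pid))
    for path in paths:                          # 3. files, while nothing is running
        try:
            remove(path)
            log.append(("RM", path))
        except FileNotFoundError:
            log.append(("MISSING", path))
    kill(parent_pid, signal.SIGKILL)            # 4. the orphaned parent last
    log.append(("KILL", parent_pid))
    return log


if __name__ == "__main__":
    print("triage:", suspicious_names(["ls", "qwertyuiop", "Qwertyuiop", "abc"]))
    dry = lambda *a: None  # no-op actions for a dry run
    for step in contain_and_remove(2333, [2334, 2335],
                                   ["/usr/bin/qwertyuiop"] + PERSISTENCE,
                                   kill=dry, remove=dry):
        print(step)
```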
