Linux.BackDoor.MrBlack Attack and Defense analysis

Catalogue

1 . Overview of Malicious programs 2 . Module Decomposition 3 . Communication Protocols 4. Trojan Cleaning

1. Malicious Programs Overview

0x1: Support Attack mode

1 . Dns_flood2. Syn_flood3. Udp_flood4. Udps_flood5. Tcp_flood (Access specified IP)6. Cc_flood (Access specified URL)7. Cc2_flood8. Cc3_flood .

0x2: Client Support architecture

1 . em_3862. em_x86_643. Em_mips4. Em_arm5. PE x86//written mostly in C + +//Debug info often not stripped

0x3: Enduring Viability

1. Killing competing resource consuming processes2. Register as a service, self-boot1)/etc/init.d/: Startup scripts copied here2)/etc/cron.<s>: <S> from{hourly, daily, weekly, monthly}3) A service can be added to/etc/crontab4)/etc/rc<n>.d/: Symbolic links to startup scripts,<n> isA runlevel indicator (Halt0; Single-user1; multi-user2-5; Reboot6)    5) Alternatively, path can be added to/etc/rc.local

0x4: Anti-debugging capability

1 . In plain form or packed with UPX2. UPX sometimes modified to avoid unpacking by the original UPX tool    1) Modified Magic value     2 does not match

0x5:trojan client program Distribution

1 using a customized builder     1 ) on-line domain name, on-    line Port configurable 2) communication key configurable 2. Start Http File Server (HFS), which will Hosting the previously built malicious binaries    1) set up HSF server to provide download for malicious programs

Relevant Link:

Https//www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdfHttps//www.virusbulletin.com/uploads/pdf/conference_slides/2015/KalnaiHorejsi-VB2015.pdfhttp//www.digitaltrends.com/computing/mrblack-malware-botnet/http//blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.htmlhttp//www.kernelmode.info/forum/viewtopic.php?f=16&t=3483Https//www.threatcrowd.org/malware.php?md5=08efb1ffc680abc242f40a0ad72906baHttps//www.virustotal.com/en/file/7b5c0ef6d9d38466dedea7ae07b363d5849580f6d0615cf47804f942d1d2034a/analysis/

2. Module decomposition
3. Communication protocols

def datareceived (self, data): Print"Server said:", Data.encode ('Hex') Datalen=len (data)ifDatalen = =1: #HEART Print"Heart"elif Datalen> -and data[0] =='\x06': #DDOS iplist= Self.extractips (data, data[0x108])            ifdata[0x108] =='\x01': Attacktype='TCP SYN'elif data[0x108] =='\x02': Attacktype='UDP'elif data[0x108] =='\x03': Attacktype='ICMP'elif data[0x108] =='\x04': Attacktype='DNS'elif data[0x108] =='\x05': Attacktype='CC'#save Attack Info forIpinchiplist:target_ip= Socket.inet_ntoa (struct. Pack ('I', Socket.htonl (ip[0]))[::-1]) Target_url=""Target_port= STR (ip[1]) Target_attack_type=attacktype Print {target_ip, Target_url, Target_port, Target_attack_type} Eventreporter.saveatt Ackevent (Server=self.server, cmd='DDOS', Cmd_desc=target_attack_type, VICTIM_IP=TARGET_IP, Victim_port=target_port,victim_url=target_url)

4. Trojan Cleaning
Copyright (c) Littlehann All rights reserved

Linux.BackDoor.MrBlack Attack and Defense analysis