Catalogue
1 . Overview of Malicious programs 2 . Module Decomposition 3 . Communication Protocols 4. Trojan Cleaning
1. Malicious Programs Overview
0x1: Support Attack mode
1 . Dns_flood2. Syn_flood3. Udp_flood4. Udps_flood5. Tcp_flood (Access specified IP)6. Cc_flood (Access specified URL)7. Cc2_flood8. Cc3_flood .
0x2: Client Support architecture
1 . em_3862. em_x86_643. Em_mips4. Em_arm5. PE x86//written mostly in C + +//Debug info often not stripped
0x3: Enduring Viability
1. Killing competing resource consuming processes2. Register as a service, self-boot1)/etc/init.d/: Startup scripts copied here2)/etc/cron.<s>: <S> from{hourly, daily, weekly, monthly}3) A service can be added to/etc/crontab4)/etc/rc<n>.d/: Symbolic links to startup scripts,<n> isA runlevel indicator (Halt0; Single-user1; multi-user2-5; Reboot6) 5) Alternatively, path can be added to/etc/rc.local
0x4: Anti-debugging capability
1 . In plain form or packed with UPX2. UPX sometimes modified to avoid unpacking by the original UPX tool 1) Modified Magic value 2 does not match
0x5:trojan client program Distribution
1 using a customized builder 1 ) on-line domain name, on- line Port configurable 2) communication key configurable 2. Start Http File Server (HFS), which will Hosting the previously built malicious binaries 1) set up HSF server to provide download for malicious programs
Relevant Link:
Https//www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdfHttps//www.virusbulletin.com/uploads/pdf/conference_slides/2015/KalnaiHorejsi-VB2015.pdfhttp//www.digitaltrends.com/computing/mrblack-malware-botnet/http//blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.htmlhttp//www.kernelmode.info/forum/viewtopic.php?f=16&t=3483Https//www.threatcrowd.org/malware.php?md5=08efb1ffc680abc242f40a0ad72906baHttps//www.virustotal.com/en/file/7b5c0ef6d9d38466dedea7ae07b363d5849580f6d0615cf47804f942d1d2034a/analysis/
2. Module decomposition
3. Communication protocols
def datareceived (self, data): Print"Server said:", Data.encode ('Hex') Datalen=len (data)ifDatalen = =1: #HEART Print"Heart"elif Datalen> -and data[0] =='\x06': #DDOS iplist= Self.extractips (data, data[0x108]) ifdata[0x108] =='\x01': Attacktype='TCP SYN'elif data[0x108] =='\x02': Attacktype='UDP'elif data[0x108] =='\x03': Attacktype='ICMP'elif data[0x108] =='\x04': Attacktype='DNS'elif data[0x108] =='\x05': Attacktype='CC'#save Attack Info forIpinchiplist:target_ip= Socket.inet_ntoa (struct. Pack ('I', Socket.htonl (ip[0]))[::-1]) Target_url=""Target_port= STR (ip[1]) Target_attack_type=attacktype Print {target_ip, Target_url, Target_port, Target_attack_type} Eventreporter.saveatt Ackevent (Server=self.server, cmd='DDOS', Cmd_desc=target_attack_type, VICTIM_IP=TARGET_IP, Victim_port=target_port,victim_url=target_url)
4. Trojan Cleaning
Copyright (c) Littlehann All rights reserved
Linux.BackDoor.MrBlack Attack and Defense analysis