
Analysis of a cross-platform DDoS botnet

Author: FB客服 | Published 2018-02-02 11:41:20 | Column: FreeBuf

A recent MalwareMustDie post covered some Linux malware samples tied to DNS amplification attacks. I am very interested in Linux malware research, and this sample stood out because it carries a DDoS attack module, so I wanted to dig into it. I ran the sample in a Linux sandbox, where it connected to its C&C. Although I did not observe any DDoS attack activity, I analysed the PCAP of the session and later examined a memory image with Volatility; the Volatility results are at the bottom of this post. The malware was downloaded from hxxp://198.2. [.] 192.204:22/disknyp. The sample's MD5 hash is 260533ebd353c3075c9dddf7784e86f9.

The C2 is at 190.115.20.27:59870. According to the PCAP, the infected host connected to the C2 at 18:46. Once connected, it sent the local Linux kernel version string: Linux 2.6.32-33-generic-pae.

Interestingly, the C2 connection is persistent: the infected host keeps the session to port 59870 open. At 21:13 the C2 sent a 75-byte message, and from then on it sent a new 75-byte sequence roughly every thirty seconds. The capture shows them back to back; reproduced here with one message per line:

01:00:00:00:43:00:00:00:00:fd:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c6:9c:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c6:9c:50:00
01:00:00:00:43:00:00:00:00:fe:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c7:d4:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c7:d4:50:00
01:00:00:00:43:00:00:00:00:ff:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c6:9b:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c6:9b:50:00

Decimal offset 9 looks like a counter that increments with each sequence from the C2 (fd 05, fe 05, ff 05, i.e. little-endian 0x05FD, 0x05FE, 0x05FF), while the byte at decimal offset 28 alternates between 0xC6 and 0xC7. This went on until 22:06, when the sequences changed to:

01:00:00:00:43:00:00:00:00:1d:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:73:ee:ed:f5:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:73:ee:ed:f5:58:1b
01:00:00:00:43:00:00:00:00:1e:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:7a:e0:22:c7:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:7a:e0:22:c7:58:1b
01:00:00:00:43:00:00:00:00:1f:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:0e:11:5f:4a:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:0e:11:5f:4a:58:1b
01:00:00:00:43:00:00:00:00:20:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:3d:84:e6:15:5b:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:3d:84:e6:15:5b:1b

The counter at offset 9 keeps incrementing (1d 06 through 20 06), but the six bytes at decimal offsets 26 to 31 now change with every message, and the byte at decimal offset 40 has dropped from 0x1E to 0x0C. The bot again answered with 27-byte sequences, but decimal offset 19 now carries a value between 0 and 2:

00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
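To make the byte-level observations above reproducible, here is an added example (not the original author's code) that splits the quoted dumps into fixed-length messages, reads the little-endian counter at decimal offset 9, reports which offsets change between consecutive beacons, and lists the bytes that stay constant across all of them, which is the part a network signature would key on. The message bytes are the sequences reproduced above; "counter" and "flag" are working labels from byte-diffing, not a recovered protocol specification.

```python
"""Decode the 75-byte C2 beacons and 27-byte bot replies quoted above.

Added example, not the original author's code. The message bytes are the
sequences from the capture as reproduced in the write-up; "counter" and
"flag" are working labels from byte-diffing, not a recovered protocol
specification.
"""
import re
import struct

BEACON_LEN = 75  # every C2 -> bot message in the capture is 75 bytes
REPLY_LEN = 27   # every bot -> C2 reply is 27 bytes

# C2 -> bot, from 21:13 (one message per line, colon-separated as in the post).
BEACONS_2113 = """
01:00:00:00:43:00:00:00:00:fd:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c6:9c:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c6:9c:50:00
01:00:00:00:43:00:00:00:00:fe:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c7:d4:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c7:d4:50:00
01:00:00:00:43:00:00:00:00:ff:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c6:9b:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c6:9b:50:00
"""

# C2 -> bot, from 22:06.
BEACONS_2206 = """
01:00:00:00:43:00:00:00:00:1d:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:73:ee:ed:f5:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:73:ee:ed:f5:58:1b
01:00:00:00:43:00:00:00:00:1e:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:7a:e0:22:c7:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:7a:e0:22:c7:58:1b
01:00:00:00:43:00:00:00:00:1f:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:0e:11:5f:4a:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:0e:11:5f:4a:58:1b
01:00:00:00:43:00:00:00:00:20:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:3d:84:e6:15:5b:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:3d:84:e6:15:5b:1b
"""

# bot -> C2 replies.
REPLIES = """
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
"""


def parse_hex_stream(text: str, msg_len: int) -> list[bytes]:
    """Split a colon-separated hex dump into fixed-length messages.

    Every non-hex character is dropped first, so the dump may be wrapped
    anywhere, even in the middle of a byte as in the original post.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits in dump")
    raw = bytes.fromhex(digits)
    if len(raw) % msg_len:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {msg_len}")
    return [raw[i:i + msg_len] for i in range(0, len(raw), msg_len)]


def beacon_counter(msg: bytes) -> int:
    """Little-endian 16-bit value at decimal offset 9 (fd 05 -> 0x05fd, ...)."""
    return struct.unpack_from("<H", msg, 9)[0]


def reply_flag(msg: bytes) -> int:
    """Byte at decimal offset 19 of a bot reply (0, 1 or 2 in this capture)."""
    return msg[19]


def changed_offsets(msgs: list[bytes]) -> set[int]:
    """Offsets whose value differs between at least one pair of consecutive messages."""
    changed: set[int] = set()
    for a, b in zip(msgs, msgs[1:]):
        changed.update(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    return changed


def invariant_bytes(msgs: list[bytes]) -> dict[int, int]:
    """Offsets holding the same value in every message: the bytes a network
    signature could match on, as opposed to the per-message fields."""
    first = msgs[0]
    return {i: first[i] for i in range(len(first))
            if all(m[i] == first[i] for m in msgs)}


if __name__ == "__main__":
    for label, dump in (("21:13", BEACONS_2113), ("22:06", BEACONS_2206)):
        msgs = parse_hex_stream(dump, BEACON_LEN)
        print(label, "counters:", [hex(beacon_counter(m)) for m in msgs],
              "changing offsets:", sorted(changed_offsets(msgs)))
    print("reply flags:", [reply_flag(m) for m in parse_hex_stream(REPLIES, REPLY_LEN)])
    inv = invariant_bytes(parse_hex_stream(BEACONS_2113 + BEACONS_2206, BEACON_LEN))
    print("invariant offsets:", sorted(inv))
```

Running it shows the counter 0x05FD..0x05FF and then 0x061D..0x0620, the changing offsets {9, 28, 29, 71, 72} before 22:06 and {9, 26..30, 69..73} after, and the reply flag sequence 0, 1, 2, 0, 0. Offsets 0 to 8 and 52 to 63 are identical in every beacon, so those are the bytes to anchor a detection on; the counter and the six-byte fields at 26 and 69 are not.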

Memory image analysis with Volatility

(linux_pslist output)

linux_pslist shows the "disknyp" process starting at 23:45 with PID 1241; no child processes were recorded.

(linux_lsof -p 1241 output)

(linux_proc_maps -p 1241 output for the "disknyp" process)

The executable's path is /tmp/disknyp, the location disknyp was originally run from. Dumping the process's mappings produced two files in /user/tmp/, task.1241.0x8048000.vma and task.1241.0x8168000.vma. task.1241.0x8048000.vma is a 32-bit ELF executable (0x08048000 is the default load address of an i386 ELF binary); looking at the strings inside it:

The string "fake.cfg" appears, a file known to be associated with this malware. I then tried to locate the original file under /tmp in the memory image:

(linux_yarascan output)

With the yarascan plugin we can check whether the string is referenced anywhere else in the image. "fake.cfg" is found only in PID 1241, "disknyp". Using the linux_find_file plugin again, we can see that "fake.cfg" is at inode 0xed9dc088 and dump its contents:
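As an added example (not the author's tooling), the code below reproduces the two triage steps applied to the dumped VMA: read the ELF identification fields to confirm the dump is a 32-bit little-endian executable, roughly what `file` reports, and pull printable strings from it to find indicators such as fake.cfg. The buffer is constructed here to stand in for task.1241.0x8048000.vma, whose contents the page does not reproduce; the header values and embedded strings are assumptions for the demonstration.

```python
"""Triage a VMA dumped with linux_proc_maps: is it an ELF image, and which
indicator strings does it contain?

Added example, not the original author's tooling. The buffer built by
build_sample_vma() is constructed here to stand in for
task.1241.0x8048000.vma; the real dump is not reproduced on the page.
"""
import re
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
EM_NAMES = {3: "i386", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def describe_elf(buf: bytes) -> Optional[dict]:
    """Read e_ident plus e_type/e_machine, roughly what `file` reports for an ELF.
    Returns None when the buffer does not start with an ELF header."""
    if len(buf) < 20 or buf[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = buf[4], buf[5]
    endian = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    e_type, e_machine = struct.unpack_from(endian + "HH", buf, 16)
    return {
        "class": ELF_CLASS.get(ei_class, f"unknown({ei_class})"),
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def printable_strings(buf: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII of at least min_len bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, buf)]


def indicators(buf: bytes, wanted: tuple[str, ...]) -> list[str]:
    """Strings from the dump that contain any of the wanted indicators."""
    return [s for s in printable_strings(buf) if any(w in s for w in wanted)]


def build_sample_vma() -> bytes:
    """Constructed stand-in for the dumped text segment (not the real file):
    a minimal ELF32 LSB executable header for i386, followed by filler that
    embeds the two strings the write-up hunts for."""
    e_ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8        # ELF32, LSB, EV_CURRENT, SYSV ABI
    header = e_ident + struct.pack("<HHII", 2, 3, 1, 0x08048100)  # ET_EXEC, EM_386, version, e_entry
    header = header.ljust(52, b"\0")                             # Elf32_Ehdr is 52 bytes
    body = b"\0" * 0x40 + b"fake.cfg\0" + b"\xde\xad" * 8 + b"/tmp/disknyp\0" + b"ab\0"
    return header + body


if __name__ == "__main__":
    vma = build_sample_vma()
    print(describe_elf(vma))
    print(indicators(vma, ("fake.cfg", "disknyp")))
```

On a real dump, pass the file's bytes to describe_elf() first: a VMA dumped from a non-executable mapping (heap, stack, the 0x8168000 data segment) will not start with the ELF magic, and only the strings pass applies to it.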

Originally published 2014-01-23. Shared from the FreeBuf WeChat public account through the Tencent Cloud self-media sharing program.
