分析一个跨平台DDOS僵尸网络
从最近“恶意软件必须死”的帖子了解到一些关于DNS放大攻击相关的LINUX恶意软件样本。我对linux恶意软件的研究非常感兴趣,而且这个很特别,因为他有一个DDOS攻击模块,所以想深入了解一下。
将得到的恶意软件放到linux沙箱中运行,并连接到C&C。虽然我没有看到它有任何DDOS攻击活动,我还是通过PCAP(获取HTTP信息的工具)做了分析,波动图像在文章底部可见。
该恶意软件从hxxp://198.2. [.] 192.204:22/disknyp下载而来。样品的MD5哈希值是 260533ebd353c3075c9dddf7784e86f9。
C2的位置:190.115.20.27:59870。根据PCAP提供的信息,被入侵的主机连接到C2的时间为18:46。连接后,被入侵主机发送当前Linux内核信息–Linux 2.6.32-33-generic-pae。
有趣的是,C2是一个持久连接,它保持远程主机在端口59870的连接。在21:13时,C2发送75字节的十六进制信息:
大约每三十秒,C2就发送一个新的75字节序列,例如:
01:00:00:00:43:00:00:00:00:fd:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c6:9c:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c6:9c:50:00 01:00:00:00:43:00:00:00:00:fe:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c7:d4:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c7:d4:50:00 01:00:00:00:43:00:00:00:00:ff:05:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:d4:07:c6:9b:50:00:01:00:00:00:00:00:00:00:1e:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:d4:07:c6:9b:50:00
像是一个计数器,每次从C2的每个序列递增,在十进制0XC6和0XC7之间开始发生变化,直到22:06时,变化值为:
01:00:00:00:43:00:00:00:00:1d:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:73:ee:ed:f5:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:73:ee:ed:f5:58:1b 01:00:00:00:43:00:00:00:00:1e:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:7a:e0:22:c7:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:7a:e0:22:c7:58:1b 01:00:00:00:43:00:00:00:00:1f:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:0e:11:5f:4a:58:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:0e:11:5f:4a:58:1b 01:00:00:00:43:00:00:00:00:20:06:00:00:00:00:00:00:01:00:00:00:01:00:00:00:80:3d:84:e6:15:5b:1b:01:00:00:00:00:00:00:00:0c:00:00:00:00:04:00:00:00:04:00:00:10:27:60:ea:ac:f5:a5:8f:ac:f5:a5:8f:00:00:00:00:00:3d:84:e6:15:5b:1b
机器人的回复再次以27字节序列回复,但小数偏移量19现在有一个值,该值在0-2之间:
00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01:00:00:00:00:00:00:00 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02:00:00:00:00:00:00:00 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
内存映像波动图:
Linux_pslist
“disknyp”进程开始运行时间23:45,PID为1241,子进程没有被记录。
Linux_lsof-p1241
“disknyp”进程,PID 1241
linux_proc_maps
/tmp/disknyp的路径就是原先disknyp的路径,在/user/tmp/生成了2个文件,“task.1241.0×8048000.vma”和“task.1241.0×8168000.vma”。
task.1241.0×8048000.vma: 32频率的声音文件,查看里面的代码:
看到字符串“fake.cfg”正式与此恶意软件相关的文件,我试图在文件中找到原来的/tmp目录:
linux_yarascan
让我们用“yarascan”插件,看看是否有在这个图像中的其他地方引用。
我们看到,字符串“fake.cfg”只可以在PID为1241进程“disknyp”找到,再次使用“linux_find_file”插件,我们可以看到“fake.cfg”位于节点0xed9dc088的内容: