The contains a value between CSubTask.dwStartIP and CSubTask.dwEndIP, incremented by one for each subsequent packet transmitted. The value of , similarly, is between CSubTask.wStartPort and CSubTask.wEndPort, incremented by one for each new packet. If or exceeds CSubTask.dwEndIP or CSubTask.wEndPort, respectively, its value begins again at CSubTask.dwStartIP or CSubTask.wStartPort, respectively. The value originates from the CSubTask.dwTargetIP values.

Each time that CThreadAttack::PktAtk issues a CSubTask.taskType = 0x83 attack, CThreadAttack::PktAtk mutates a single randomly generated subdomain name by one character by calling CThreadAttack::DomainRandEx. CThreadAttack::DomainRandEx randomly selects a character within the outer-level subdomain and replaces it with a letter or number from the string “abcdefghijklmnopqrstuvwxyz0123456789”.

Once constructed, CThreadAttack::PktAtk transmits the entire UDP/IP packet with the DNS query datagram to the specified DNS server by calling CNetBase::Sendto. The use of a raw socket and CNetBase::Sendto means that Variant B sends a true spoofed packet instead of a UDP/IP-encapsulated UDP/IP packet. After transmitting the request, CThreadAttack::PktAtk immediately generates another datagram in the same manner and repeats the process continuously until the termination signal occurs or the attack’s specified duration has been met.
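The three traits described above (source IP stepping by one, source port stepping by one, and the leftmost label changing by exactly one character from the [a-z0-9] alphabet) can be turned into a detection heuristic for query logs collected at a resolver; the following is an added example written for this page, not code from the report or the malware, and it assumes a hypothetical "src_ip src_port qname" log format and constructed sample lines.

```python
import ipaddress
# Alphabet the report quotes for DomainRandEx replacement characters.
LABEL_ALPHABET = set("abcdefghijklmnopqrstuvwxyz0123456789")

def parse_log(text):
    """Parse constructed 'src_ip src_port qname' lines (hypothetical format) into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ip, port, qname = line.split()
            rows.append((int(ipaddress.ip_address(ip)), int(port), qname.rstrip(".").lower()))
    return rows

def _steps_by_one(prev, cur):
    # The generator adds one per packet and restarts at the range start after
    # the end, so a +1 step or a backward reset both fit the described pattern.
    return cur - prev == 1 or cur < prev

def _mutated_by_one(prev_label, cur_label):
    # DomainRandEx swaps one character of the leftmost label for one from the
    # alphabet, so successive labels have equal length and differ in <= 1 position.
    if len(prev_label) != len(cur_label) or not set(cur_label) <= LABEL_ALPHABET:
        return False
    return sum(a != b for a, b in zip(prev_label, cur_label)) <= 1

def longest_flood_run(rows):
    """Longest run of consecutive queries showing all three taskType 0x83 traits."""
    run = best = 0
    for (p_ip, p_port, p_name), (c_ip, c_port, c_name) in zip(rows, rows[1:]):
        p_label, _, p_base = p_name.partition(".")
        c_label, _, c_base = c_name.partition(".")
        ok = (_steps_by_one(p_ip, c_ip) and _steps_by_one(p_port, c_port)
              and p_base == c_base and _mutated_by_one(p_label, c_label))
        run = run + 1 if ok else 0
        best = max(best, run)
    return best

def looks_like_dns_flood(text, min_run=4):
    """True when a long enough run of the flood pattern appears in the log text."""
    return longest_flood_run(parse_log(text)) >= min_run

# Constructed sample capture (not from the report): four sequential
# spoofed-looking queries, then a wrap back to the start of the ranges.
SAMPLE_LOG = """\
10.0.0.1 40000 k7x2q.example.net
10.0.0.2 40001 k7x2z.example.net
10.0.0.3 40002 k7m2z.example.net
10.0.0.4 40003 a7m2z.example.net
10.0.0.1 40000 a7m9z.example.net
"""
```

The backward-reset rule in `_steps_by_one` is deliberately loose because the observer does not know the configured dwStartIP/dwEndIP or wStartPort/wEndPort ranges; tune `min_run` to the resolver's normal query rate.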
2.4.2.5 CSubTask.taskType = 0x84: DNS AMPLIFICATION

CSubTask.taskType = 0x84 attacks generate a UDP/IP packet consistent with the type of packet found in a DNS amplification attack. Variant B’s CThreadAttack::PktAtk generates the exact same packet, using the exact same IP and port value generation, as Variant A for the DNS amplification attack as defined in Section 2.4.1.5.

Once constructed, CThreadAttack::PktAtk transmits the entire UDP/IP packet with the DNS query datagram to the specified DNS server by calling CNetBase::Sendto. The use of a raw socket and CNetBase::Sendto means that Variant B sends a true spoofed packet instead of a UDP/IP-encapsulated UDP/IP packet. After transmitting the request, CThreadAttack::PktAtk immediately generates another datagram in the same manner and repeats the process continuously until the termination signal occurs or the attack’s specified duration has been met.
3. BILLGATES MALWARE ANALYSIS

Source Sample SHA-256:
b11a6bd1bcbb759252fb252ee1122b68d44dcc275919cf95af429721767c040a
edb59ca2fdbf2afb45755fa307f4274b0029b7a80b62fb13895574894bc17205
f018976240911e5eb6bb7051fc2a4590a480a61e744f57e69e63880ffc84aea3
The BillGates malware [9] is the big brother of the Elknot payload malware. Like the Elknot payload malware, the BillGates malware is a gcc-compiled binary with the runtime library statically linked and with the function names intact. According to the information present within the binary, BillGates is made up of 39 C++ files. Many of the files within BillGates mirror Elknot source code files, as seen in the following table mapping the source code files of BillGates to Elknot’s, in order of compilation.
[9] ValdikSS. “Исследуем Linux Botnet «BillGates»” (“Investigating the Linux Botnet ‘BillGates’”), http://habrahabr.ru/post/213973/, 26 February 2014.
THE ELASTIC BOTNET REPORT 25