Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
The CStatBase class captures information about the victim machine including:<br />
1) system version via uname(). This includes the system name and the release info<br />
(from CStatBase::GetSysVersion).<br />
2) the CPU speed via /proc/cpuinfo parsing (from CStatBase::GetCpuSpd)<br />
3) the number of user mode, niced and kernel processes via /proc/stat parsing<br />
(from CStatBase::InitGetCPUUse and CStatBase::GetCPUUse)<br />
4) network statistics via parsing /proc/net/dev (from CStatBase::InitGetNetUse and<br />
CStatBase::GetNetUse)<br />
The CServerIP class encapsulates the information about a group of C2 servers using an STL map. The<br />
CServerIP class appears to only use one hardcoded IP. The IP address and port are encrypted in the<br />
same manner as found in the dropper (though the dropper never actually decrypts the information).<br />
The encoding scheme is a simple increment or decrement of each byte based on the position of<br />
the byte relative to the starting position. Simply put, starting at byte 0, if the position of the byte<br />
being decrypted is even, the byte is decremented by one; otherwise the byte is incremented by one.<br />
For example, if the encrypted string is “:2/024/77-3/:”, the algorithm translates the string into<br />
93.115.86.209.<br />
After initializing the CStatBase and CServerIP objects, the main loop begins when<br />
CManager::StartNetProcess is invoked. CManager is the encapsulating object for the bulk<br />
of the malware’s operation. Given that the object is static and global, it is initialized by calling<br />
CManager::CManager as part of the __libc_csu_init startup function. As part of the initialization<br />
of the CManager object, various additional classes are instantiated and initialized. Notably, the<br />
CThreadAttack class is instantiated 20 times, but left in an idle state; this object will be further<br />
examined later in this report.<br />
CManager::StartNetProcess begins by calling CFake::Initialize. CFake::Initialize looks for a<br />
file called fake.cfg within the same directory as the malware on the victim’s machine. The fake.cfg<br />
file is a text file containing state information in the following structure:<br />
{decimal number}<br />
{IP Address}:{IP Address}<br />
{Port Number}:{Port Number}<br />
{Remarks}<br />
The CFake object, as seen in memory, takes the following form:<br />
struct CFake<br />
{<br />
std::string strSaveFileName;<br />
CSubTask cLastTaskInfo;<br />
CThreadMutex cAccessLock;<br />
}<br />
The CFake object, at its core, revolves around the CSubTask object. The CSubTask object defines a<br />
specific task (attack) that Elknot is to perform. CSubTask, as will be explained later, is heavily used by<br />
CThreadAttack for directing any given operation defined by the C2 server. The CSubTask object, as<br />
seen in memory, takes the following form:<br />
THE ELASTIC BOTNET REPORT<br />
9