Investigation of Linux.Mirai Trojan family

More documents

Recommendations

Info

28 28 .text:080481B0 .text:080481B0 ; =============== S U B R O U T I N E ======================================= .text:080481B0 .text:080481B0 ; Attributes: noreturn .text:080481B0 .text:080481B0 cmd17 proc near ; CODE XREF: cmd17j .text:080481B0 fillCmdHandlers+2EBo .text:080481B0 jmp short cmd17 .text:080481B0 cmd17 .text:080481B0 endp ; DATA XREF: Other handlers act as follows: void handle(target *t, param *p){ the Trojan receives packet parameters a packet is created for every target yet 1 { for every target if (maskbits
29 29 The getNumberOrDefault function has the following structure: int __cdecl getNumberOrDefault(unsigned __int8 length, param2 *param, char id, int default) It returns the value from the parameter array with the specified id or the value default if the id is not found. Values for the id field: Id Value 0 It is changed depending on the handler and implies either the length of the whole packet or the length of the data. 1 For some types of attacks, it determines whether random data needs to be generated in the packet. 2 ip_header.TOS 3 ip_header.identification 4 ip_header.TTL 5 ip_header.flags
Page 1 and 2: Investigation of Linux.Mirai Trojan
Page 3 and 4: 3 3 Introduction A Trojan for Linux
Page 5 and 6: 5 5 v1[1] = XX; v1[2] = XX; v1[3] =
Page 7 and 8: 7 7 Number Data type Value Purpose
Page 9 and 10: 9 9 .text:08048206 mov ds:Q[ecx*4],
Page 11 and 12: 11 11 .text:0804B03C mov dword ptr
Page 13 and 14: 13 13 .text:0804B1FB push 0 ; flags
Page 15 and 16: 15 15 .text:0804B3C1 call ___libc_w
Page 17 and 18: 17 17 .text:0804B4A4 push eax ; int
Page 19 and 20: 19 19 .text:0804B674 push offset a2
Page 21 and 22: 21 21 .text:0804B529 push 4000h ; i
Page 23 and 24: 23 23 } char * data; Code to initia
Page 25 and 26: 25 25 .text:0804BB16 test bl, bl .t
Page 27: 27 27 setsid(); sleep(time); kill(v
Page 31 and 32: 31 31 v9 = __ROR2__(sport, 8); curr
Page 33 and 34: 33 33 .text:0804AD5E add esp, 18h .
Page 35 and 36: 35 35 .text:0804A50F xor ecx, ecx .
Page 37 and 38: 37 37 In addition, TCP parameters w
Page 39 and 40: 39 39 .text:08048F6D mov eax, [esp+
Page 41 and 42: 41 41 Linux.DDoS.89 SHA1: 846b2d1b0
Page 43 and 44: 43 43 } } else { v8 = 0; while ( ++
Page 45 and 46: 45 45 { } decode(4u); decode(5u); c
Page 47 and 48: 47 47 } else { result = __GI_listen
Page 49 and 50: 49 49 Number Decrypted value Purpos
Page 51 and 52: 51 51 .text:0804C218 push 9 ; sig .
Page 53 and 54: 53 53 Number Value Purpose 16 "zoll
Page 55 and 56: 55 55 Next, the Trojan calculates a

Investigation of Linux.Mirai Trojan family

Create successful ePaper yourself

Delete template?

Save as template?