
Linux.BackDoor.MrBlack Attack And Defense Analysis

Posted: 2016-02-22 11:48:06

Contents

1. Malware overview
2. Module breakdown
3. Communication protocol
4. Trojan removal

 

1. Malware overview

0x1: Supported attack types

1. DNS_Flood
2. SYN_Flood
3. UDP_Flood
4. UDPS_Flood
5. TCP_Flood (floods a specified IP)
6. CC_Flood (floods a specified URL)
7. CC2_Flood
8. CC3_Flood
...

0x2: Supported client architectures

1. EM_386
2. EM_x86_64
3. EM_MIPS
4. EM_ARM
5. PE x86
//Written mostly in C/C++
//Debug info often not stripped

0x3: Persistence

1. Kills competing resource-consuming processes
2. Registers itself as a service / autostart entry
    1) /etc/init.d/: startup scripts copied here
    2) /etc/cron.<S>: <S> from { hourly, daily, weekly, monthly }
    3) A service can be added to /etc/crontab
    4) /etc/rc<N>.d/: symbolic links to startup scripts, <N> is a runlevel indicator (Halt 0; Single-user 1; Multi-user 2-5; Reboot 6)
    5) Alternatively, the path can be added to /etc/rc.local

0x4: Anti-debugging / anti-analysis

1. In plain form or packed with UPX
2. UPX sometimes modified to avoid unpacking by the original UPX tool
    1) Modified magic value
    2) Checksums do not match

0x5: Trojan client distribution

1. Build the ELF malware using a customized builder
    1) C2 (check-in) domain and port are configurable
    2) Communication key is configurable

2. Start an HTTP File Server (HFS), which hosts the previously built malicious binaries
    1) The HFS server is set up to serve the malware for download

Relevant links:

https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/KalnaiHorejsi-VB2015.pdf
http://www.digitaltrends.com/computing/mrblack-malware-botnet/
http://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
https://www.threatcrowd.org/malware.php?md5=08efb1ffc680abc242f40a0ad72906ba
https://www.virustotal.com/en/file/7b5c0ef6d9d38466dedea7ae07b363d5849580f6d0615cf47804f942d1d2034a/analysis/


2. Module breakdown
3. Communication protocol

import socket
import struct

# Twisted protocol callback (Python 2): dispatches on the message the bot
# receives from the C2 server. A 1-byte message is a heartbeat; a message
# longer than 500 bytes starting with 0x06 is a DDoS command whose attack
# type is the byte at offset 0x108. extractIPS and eventReporter are
# helpers not shown on the page.
def dataReceived(self, data):
    print "Server said:", data.encode('hex')
    dataLen = len(data)
    ipList = []
    attackType = None
    if dataLen == 1:                                 # HEART
        print "HEART"
    elif dataLen > 500 and data[0] == '\x06':        # DDOS
        ipList = self.extractIPS(data, data[0x108])
        if data[0x108] == '\x01':
            attackType = 'TCP SYN'
        elif data[0x108] == '\x02':
            attackType = 'UDP'
        elif data[0x108] == '\x03':
            attackType = 'ICMP'
        elif data[0x108] == '\x04':
            attackType = 'DNS'
        elif data[0x108] == '\x05':
            attackType = 'CC'
    # save attack info: one event per (ip, port) target in the command
    for ip in ipList:
        target_ip = socket.inet_ntoa(struct.pack('I', socket.htonl(ip[0]))[::-1])
        target_url = ""
        target_port = str(ip[1])
        target_attack_type = attackType
        print {target_ip, target_url, target_port, target_attack_type}
        eventReporter.saveAttackEvent(server=self.server, cmd='DDOS', cmd_desc=target_attack_type,
                                      victim_ip=target_ip, victim_port=target_port, victim_url=target_url)
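A Python 3 reimplementation of the same command dispatch, added here as an example (not the original post's code), usable by a sinkhole or honeypot operator to turn captured C2 commands into attack-event records for the targeted IPs. The page does not show the layout read by extractIPS, so this example assumes the targets follow the type byte as network-order (IPv4, port) pairs terminated by an all-zero entry, and builds its own constructed sample command.

```python
import socket
import struct

# Offsets and values taken from the page's dataReceived handler.
CMD_DDOS = 0x06                # first byte of a DDoS command
ATTACK_TYPE_OFFSET = 0x108     # position of the attack-type byte
ATTACK_TYPES = {0x01: "TCP SYN", 0x02: "UDP", 0x03: "ICMP", 0x04: "DNS", 0x05: "CC"}
MIN_CMD_LEN = 501              # the handler only treats len > 500 as a command

# ASSUMPTION (the page does not show extractIPS): targets follow the type
# byte as network-order (ipv4, port) pairs, terminated by an all-zero entry.
TARGET_OFFSET = ATTACK_TYPE_OFFSET + 1
TARGET = struct.Struct("!IH")

def extract_targets(data):
    # Return [(dotted_ip, port), ...] under the assumed layout.
    targets = []
    for off in range(TARGET_OFFSET, len(data) - TARGET.size + 1, TARGET.size):
        ip, port = TARGET.unpack_from(data, off)
        if ip == 0:            # zero entry ends the list
            break
        targets.append((socket.inet_ntoa(struct.pack("!I", ip)), port))
    return targets

def parse_c2_message(data):
    # Classify one C2 message: returns (kind, attack_type, targets).
    if len(data) == 1:
        return ("HEART", None, [])
    if len(data) >= MIN_CMD_LEN and data[0] == CMD_DDOS:
        code = data[ATTACK_TYPE_OFFSET]
        attack = ATTACK_TYPES.get(code, "UNKNOWN(0x%02x)" % code)
        return ("DDOS", attack, extract_targets(data))
    return ("UNKNOWN", None, [])

def build_ddos_command(attack_code, targets, size=0x200):
    # Constructed sample command (same assumed layout), used for testing only.
    buf = bytearray(size)
    buf[0] = CMD_DDOS
    buf[ATTACK_TYPE_OFFSET] = attack_code
    for i, (ip, port) in enumerate(targets):
        addr = struct.unpack("!I", socket.inet_aton(ip))[0]
        TARGET.pack_into(buf, TARGET_OFFSET + i * TARGET.size, addr, port)
    return bytes(buf)

if __name__ == "__main__":
    sample = build_ddos_command(0x01, [("192.0.2.10", 80), ("198.51.100.7", 443)])
    kind, attack, targets = parse_c2_message(sample)
    for ip, port in targets:
        print("%s %s -> %s:%d" % (kind, attack, ip, port))
```

An unrecognised type byte is kept as UNKNOWN(0x..) rather than dropped, so a new attack type added by the operator still shows up in the event log.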


4. Trojan removal
Copyright (c) 2016 LittleHann All rights reserved


Original post: http://www.cnblogs.com/LittleHann/p/5205026.html
