Contents
1. Malware overview
2. Module breakdown
3. Communication protocol
4. Trojan removal
1. Malware overview
The AES DDoS client malware mainly targets router devices (as distinct from the many DDoS families built for x86 and x64); the AES client is compiled for the ARM architecture.
Relevant Links:
https://otx.alienvault.com/pulse/55b290e5b45ff508d47ccc10/
http://blog.0day.jp/2015/07/linuxaesddosarm.html
https://otx.alienvault.com/pulse/55afa041b45ff56bb994e6ea/
http://blog.malwaremustdie.org/2014/09/reversing-arm-architecture-elf-elknot.html
2. Module breakdown
3. Communication protocol
1. Heartbeat packet
2. Attack command packet
A DDoS command is a 0x1a5-byte packet whose first byte is 0x06; bytes 0x4 to 0x1a4 are AES-encrypted, and once decrypted the attack type sits at offset 0x184 of the task body, with the target IP/port list in front of it. The handler below (Python 2, written as a Twisted protocol method) decodes such a packet and records the victims it names:
```python
import socket
import struct

def dataReceived(self, data):
    # Log the raw command packet as hex before parsing it
    print "Server said:", data.encode('hex')
    dataLen = len(data)
    if data[0] == '\x06' and dataLen == 0x1a5:  # DDOS command
        # AES-decrypt the task body (bytes 0x4..0x1a4)
        taskBody = self.AESEncDec(data[0x4:0x1A4], self.key)
        # Extract the (ip, port) target list from the decrypted body
        ipList = self.extractTasks(taskBody)
        # One byte at offset 0x184 selects the flood type
        attackType = taskBody[0x184]
        if attackType == '\x01':
            attackType = 'SYN'
        elif attackType == '\x02':
            attackType = 'UDP'
        elif attackType == '\x03':
            attackType = 'TCP'
        elif attackType == '\x04':
            attackType = 'DNS'
        elif attackType == '\x08':
            attackType = 'CC'
        elif attackType == '\x0c':
            attackType = 'CC SNAIL'
        else:
            attackType = 'Unknown'
        for ip in ipList:
            # ip[0] is the target address as a 32-bit integer, ip[1] the port
            target_ip = socket.inet_ntoa(struct.pack('I', socket.htonl(ip[0]))[::-1])
            target_url = ""
            target_port = str(ip[1])
            target_attack_type = attackType
            # Save the attack event (who is being targeted, with which flood type)
            eventReporter.saveAttackEvent(server=self.server, cmd='DDOS',
                                          cmd_desc=target_attack_type,
                                          victim_ip=target_ip, victim_port=target_port,
                                          victim_url=target_url)
```
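The following stand-alone Python 3 decoder is an added example, not code from the original post: it takes the framing facts the handler above relies on (command byte 0x06, total length 0x1a5, encrypted span 0x4..0x1a4, attack-type byte at 0x184 of the decrypted body, the six type codes) and turns them into a reusable parser a defender could run over captured C2 traffic. Because the post does not disclose the AES key or mode, decryption is passed in as a callable and the sample packet carries a plaintext body; the 6-byte "4-byte IP + 2-byte port, zero-terminated" task layout is a hypothetical stand-in for the malware's own extractTasks(), and the target addresses are constructed.

```python
import socket
import struct
from typing import Callable, Dict, List, Tuple

# Framing taken from the page's handler
CMD_DDOS = 0x06
PACKET_LEN = 0x1A5
ENC_START, ENC_END = 0x4, 0x1A4      # AES-encrypted span (0x1A0 bytes, a multiple of 16)
ATTACK_TYPE_OFF = 0x184              # flood-type byte inside the decrypted body

ATTACK_TYPES: Dict[int, str] = {
    0x01: "SYN", 0x02: "UDP", 0x03: "TCP", 0x04: "DNS", 0x08: "CC", 0x0C: "CC SNAIL",
}

# ASSUMPTION (hypothetical layout): tasks are packed as 4-byte IP + 2-byte port,
# big-endian, and an all-zero IP ends the list. The real extractTasks() is not on the page.
TASK_SIZE = 6
MAX_TASKS = ATTACK_TYPE_OFF // TASK_SIZE   # 64 entries fit before the type byte


def ip_to_dotted(ip_int: int) -> str:
    """Render a host-order 32-bit address as dotted quad.
    Equivalent on little-endian hosts to the page's pack('I', htonl(x))[::-1] dance."""
    return socket.inet_ntoa(struct.pack("!I", ip_int))


def extract_tasks(body: bytes) -> List[Tuple[int, int]]:
    """Walk the assumed task table until a zero IP or the table end."""
    tasks = []
    for i in range(MAX_TASKS):
        ip, port = struct.unpack_from("!IH", body, i * TASK_SIZE)
        if ip == 0:
            break
        tasks.append((ip, port))
    return tasks


def decode_ddos_command(packet: bytes, decrypt: Callable[[bytes], bytes]) -> dict:
    """Validate framing, decrypt the body with the supplied routine, and
    return the flood type plus the (ip, port) victims the command names."""
    if len(packet) != PACKET_LEN or packet[0] != CMD_DDOS:
        raise ValueError("not a DDoS command packet")
    body = decrypt(packet[ENC_START:ENC_END])
    if len(body) < ATTACK_TYPE_OFF + 1:
        raise ValueError("decrypted body too short")
    attack_type = ATTACK_TYPES.get(body[ATTACK_TYPE_OFF], "Unknown")
    targets = [(ip_to_dotted(ip), port) for ip, port in extract_tasks(body)]
    return {"attack_type": attack_type, "targets": targets}


def build_sample_packet() -> bytes:
    """Constructed sample packet with a plaintext body standing in for the AES span."""
    body = bytearray(ENC_END - ENC_START)                 # 0x1A0 zero bytes
    struct.pack_into("!IH", body, 0, 0xC0A80001, 80)      # 192.168.0.1:80 (constructed)
    struct.pack_into("!IH", body, 6, 0x0A000005, 53)      # 10.0.0.5:53 (constructed)
    body[ATTACK_TYPE_OFF] = 0x01                          # SYN flood
    packet = bytes([CMD_DDOS]) + b"\x00\x00\x00" + bytes(body) + b"\x00"
    assert len(packet) == PACKET_LEN
    return packet


if __name__ == "__main__":
    # Identity "decrypt" because the sample body is already plaintext
    print(decode_ddos_command(build_sample_packet(), lambda b: b))
```

In a sinkhole, `decrypt` would be the AES routine recovered from the sample (the page's `AESEncDec`) bound to the extracted key; keeping it pluggable lets the framing and target parsing be tested independently of the cipher.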
4. Trojan removal
Copyright (c) 2016 LittleHann All rights reserved
Linux.BackDoor.AES.DDoS Attack And Defense Analysis
Original: http://www.cnblogs.com/LittleHann/p/5207601.html