Overview
On August 2, 2017, ANTIY discovered a new DDoS trojan and dubbed it Moyou. After obtaining the related sample, NSFOCUS conducted a detailed analysis of the trojan.
Sample Analysis
The following figure shows the detection result of NSFOCUS Threat Analysis Center (TAC).
The sample obtains the C&C server address (www.linux288.com) by reading data from the resource section.
The sample collects host information (CPU, memory, host name, and operating system) and sends it to the C&C server as a registration package to check in. Once registered, the trojan waits for attack instructions from the C&C server. By the time this analysis was performed, the C&C server address above was no longer valid and could not be reached.
According to ANTIY's report, a packet captured while the server was still active shows that instructions are sent in plaintext in a fixed format, as shown in the following figure.
After receiving the instruction list, the sample parses each instruction according to that format.
Preliminary analysis shows that the first five bytes of each packet the client sends to the C&C server indicate the client's own status. When the server finds that the data it received is malformed, it responds with the five bytes 04 00 00 00 00.
Detection Method
Local and Network Detection
- Check suspicious startup items.
- Check for DNS lookups of, or connection attempts to, the C&C server (www.linux288.com).
Network device filtering rule (usable against the registration package only while the C&C server is active):
- At offset 0, the payload begins with the five bytes 02 be 00 00 00.
- The payload contains the string linux2883:veri20170630ee.
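The following detector turns the two registration-package indicators above, plus the server's 04 00 00 00 00 format-error reply described in the sample analysis, into code that can be run over captured TCP payloads. It is an added example, not NSFOCUS's or ANTIY's code. The only facts it takes from this write-up are the five-byte prefix, the marker string, the error reply, and the C&C hostname; the page does not document how the host-information fields are laid out inside the registration package, so the sample flow embedded below is constructed and the field separators in it are an assumption.

```python
"""Network detection for the Moyou registration package and C&C reply.

Added example. Facts from the write-up: the client registration payload starts
with 02 be 00 00 00 at offset 0 and contains linux2883:veri20170630ee; the
server answers malformed data with 04 00 00 00 00. Everything else about the
packet layout (the host-info fields and separators in SAMPLE_FLOW) is an
assumption made so the example can run offline.
"""

REG_PREFIX = bytes.fromhex("02be000000")          # client registration, offset 0
MARKER = b"linux2883:veri20170630ee"              # string carried in the registration
FORMAT_ERROR_REPLY = bytes.fromhex("0400000000")  # server reply to malformed data
C2_HOST = b"www.linux288.com"                     # C&C hostname read from the resource section


def inspect_client_packet(payload: bytes) -> dict:
    """Score one client->server TCP payload against the two published indicators.

    'verdict' is True only when both the prefix and the marker match, which is
    the precise rule. 'prefix_only' flags a weaker hit worth triaging, since a
    five-byte prefix on its own will also match unrelated traffic.
    """
    prefix_hit = payload[:5] == REG_PREFIX
    marker_hit = MARKER in payload
    return {
        "prefix": prefix_hit,
        "marker": marker_hit,
        "verdict": prefix_hit and marker_hit,
        "prefix_only": prefix_hit and not marker_hit,
    }


def is_format_error_reply(payload: bytes) -> bool:
    """True when a server->client payload is exactly the 04 00 00 00 00 reply."""
    return payload == FORMAT_ERROR_REPLY


def scan_flow(packets) -> list:
    """Walk an ordered list of (direction, payload) tuples for one TCP flow.

    direction is 'c2s' (client to server) or 's2c' (server to client).
    Returns (packet_index, label) findings in capture order.
    """
    findings = []
    for i, (direction, payload) in enumerate(packets):
        if direction == "c2s":
            r = inspect_client_packet(payload)
            if r["verdict"]:
                findings.append((i, "moyou_registration"))
            elif r["prefix_only"]:
                findings.append((i, "moyou_prefix_only"))
        elif direction == "s2c" and is_format_error_reply(payload):
            findings.append((i, "moyou_format_error_reply"))
    return findings


# Constructed sample flow. The '|' separators and host-info field names are an
# assumption; only the prefix, marker and error reply come from the write-up.
SAMPLE_FLOW = [
    ("c2s", REG_PREFIX + b"|" + MARKER
            + b"|host=web01|cpu=Intel(R) Xeon|mem=4096MB|os=Linux 3.10"),
    ("s2c", FORMAT_ERROR_REPLY),
    # An ordinary HTTP request to the same host: neither indicator matches.
    ("c2s", b"GET / HTTP/1.1\r\nHost: " + C2_HOST + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, label in scan_flow(SAMPLE_FLOW):
        print(f"packet {idx}: {label}")
```

To use it on real traffic, feed `scan_flow` the reassembled payloads of each TCP session toward www.linux288.com (for example, exported from a capture tool) rather than individual segments, so that a registration package split across segments is still matched. Treat `moyou_prefix_only` as a lead to inspect, not a confirmed infection.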
NSFOCUS Detection Services
- NSFOCUS engineers provide onsite detection services.
- NSFOCUS online cloud detection: You can log in to NSFOCUS Cloud to apply for a trial use of the scanning service.
NSFOCUS Solutions for Removing Trojans
- Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated from the network and the impact of the event is minimized. After the handling, an event analysis report is provided.
- Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.
- Long-term service: NSFOCUS provides risk solutions for the fund industry (threat intelligence, attack source traceback, and professional security services).