1 Sample Introduction
1.1 Sample Type
The sample is a Trojan, which belongs to the Tsunami family.
1.2 Background
None.
1.3 Target
The sample can affect 64-bit Linux platforms (its cross-compiled versions are likely to affect other platforms).
1.4 Attack Method
The sample executes commands issued by the remote control end in real time, using the infected host to launch DDoS attacks for a specified period of time.
2 Propagation and Infection
This sample can spread by exploiting weaknesses such as weak passwords on the server.
Tsunami is a long-standing family and has various spreading methods.
3 In-depth Analysis
3.1 File Format
i64 (IDA Pro 6.8 and later)
3.2 Major Functions
[1] Process behavior: The sample starts child processes that receive commands from the remote control end and launch attacks.
[2] Network behavior: The sample receives IRC commands from the remote control end and launches DDoS attacks.
3.3 Launch Mode
The sample starts automatically at boot by writing itself into /etc/rc.d/rc.local or /etc/rc.conf.
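The persistence files named above are small shell-style scripts, so a host-side triage check can simply list every non-comment command in them and flag launches from locations a legitimately installed service would not normally use. The following Python script is an added example for this report, not part of the sample or of the original analysis; the directory list and the "hidden path component" heuristic are assumptions of the example, and the rc.local content it scans is constructed.

```python
import os
import re
from typing import List

# Directories from which a boot-time service should not normally be launched
# (heuristic list, an assumption of this example).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Absolute path tokens on a line (a '/' not glued to a preceding word character).
ABS_PATH = re.compile(r"(?<![\w.-])(/[\w./-]+)")

# Files the report names as persistence locations for this family.
PERSISTENCE_FILES = ("/etc/rc.d/rc.local", "/etc/rc.conf")

def suspicious_startup_entries(text: str) -> List[str]:
    """Return the lines of an rc.local / rc.conf style file that launch something
    from an untrusted directory or through a hidden ('.'-prefixed) path component."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and the shebang line
        if not line or line == "exit 0":
            continue
        for path in ABS_PATH.findall(line):
            hidden = any(part.startswith(".") for part in path.split("/") if part)
            if path.startswith(UNTRUSTED_DIRS) or hidden:
                hits.append(raw.strip())
                break                            # one report per line is enough
    return hits

# Constructed rc.local content for the demonstration (not taken from the sample).
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local
/usr/sbin/ntpd -g
/tmp/.x/tsunami &
/dev/shm/.s/bot >/dev/null 2>&1 &
exit 0
"""

if __name__ == "__main__":
    for entry in suspicious_startup_entries(SAMPLE_RC_LOCAL):
        print("sample:", entry)
    # Live check of the persistence files the report names, where present.
    for path in PERSISTENCE_FILES:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                for entry in suspicious_startup_entries(f.read()):
                    print(f"{path}: {entry}")
```

A hit here is a lead for an analyst, not a verdict: compare the flagged entry against the package manager's record of the file and against the binary it points to before acting on it.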
3.4 Anti-analysis techniques
- The sample is packed with UPX.
- It measures the execution time of code at certain locations to detect dynamic debugging.
- It overwrites the first argument of the main function (argv[0], which is supposed to be the execution path) with /usr/sbin/sshd, so that the process appears as sshd in the output of the ps command.
[Figure: process listing before and after the replacement; screenshots not included on this page]
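Because the argv[0] trick only changes what ps prints, it does not change the executable the kernel actually mapped for the process, and /proc/<pid>/exe still points at the real file. The check below is an added example written for this report (not the sample's code and not part of the original analysis): it compares the argv[0] from /proc/<pid>/cmdline with /proc/<pid>/exe, and also looks for the UPX! marker that UPX leaves in packed files unless it was deliberately stripped. The sample paths used in the usage block are constructed.

```python
import os
from typing import List, Tuple

# Marker written into UPX-packed files (ELF included); absent if the packer
# header was stripped, so its absence proves nothing.
UPX_MAGIC = b"UPX!"

def argv0_mismatch(argv0: str, exe_path: str) -> bool:
    """True when the name a process shows to ps (argv[0]) disagrees with the
    executable mapped for it (/proc/<pid>/exe)."""
    name = argv0.lstrip("-")                          # login shells prefix argv[0] with '-'
    exe = os.path.realpath(exe_path.replace(" (deleted)", ""))   # unlinked after start
    if name.startswith("/"):
        return os.path.realpath(name) != exe          # full path given: compare resolved paths
    return os.path.basename(exe) != name              # bare name given: compare basenames only

def looks_upx_packed(data: bytes) -> bool:
    """Cheap static check for the UPX marker in a file image."""
    return UPX_MAGIC in data

def scan_proc() -> List[Tuple[int, str, str]]:
    """Walk /proc (Linux only) and return (pid, argv0, exe) for every mismatch."""
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0].decode(errors="replace")
        except OSError:
            continue                                  # kernel threads, exited or inaccessible
        if argv0 and argv0_mismatch(argv0, exe):
            findings.append((int(pid), argv0, exe))
    return findings

if __name__ == "__main__":
    # Constructed values in the shape the report describes: ps shows sshd,
    # the kernel shows a binary in /tmp.
    print(argv0_mismatch("/usr/sbin/sshd", "/tmp/.x/tsunami"))   # True
    for pid, argv0, exe in scan_proc():
        print(f"pid {pid}: argv[0]={argv0!r} exe={exe}")
```

Expect some benign mismatches from scan_proc() on a real host, for example interpreters started through a symlink or argv[0] set by a supervisor; the finding worth chasing is a well-known service name backed by a binary in a temporary or hidden directory.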
3.5 Detailed Analysis
3.5.1 Connecting to the C2 Server
The sample randomly generates an IRC nickname in the format <[Tsuyoi]><random string>.
Seeded with the current time, the current process ID, and the parent process ID, the sample picks a random word from the user dictionary usr/dict/words. The random string is shorter than 9 bytes.
Then the sample uses TCP to connect to 104.248.231.177:6667 and then sends packets. The packet format is as follows:
3.5.2 C2 Command
The command in the IRC format is: <prefix><command><parameter1><parameter2>…
The format of the prefix is: <colon><#C2 nickname>. Normally, the C2 nickname is saved for use in error messages. If the received command carries no nickname in its prefix, the nickname is displayed as an asterisk (*).
If the format of a command sent by the remote control end is incorrect, the sample replies with the correct command format as a reminder, with the C2 nickname shown in the prefix.
The C2 handlers are stored as a table of <command category name, handler function> pairs.
PRIVMSG has four subcommands.
The following table lists all commands.
Command Category | Subcommand | Function |
352 | None | Saves IP information sent by the remote control end. |
376 | None | Echoes MODE, JOIN, and WHO information, indicating which Internet Relay Chat (IRC) channel to join. |
433 | None | Changes the current nickname. |
422 | None | Same as 376. |
PRIVMSG | +std | Launches a UDP flood DDoS attack. |
PRIVMSG | +stop | Kills its own child processes. |
PRIVMSG | +unknown | Launches a UDP flood DDoS attack against a random port. |
PRIVMSG | Kkt9x4JApM0RuSqCLA | Kills processes in the same group. |
PING | None | Echoes PONG for heartbeat. |
3.5.3 352, 376, 433, and 422
The complete format of command 352 is as follows:
:#C2 nickname 352 p1 p2 p3 p4_ip p5 p6_nickname
Currently, we do not know the meaning of every parameter. However, there must be exactly six parameters. If the sixth parameter is confirmed to be the nickname of the zombie computer, the fourth parameter is saved. The fourth parameter is an IPv4 address, which the sample does not use further, possibly because the sample has not been fully developed yet.
Commands 376 and 433 take no parameters, and commands 422 and 376 have the same function.
3.5.4 PRIVMSG
This command is used to launch UDP flood DDoS attacks. Its standard format is as follows:
:#C2 nickname PRIVMSG #Tsuyoi :>wildcard string +std parameter 1 parameter 2 ……
The wildcard string is matched against the zombie nickname. The characters B, O, T, b, o, and t each match one or more characters (equivalent to an asterisk, *), and the character ? matches exactly one character.
The complete formats of subcommands are as follows:
- +std
:#C2 nickname PRIVMSG #Tsuyoi :>wildcard string +std <target IP> <port> <attack duration (in seconds)>
This command launches a UDP flood DDoS attack against the target and reports start information before the attack and completion information after the attack.
- +stop
:#C2 nickname PRIVMSG #Tsuyoi :>wildcard string +stop
This command kills ongoing child processes, that is, the child processes started by the +std and +unknown commands to launch DDoS attacks.
- +unknown
:#C2 nickname PRIVMSG #Tsuyoi :>wildcard string +unknown <target IP> <attack duration>
This command launches a UDP flood DDoS attack against a random port of the target and reports start information before the attack and completion information after the attack.
- Kkt9x4JApM0RuSqCLA
:#C2 nickname PRIVMSG #Tsuyoi :>wildcard string Kkt9x4JApM0RuSqCLA
If <#C2 nickname> is “Fine”, the sample kills all processes in its group. Otherwise, it returns related information to the remote control end.
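The command grammar in sections 3.5.2 to 3.5.4 (prefix, command, parameters, the ">wildcard subcommand args" payload of PRIVMSG, and the bot's private wildcard alphabet) is regular enough to be parsed for detection over IRC traffic on port 6667 or over proxy logs. The script below is an added example written for this report, not the sample's code and not part of the original analysis. The IRC lines it scans, the C2 nickname "ctrl" and the zombie nickname "[Tsuyoi]apple" are constructed; the assumption that dictionary words are purely alphabetic is the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed IRC traffic in the shapes the report describes (not a real capture).
BOT_NICK = "[Tsuyoi]apple"
SAMPLE_LINES = [
    ":ctrl PRIVMSG #Tsuyoi :>[Tsuyoi]b +std 192.0.2.10 80 60",
    ":ctrl PRIVMSG #Tsuyoi :>[Tsuyoi]????? +stop",
    ":ctrl PRIVMSG #Tsuyoi :>T +unknown 192.0.2.10 30",
    ":Fine PRIVMSG #Tsuyoi :>o Kkt9x4JApM0RuSqCLA",
    ":ctrl 352 p1 p2 p3 198.51.100.5 p5 [Tsuyoi]apple",
    "PING :irc.example.net",
    ":ctrl PRIVMSG #Tsuyoi :hello everyone",        # ordinary chat, not a bot command
]

# PRIVMSG subcommands and plain commands from the table in section 3.5.2.
SUBCOMMANDS = {
    "+std": "UDP flood against <target IP> <port> for <duration>",
    "+stop": "kill attack child processes",
    "+unknown": "UDP flood against a random port of <target IP> for <duration>",
    "Kkt9x4JApM0RuSqCLA": "kill own process group when the C2 nick is 'Fine'",
}
PLAIN_COMMANDS = {
    "352": "save IPv4 from the 4th parameter when the 6th is the zombie nick",
    "376": "MODE/JOIN/WHO, tells the bot which channel to join",
    "422": "same as 376",
    "433": "change nickname",
    "PING": "heartbeat, bot answers PONG",
}
# "[Tsuyoi]" plus a dictionary word shorter than 9 bytes (letters only: assumption).
TSUYOI_NICK = re.compile(r"^\[Tsuyoi\][A-Za-z]{1,8}$")

@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]

@dataclass
class Detection:
    command: str
    subcommand: Optional[str]
    args: List[str]
    addressed_to_us: bool      # does the wildcard / 6th parameter select this zombie?
    note: str

def parse_irc(line: str) -> IrcMessage:
    """Split one line into <prefix> <command> <params...>, RFC 1459 style."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                                   # trailing parameter may contain spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    params = parts[1:] + ([trailing] if trailing is not None else [])
    return IrcMessage(prefix, parts[0].upper(), params)

def wildcard_to_regex(pattern: str):
    """The bot's own wildcard syntax: B O T b o t match one or more characters
    (the report equates them with '*'), ? matches one character, rest is literal.
    The letters T and o inside a literal '[Tsuyoi]' are therefore wildcards too."""
    parts = [".+" if ch in "BOTbot" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))

def nick_matches(pattern: str, nick: str) -> bool:
    return wildcard_to_regex(pattern).fullmatch(nick) is not None

def is_tsuyoi_nick(nick: str) -> bool:
    return TSUYOI_NICK.match(nick) is not None

def classify(line: str, bot_nick: str = BOT_NICK) -> Optional[Detection]:
    """Return a Detection when the line is one of the bot's C2 commands, else None."""
    msg = parse_irc(line)
    if msg.command == "PRIVMSG" and len(msg.params) == 2 and msg.params[1].startswith(">"):
        fields = msg.params[1][1:].split()             # wildcard, subcommand, args...
        if len(fields) >= 2 and fields[1] in SUBCOMMANDS:
            note = SUBCOMMANDS[fields[1]]
            if fields[1] == "Kkt9x4JApM0RuSqCLA" and msg.prefix == "Fine":
                note += " (C2 nick is 'Fine': the bot would kill its process group)"
            return Detection("PRIVMSG", fields[1], fields[2:], nick_matches(fields[0], bot_nick), note)
        return None
    if msg.command == "352":
        if len(msg.params) != 6:                        # the bot requires exactly six parameters
            return None
        return Detection("352", None, msg.params, msg.params[5] == bot_nick,
                         PLAIN_COMMANDS["352"] + ": " + msg.params[3])
    if msg.command in PLAIN_COMMANDS:
        return Detection(msg.command, None, msg.params, True, PLAIN_COMMANDS[msg.command])
    return None

def scan(lines) -> List[Detection]:
    return [d for d in map(classify, lines) if d is not None]

if __name__ == "__main__":
    for d in scan(SAMPLE_LINES):
        print(d)
```

For network detection the most specific fields are the ">" payload of PRIVMSG followed by one of the four subcommand tokens on channel #Tsuyoi, and NICK or 352 traffic carrying a "[Tsuyoi]" nickname; the generic numerics (376, 422, 433, PING) appear in any IRC session and only add context.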
3.5.5 Ping
The format of the command is: <:C2 nickname> Ping.
This command directs the zombie to return “PONG Ping” to the remote control end as a response to the ping command.
4 Attack Location
The C2 server used by the sample is 104.248.231.177, located in the USA.
5 IoC Output
6 Hardcoded IP and Domain Name
104.248.231.177
7 Signature for Detection/Detection Script (Optional)
8 References
- hxxps://www.alien.net.au/irc/irc2numerics.html
- hxxps://tools.ietf.org/html/rfc1459#page-37