{"id":6347,"date":"2018-11-26T03:31:30","date_gmt":"2018-11-26T03:31:30","guid":{"rendered":"http:\/\/blog.nsfocusglobal.com\/?p=1920"},"modified":"2018-11-26T03:31:30","modified_gmt":"2018-11-26T03:31:30","slug":"sample-analysis-report-3","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/sample-analysis-report-3\/","title":{"rendered":"Sample Analysis Report-3"},"content":{"rendered":"

<\/a><\/a>1 Sample Introduction<\/h1>\n

<\/a><\/a>1.1 Sample Type<\/h2>\n

The sample is a Trojan, which belongs to the Tsunami family.<\/p>\n

<\/a>1.2 Background<\/h2>\n

None.<\/p>\n

<\/a><\/a>1.3 Target<\/h2>\n

<\/a>The sample can affect 64-bit Linux platforms (its cross-compiled versions are likely to affect other platforms).<\/p>\n

<\/a><\/a>1.4 Attack Method<\/h2>\n

The sample executes commands issued by the remote control end in real time to launch DDoS attacks by exploiting user hosts for a period of time.<\/p>\n

<\/a><\/a>2 Propagation and Infection<\/h1>\n

<\/a>This sample can spread by exploiting vulnerabilities such the weak passwords in the server.<\/p>\n

Tsunami is a long-standing family and has various spreading methods.<\/p>\n

<\/a><\/a>3 In-depth Analysis<\/h1>\n

<\/a><\/a>3.1 File Format<\/h2>\n

i64 (ida pro 6.8 and later)<\/p>\n

<\/a><\/a>3.2 Major Functions<\/h2>\n

<\/a>[1] Process behavior<\/strong>: The sample enables child processes to receive commands from the remote control end and launch attacks.<\/p>\n

[2] Network behavior<\/strong>: The sample receives IRC commands from the remote control end and launch DDoS attacks.<\/p>\n

<\/a>3.3 Launch Mode<\/h2>\n

The sample can automatically starts up by writing itself into \/etc\/rc.d\/rc.local or \/etc\/rc.conf.<\/p>\n

<\/a>3.4 Anti-analysis techniques<\/h2>\n
    \n
  1. The sample is packed with the UPX technology.<\/li>\n
  2. It calculates the running time of code at certain locations to detect dynamic debugging.<\/li>\n
  3. It uses \/usr\/sbin\/sshd to replace the first parameter in the main function (which is supposed to be the execution path) to spoof the ps command.<\/li>\n<\/ol>\n

    Before replacement:<\/p>\n

    \"\"<\/p>\n

    After replacement:<\/p>\n

    \"\"<\/p>\n

    <\/a><\/a><\/a>3.5 Detailed Analysis<\/h2>\n

    <\/a>3.5.1 Connecting to the C2 Server<\/h3>\n

    The sample randomly generates an IRC nickname which is in the format of <[Tsuyoi]><random string>.<\/p>\n

    According to the current time, current process ID, and parent process, the sample picks random content from the user dictionary usr\/dict\/words. The random string is shorter than 9 bytes.<\/p>\n

    Then the sample uses TCP to connect to 104.248.231.177:6667 and then sends packets. The packet format is as follows:<\/p>\n

    \"\"<\/p>\n

    \"\"<\/p>\n

    \"\"<\/p>\n

    <\/a><\/a>3.5.2 C2 Command<\/h3>\n

    The command in the IRC format is: <prefix><command><parameter1><parameter2>\u2026<\/p>\n

    The format of the prefix is: <colon><#C2 nickname>. Normally, the C2 nickname is saved for the display of errors. If the received command is found not to contain the nickname in the prefix, the nickname will be displayed as an asterisk (*).<\/p>\n

    If the format of the command sent by the remote control end is incorrect, the sample will send the correct command format as a reminder, with the C2 nickname shown in the prefix format.<\/p>\n

    The C2 function is saved as a form in the format of <command category name \u2013 functional function>.<\/p>\n

    \"\"<\/p>\n

    Privmsg falls into four types of subcommands.<\/p>\n

    \"\"<\/p>\n

    \"\"<\/p>\n

    \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The following table lists all commands.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    Command Category<\/td>\nSubcommand<\/td>\nFunction<\/td>\n<\/tr>\n<\/thead>\n
    352<\/td>\nNone<\/td>\nSaves IP information sent by the remote control end.<\/td>\n<\/tr>\n
    376<\/td>\nNone<\/td>\nEchoes Mode<\/strong>, JOIN<\/strong>, and WHO<\/strong> information, indicating which Internet Relay Chat (IRC) channel to join.<\/td>\n<\/tr>\n
    433<\/td>\nNone<\/td>\nChanges the current nickname.<\/td>\n<\/tr>\n
    422<\/td>\nSame as 376<\/td>\n<\/tr>\n
    Privmsg<\/td>\n+std<\/td>\nUDP flood DDOS<\/td>\n<\/tr>\n
    +stop<\/td>\nKills its own child processes.<\/td>\n<\/tr>\n
    +unknown<\/td>\nLaunches a UDP flood DDoS attack against a random port.<\/td>\n<\/tr>\n
    Kkt9x4JApM0RuSqCLA<\/td>\nKills processes in the same group.<\/td>\n<\/tr>\n
    Ping<\/td>\nNone<\/td>\nEchoes PONG for heartbeat.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    <\/a><\/a>3.5.3 352, 376, 433, and 422<\/h3>\n

    The complete format of command 352 is as follows:<\/p>\n

    :#C2 nickname 352 p1 p2 p3 p4_ip p5 p6_nickname<\/p>\n

    <\/a>Currently, we have no knowledge about all parameter meanings. However, there must be six parameters. If the sixth parameter is confirmed to be the nickname of the zombie computer, the fourth parameter will be saved. The fourth parameter is an IPv4 address, which is not handled by the sample. This is possibly because that the sample has not been fully developed yet.<\/p>\n

    Commands 376 and 433 do not have parameters, and parameters 422 and 376 have the same function.<\/p>\n

    <\/a>3.5.4 PRIVMSG<\/h3>\n

    This command is used to launch UDP flood DDoS attacks. Its standard format is as follows:<\/p>\n

    :#C2 nickname PRIVMSG\u00a0 #Tsuyoi :>wildcard string +std parameter 1 parameter 2 \u2026\u2026<\/p>\n

    The wildcard string is used to match against the zombie nickname. Characters B, O, T, b, o, and t indicate that match against one or more characters, which is equivalent to an asterisk (*). The character ? is used to match against one character.<\/p>\n

    The complete formats of subcommands are as follows:<\/p>\n