Sample Analysis Report-3

Sample Analysis Report-3

November 26, 2018 | Adeline Zhang

1 Sample Introduction

1.1 Sample Type

The sample is a Trojan, which belongs to the Tsunami family.

1.2 Background

None.

1.3 Target

The sample can affect 64-bit Linux platforms (its cross-compiled versions are likely to affect other platforms).

1.4 Attack Method

The sample executes commands issued by the remote control end in real time to launch DDoS attacks by exploiting user hosts for a period of time.

2 Propagation and Infection

This sample can spread by exploiting vulnerabilities such the weak passwords in the server.

Tsunami is a long-standing family and has various spreading methods.

3 In-depth Analysis

3.1 File Format

i64 (ida pro 6.8 and later)

3.2 Major Functions

[1] Process behavior: The sample enables child processes to receive commands from the remote control end and launch attacks.

[2] Network behavior: The sample receives IRC commands from the remote control end and launch DDoS attacks.

3.3 Launch Mode

The sample can automatically starts up by writing itself into /etc/rc.d/rc.local or /etc/rc.conf.

3.4 Anti-analysis techniques

  1. The sample is packed with the UPX technology.
  2. It calculates the running time of code at certain locations to detect dynamic debugging.
  3. It uses /usr/sbin/sshd to replace the first parameter in the main function (which is supposed to be the execution path) to spoof the ps command.

Before replacement:

After replacement:

3.5 Detailed Analysis

3.5.1 Connecting to the C2 Server

The sample randomly generates an IRC nickname which is in the format of <[Tsuyoi]><random string>.

According to the current time, current process ID, and parent process, the sample picks random content from the user dictionary usr/dict/words. The random string is shorter than 9 bytes.

Then the sample uses TCP to connect to 104.248.231.177:6667 and then sends packets. The packet format is as follows:

3.5.2 C2 Command

The command in the IRC format is: <prefix><command><parameter1><parameter2>…

The format of the prefix is: <colon><#C2 nickname>. Normally, the C2 nickname is saved for the display of errors. If the received command is found not to contain the nickname in the prefix, the nickname will be displayed as an asterisk (*).

If the format of the command sent by the remote control end is incorrect, the sample will send the correct command format as a reminder, with the C2 nickname shown in the prefix format.

The C2 function is saved as a form in the format of <command category name – functional function>.

Privmsg falls into four types of subcommands.

       The following table lists all commands.

Command Category Subcommand Function
352 None Saves IP information sent by the remote control end.
376 None Echoes Mode, JOIN, and WHO information, indicating which Internet Relay Chat (IRC) channel to join.
433 None Changes the current nickname.
422 Same as 376
Privmsg +std UDP flood DDOS
+stop Kills its own child processes.
+unknown Launches a UDP flood DDoS attack against a random port.
Kkt9x4JApM0RuSqCLA Kills processes in the same group.
Ping None Echoes PONG for heartbeat.

3.5.3 352, 376, 433, and 422

The complete format of command 352 is as follows:

:#C2 nickname 352 p1 p2 p3 p4_ip p5 p6_nickname

Currently, we have no knowledge about all parameter meanings. However, there must be six parameters. If the sixth parameter is confirmed to be the nickname of the zombie computer, the fourth parameter will be saved. The fourth parameter is an IPv4 address, which is not handled by the sample. This is possibly because that the sample has not been fully developed yet.

Commands 376 and 433 do not have parameters, and parameters 422 and 376 have the same function.

3.5.4 PRIVMSG

This command is used to launch UDP flood DDoS attacks. Its standard format is as follows:

:#C2 nickname PRIVMSG  #Tsuyoi :>wildcard string +std parameter 1 parameter 2 ……

The wildcard string is used to match against the zombie nickname. Characters B, O, T, b, o, and t indicate that match against one or more characters, which is equivalent to an asterisk (*). The character ? is used to match against one character.

The complete formats of subcommands are as follows:

  • +std

:#C2 nickname PRIVMSG #Tsuyoi :> wildcard string +std <target IP> <port> <attack duration (in seconds)>

This command launches a UDP flood DDoS attack against the target and shows the start information before the attack and completion information after the attack.

  • +stop

:#C2 nickname PRIVMSG #Tsuyoi :> wildcard string + stop

This command kills ongoing child processes. These child processes are those enabled by commands +std and +unknown for launching DDoS attacks.

  • +unknown

<:#C2 nickname PRIVMSG #Tsuyoi :> wildcard string +unknown <target IP> <attack duration>

This command launches a UDP flood DDoS attack against a random port of the target and echoes the start information before the attack and complete information after the attack.

  • Kkt9x4JApM0RuSqCLA

:#C2 nickname PRIVMSG #Tsuyoi :>wildcard string Kkt9x4JApM0RuSqCLA

If <#C2 nickname> is displayed as “Fine”, the sample kills all processes in its group. Otherwise, it returns related information to the remote control end.

3.5.5 Ping

The format of the command is: <:C2 nickname> Ping.

This command directs the zombie to return “PONG Ping” to the remote control end as a response to the ping command.

4 Attack Location

The sever used by the sample to obtain the C2 address is 104.248.231.177, located in the USA.

5 IoC Output

6 Hardcoded IP and Domain Name

104.248.231.177

7 Signature for Detection/Detection Script (Optional)

8 References

  • hxxps://www.alien.net.au/irc/irc2numerics.html
  • hxxps://tools.ietf.org/html/rfc1459#page-37