Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

unixfreaxjp

Re: Linux/Elknot (DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Sat Sep 13, 2014 2:22 pm

I shared 4 samples I spotted circulating in the past 5 days, all with a beautiful detection ratio (read: low, like 1 or 2):
https://www.virustotal.com/en/file/afec ... 410525547/
https://www.virustotal.com/en/file/bfda ... 410612241/
https://www.virustotal.com/en/file/586c ... 410247586/
https://www.virustotal.com/en/file/cb4a ... 410613011/

Size:  Name:    Arc    Packer Released DL*) CNC
-------------------------------------------------------
411824 dows2.4* ELFx32 packed Sept 01  779  120.210.204.102
416604 szusk*   ELFx32 packed Sept 01  74   120.210.204.102
416580 shyen*   ELFx32 packed Sept 12  54   222.186.30.239
411936 uhdyp*   ELFx32 packed Sept 12  82   222.186.30.239 
*) DL=download times could be by infection, researchers, or crooks themselves

Downloads config:

00000000  4b 01 00 00 3d 1f 01 01  a8 5f 01 01 d3 62 04 01  |K...=...._...b..|
00000010  3d b1 07 01 3d 93 25 01  d3 a2 3e 01 ca 26 40 01  |=...=.%...>..&@.|
00000020  ca c4 40 01 d3 5f 48 01  d3 8a 5b 01 db eb 7f 01  |..@.._H...[.....|
00000030  d3 4e 82 01 da 02 87 01  a8 5f c0 01 3d 1f e9 01  |.N......._..=...|
00000040  d2 2a f1 01 dd e4 ff 01  3a f2 02 02 ca 65 06 02  |.*......:....e..|
00000050  da c9 11 02 da 68 4e 02  dd 0b 84 02 d3 8a b4 02  |.....hN.........|
00000060  d3 8b 01 03 ca af 03 03  d3 93 06 03 3d bb 62 03  |............=.b.|
00000070  da cb 65 03 ca 66 98 03  ca 66 9a 03 d3 a1 9f 03  |..e..f...f......|
00000080  dc a8 d0 03 3d 3c e0 03  3d 86 01 04 d3 62 02 04  |....=<..=....b..|
00000090  ca 0e 43 04 ca 63 a6 04  ca 75 60 05 de 2e 78 05  |..C..c...u`...x.|
000000a0  d3 89 a0 05 ca 60 d1 05  3d 3c e0 05 3c bf f4 05  |.....`..=<..<...|
000000b0  3d ea fe 05 dd b0 04 06  77 06 06 06 ca 61 07 06  |=.......w....a..|
000000c0  3d bb 62 06 d3 8a a4 06  d2 15 c4 06 dc a8 d0 06  |=.b.............|
000000d0  ca 72 f0 06 d3 62 48 07  ca af 03 08 ca 63 a8 08  |.r...bH......c..|
000000e0  ca 64 c7 08 ca 63 e0 08  ca 3c fc 08 dd b0 04 09  |.d...c...<......|
000000f0  3d e9 09 09 cb 50 60 09  ca 71 10 0a dd 07 22 0a  |=....P`..q....".|
00000100  ca 75 60 0a ca 70 70 0a  db 8d 88 0a db 8d 8c 0a  |.u`..pp.........|
00000110  65 2f bd 0a ca 71 10 0b  dd 03 83 0b d3 a1 9e 0b  |e/...q..........|
00000120  dd b0 04 0c 3d eb a4 0d  ca 0e 43 0e dd b0 04 0f  |....=.....C.....|
00000130  ca 60 68 0f ca 60 9a 0f  8b af fc 10 ca 61 07 11  |.`h..`.......a..|
00000140  d3 8b 02 12 dd b0 04 12  ca 60 56 12 cb 8e 64 12  |.........`V...d.|
00000150  3d eb a4 12 65 2f bd 12  d3 8a f2 12 b4 a8 ff 12  |=...e/..........|
00000160  d3 8a 6a 13 ca 6a 00 14  dd 07 01 14 8b af 0a 14  |..j..j..........|
00000170  cb ba 5e 14 8b af 96 14  dd b0 04 15 cb 8e 64 15  |..^...........d.|
00000180  ca 67 b0 16 71 6f d3 16  ca 60 68 1a ca 60 6b 1b  |.g..qo...`h..`k.|
00000190  d3 62 79 1b ca 76 01 1d  dd e8 81 1e ca 70 90 1e  |.by..v.......p..|
000001a0  ca 55 80 20 3a f0 39 21  ca c1 40 21 3d ec 5d 21  |.U. :.9!..@!=.]!|
000001b0  ca cb 80 21 ca 60 86 21  ca cb 90 21 ca cb a0 21  |...!.`.!...!...!|
000001c0  d2 26 c0 21 ca cb c0 21  ca cb d0 21 ca cb e0 21  |.&.!...!...!...!|
000001d0  ca 66 18 22 d3 8b 49 22  d3 89 f1 22 3d 82 fe 22  |.f."..I"..."=.."|
000001e0  ca 73 20 24 ca 60 67 24  db 8d 94 25 ca 60 45 26  |.s $.`g$...%.`E&|
000001f0  ca 73 20 27 db 8d 94 27  de 2d 01 28 da 1e 13 28  |.s '...'.-.(...(|
00000200  db ef 1a 2a 3a f1 d0 2e  ca 60 90 2f da 1e 13 32  |...*:....`./...2|
00000210  d3 88 70 32 76 1d f9 32  dd 82 21 34 ca 76 01 35  |..p2v..2..!4.v.5|
00000220  76 1d f9 36 70 04 00 37  ca 65 62 37 db 95 c2 37  |v..6p..7.eb7...7|
00000230  ca 2d 54 3a d3 8c c5 3a  dd 82 21 3c d3 a2 3e 3c  |.-T:...:..!<..><|
00000240  3d e9 09 3d d3 5a 48 41  d3 5a 50 41 d3 61 60 41  |=..=.ZHA.ZPA.a`A|
00000250  db 92 01 42 db 93 01 42  dd 06 04 42 3d 8b 36 42  |...B...B...B=.6B|
00000260  dd 04 42 42 3a 16 60 42  d3 88 96 42 d3 8a 9c 42  |..BB:.`B...B...B|
00000270  ca 63 c0 42 db 94 cc 42  ca 2d 54 43 ca 62 c0 43  |.c.B...B.-TC.b.C|
00000280  ca 63 e0 43 ca 62 00 44  ca 67 00 44 ca 62 05 44  |.c.C.b.D.g.D.b.D|
00000290  ca 67 18 44 d3 8b 1d 44  ca 60 40 44 dc aa 40 44  |.g.D...D.`@D..@D|
000002a0  ca 60 4b 44 d3 8d 5a 44  ca 60 60 44 ca 62 60 44  |.`KD..ZD.``D.b`D|
000002b0  ca 63 60 44 ca 64 60 44  ca 63 68 44 dd 07 80 44  |.c`D.d`D.chD...D|
000002c0  ca 60 80 44 ca 66 80 44  3d 80 80 44 ca 66 86 44  |.`.D.f.D=..D.f.D|
000002d0  dd 07 88 44 ca 63 a0 44  3d 84 a3 44 ca 63 c0 44  |...D.c.D=..D.c.D|
000002e0  ca 64 c0 44 ca 66 c0 44  3d 80 c0 44 ca 6a c3 44  |.d.D.f.D=..D.j.D|
000002f0  ca 66 c7 44 de ac c8 44  ca 66 d5 44 ca 61 e0 44  |.f.D...D.f.D.a.D|
00000300  ca 62 e0 44 ca 65 e0 44  ca 66 e0 44 ca 67 e0 44  |.b.D.e.D.f.D.g.D|
00000310  ca 67 e1 44 ca 65 e2 44  ca 66 e3 44 3d 8b 02 45  |.g.D.e.D.f.D=..E|
00000320  dd 83 8f 45 d3 8a c8 45  dd b0 03 46 dd b0 03 49  |...E...E...F...I|
00000330  3d 8b 27 49 dd b0 03 4c  dd b0 03 4f de f6 81 50  |=.'I...L...O...P|
00000340  d3 5d 00 51 de f3 81 51  d3 5c 88 51 dd b0 03 53  |.].Q...Q.\.Q...S|
00000350  dd b0 03 55 de 55 55 55  ca 65 6b 55 dd 07 5c 56  |...U.UUU.ekU..\V|
00000360  ca 60 80 56 dd 05 cb 56  dd 05 58 58 de 58 58 58  |.`.V...V..XX.XXX|
00000370  ca 66 07 5a dd 05 cb 5a  de 2f 1d 5d d3 5f 01 61  |.f.Z...Z./.]._.a|
00000380  d3 5f c1 61 3d eb 46 62  dd 07 5c 62 dd 05 cb 62  |._.a=.Fb..\b...b|
00000390  d3 8e d2 62 db 95 06 63  d3 8d 10 63 da 55 98 63  |...b...c...c.U.c|
000003a0  da 55 9d 63 dd 82 20 64  70 64 64 64 da 4c c0 64  |.U.c.. dpddd.L.d|
000003b0  d3 8e d2 64 d3 8a f0 64  d3 67 0d 65 3d a6 96 65  |...d...d.g.e=..e|
000003c0  ca 66 c8 65 dd 82 20 67  da 68 20 6a dd 82 20 6a  |.f.e.. g.h j.. j|
000003d0  da 68 80 6a d3 88 11 6b  dd 82 20 6d de 2d 00 6e  |.h.j...k.. m.-.n|
000003e0  7c cf a0 6e ca 67 60 70  ca 67 f3 70 da 68 6f 72  ||..n.g`p.g.p.hor|
000003f0  72 72 72 72 da 6a 7f 72  72 72 73 73 ca 6a c4 73  |rrrr.j.rrrss.j.s|
00000400  ca 67 00 75 74 e4 6f 76  da 68 6f 7a da 6a 7f 7a  |.g.ut.ov.hoz.j.z|
00000410  d3 8a 4b 7b 3d a6 96 7b  da 59 00 7c d3 5d 18 81  |..K{=..{.Y.|.]..|
00000420  3d a6 19 81 d3 5d 40 81  d3 61 40 81 d3 5b 58 81  |=....]@..a@..[X.|
00000430  de 4b 98 81 3d 0a 00 82  3d 0a 01 82 d2 15 04 82  |.K..=...=.......|
00000440  da ca 98 82 db 96 20 84  3d 80 72 85 ca 60 86 85  |...... .=.r..`..|
00000450  ca 60 d1 85 3d a6 96 8b  da 06 c8 8b d2 15 03 8c  |.`..=...........|
00000460  ca 66 03 8d ca 66 08 8d  ca 66 09 8d de 2f 3e 8e  |.f...f...f.../>.|
00000470  ca 66 03 90 d3 8b 1d 96  ca 67 2c 96 ca 6a 2e 97  |.f.......g,..j..|
00000480  d3 5c 90 a1 d3 8a 97 a1  de 34 76 a2 3d 80 72 a6  |.\.......4v.=.r.|
00000490  ca 60 80 a6 ca 62 c6 a7  d3 8b 1d aa a8 5f c0 ae  |.`...b......._..|
000004a0  d3 89 20 b2 d3 8a f5 b4  d3 89 a0 b9 d2 c8 d3 c1  |.. .............|
000004b0  d3 8a 91 c2 da cb a0 c2  dd 82 fc c8 3b 33 4e d2  |............;3N.|
000004c0  ca 6a c4 d4 da 6c f8 db  de de de de d3 a2 3d e1  |.j...l........=.|
000004d0  d2 c8 d3 e1 dd 0c 01 e3  dd 0c 21 e3 ca 6a c4 e4  |..........!..j..|
000004e0  77 e9 ff e4 ca 6a c4 e6  db 93 c6 e6 d3 88 1c e7  |w....j..........|
000004f0  ca 6a c4 e8 d3 88 1c ea  7c a1 61 ea d3 a2 3d eb  |.j......|.a...=.|
00000500  d3 88 1c ed ca 6a c4 ed  7c a1 61 ee de dd 05 f0  |.....j..|.a.....|
00000510  7a 48 21 f0 cb ba 5e f1  ca 72 00 f2 7c a1 61 f2  |zH!...^..r..|.a.|
00000520  8b af 37 f4 da 6c f8 f5  db 48 e1 fd d3 a2 3d ff  |..7..l...H....=.|
00000530
This config is the encrypted data of the DDoS IP addresses. Reformat the hex 0x"XX" --> "\XX" <-- encrypted IP address list. See the data below while looking at the hex above.

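As an added example (not code from the original post), a small parser for the config blob above. On my reading of the dump, the first 4 bytes 4b 01 00 00 are a little-endian record count (0x14B = 331), and 4 + 331 * 4 = 0x530 is exactly the offset where the dump ends, which is why every later read(3, ..., 4) pulls one 4-byte record. The code rebuilds bytes from hexdump -C text, checks the count against the blob length, and renders records in strace's escaped-string form so the hex and the read() trace can be matched line by line; the record layout is an assumption, the sample bytes are constructed, and no decryption is attempted.

```python
"""Parse the 4-byte-record config blob discussed above and render it the way
strace shows the bot reading it.  Added example, not the original post's code:
the layout (LE uint32 count, then 4-byte records) is an assumption drawn from
the dump, the sample bytes below are constructed, and nothing is decrypted."""
import struct
from typing import List, Tuple

# Constructed `hexdump -C` text: a count header of 4, followed by the four
# records that appear at offset 0x04 of the dump in the post.
SAMPLE_HEXDUMP = """\
00000000  04 00 00 00 3d 1f 01 01  a8 5f 01 01 d3 62 04 01  |....=...._...b..|
00000010  3d b1 07 01                                       |=...|
00000014
"""


def hexdump_to_bytes(text: str) -> bytes:
    """Rebuild raw bytes from `hexdump -C` output (offset, hex bytes, |ascii|).

    The offset column is checked against the bytes recovered so far, so a
    squeezed ('*') or mis-copied dump is reported instead of silently shifting
    every record by a few bytes."""
    out = bytearray()
    for line in text.splitlines():
        line = line.split("|", 1)[0].strip()  # drop the ASCII column
        if not line:
            continue
        if line == "*":
            raise ValueError("hexdump '*' squeeze lines are not supported")
        fields = line.split()
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} does not match {len(out)} bytes read")
        out.extend(int(h, 16) for h in fields[1:])
    return bytes(out)


def parse_config(blob: bytes) -> Tuple[int, List[bytes]]:
    """Split the blob into its LE uint32 count and the 4-byte records after it.

    The count must account for the whole blob; a mismatch means either the
    layout assumption is wrong or the file was truncated."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the 4-byte count header")
    (count,) = struct.unpack("<I", blob[:4])
    if 4 + 4 * count != len(blob):
        raise ValueError(f"header says {count} records, blob holds {(len(blob) - 4) / 4}")
    return count, [blob[4 + 4 * i:8 + 4 * i] for i in range(count)]


def strace_escape(data: bytes) -> str:
    """Render bytes the way strace prints string arguments: printable ASCII
    as-is, backslash and double quote escaped, \\f \\n \\r \\t \\v by name, and
    everything else as octal with the fewest digits, except that three digits
    are used when a decimal digit follows (so "\\0015" is 01 35, not 0x0f 35)."""
    named = {0x0c: "\\f", 0x0a: "\\n", 0x0d: "\\r", 0x09: "\\t", 0x0b: "\\v",
             0x22: '\\"', 0x5c: "\\\\"}
    out = []
    for i, b in enumerate(data):
        if b in named:
            out.append(named[b])
        elif 0x20 <= b <= 0x7e:
            out.append(chr(b))
        else:
            nxt = data[i + 1] if i + 1 < len(data) else None
            if nxt is not None and 0x30 <= nxt <= 0x39:
                out.append(f"\\{b:03o}")  # digit follows: pad to 3 octal digits
            else:
                out.append(f"\\{b:o}")
    return "".join(out)


def as_read_trace(blob: bytes, fd: int = 3) -> List[str]:
    """Present the blob as the strace excerpt does: one read(fd, ..., 4) per
    4-byte unit, the count header first."""
    return [f'read({fd}, "{strace_escape(blob[i:i + 4])}", 4)'
            for i in range(0, len(blob), 4)]


if __name__ == "__main__":
    blob = hexdump_to_bytes(SAMPLE_HEXDUMP)
    count, records = parse_config(blob)
    print(f"{count} encrypted records, still opaque until DeCrypt is applied")
    for line in as_read_trace(blob):
        print(line)
```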
The other config:

$ cat fake.cfg
0
x.x.x.x:x.x.x.x
10000:60000
Tips #1: This data is to be decrypted by this function: _ZN8CUtility7DeCryptEPciPKci (the same as for the IP & port of the CNC coded in the bins).
Tips #2: CNC cracking tips for fellow researchers: the encrypted IP is in the bins, as per below, to be decrypted by the same function as above.

_start --> main --> _ZN9CServerIP10InitializeEv --> push offset xxx --> encrypted IP, then PORT
feed the strings to --> _ZN8CUtility7DeCryptEPciPKci
Additionally, a recorded PoC of the L7 DDoS attack caused by this tool.

sendto(5, "E\0\4\34\23K@\0\356\21\3YN.%E<\307\301\362\0\0\0P\4\10\205a\0\0\0\0", 1025, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("x.x.x.x")}, 16)
sendto(5, "E\0\4\36\24K@\0\360\21\0WN.%E<\307\301\362\0\0\0P\4\n\205]\0\0\0\0", 1027, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("x.x.x.x")}, 16)
sendto(5, "E\0\4 \25K@\0\362\21\375TN.%E<\307\301\362\0\0\0P\4\f\205Y\0\0\0\0", 1029, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("x.x.x.x")}, 16)
sendto(5, "E\0\4\34\26K@\0\364\21\372XN.%E<\307\301\362\0\0\0P\4\10\205a\0\0\0\0", 1025, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("x.x.x.x")}, 16)
sendto(5, "E\0\4\36\27K@\0\366\21\367VN.%E<\307\301\362\0\0\0P\4\n\205]\0\0\0\0", 1027, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("x.x.x.x")}, 16^C)
#MoronzGonnaWeep | #MalwareMustDie

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Sun Sep 14, 2014 8:26 am

Answering some PM/DM questions, the decryption function:

Map: (image)
Code:

Code: Select all

0x8061974 ; CUtility::DeCrypt(char *, int, char  const*, int)
0x8061974   public _ZN8CUtility7DeCryptEPciPKci
0x8061974
0x8061974 var_4 = dword ptr -4
0x8061974 arg_0 = dword ptr  8
0x8061974 arg_4 = dword ptr  0Ch
0x8061974 arg_8 = dword ptr  10h
0x8061974 arg_C = dword ptr  14h
0x8061974
0x8061974       push    ebp
0x8061975       mov     ebp, esp
0x8061977       sub     esp, 10h
0x806197A       mov     [ebp+var_4], 0
0x8061981       jmp     short 0x80619BA

0x8061983 0x8061983:
0x8061983       mov     eax, [ebp+var_4]
0x8061986       and     eax, 1
0x8061989       test    al, al
0x806198B       jz      short 0x80619A2
0x806198D       mov     eax, [ebp+var_4]
0x8061990       mov     edx, eax
0x8061992       add     edx, [ebp+arg_0]
0x8061995       mov     eax, [ebp+var_4]
0x8061998       add     eax, [ebp+arg_8]
0x806199B       mov     al, [eax]
0x806199D       inc     eax
0x806199E       mov     [edx], al
0x80619A0       jmp     short 0x80619B5

0x80619A2 0x80619A2:
0x80619A2       mov     eax, [ebp+var_4]
0x80619A5       mov     edx, eax
0x80619A7       add     edx, [ebp+arg_0]
0x80619AA       mov     eax, [ebp+var_4]
0x80619AD       add     eax, [ebp+arg_8]
0x80619B0       mov     al, [eax]
0x80619B2       dec     eax
0x80619B3       mov     [edx], al

0x80619B5 0x80619B5:
0x80619B5       lea     eax, [ebp+var_4]
0x80619B8       inc     dword ptr [eax]

0x80619BA 0x80619BA:
0x80619BA       mov     eax, [ebp+var_4]
0x80619BD       cmp     eax, [ebp+arg_C]
0x80619C0       jge     short locret_80619D6
0x80619C2       mov     eax, [ebp+var_4]
0x80619C5       cmp     eax, [ebp+arg_4]
0x80619C8       jge     short locret_80619D6
0x80619CA       mov     eax, [ebp+var_4]
0x80619CD       add     eax, [ebp+arg_8]
0x80619D0       mov     al, [eax]
0x80619D2       test    al, al
0x80619D4       jnz     short 0x8061983

0x80619D6 locret_0x80619D6:
0x80619D6       leave
0x80619D7       retn
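
The routine above, rewritten in C from the listing as an added example (not code from the sample or from the post); the parameter names dst, dst_len, src and src_len are assumed for arg_0, arg_4, arg_8 and arg_C, and the return value is an addition so the behaviour can be checked:

```c
#include <stdio.h>
#include <string.h>

/*
 * CUtility::DeCrypt(char *, int, char const *, int) rewritten in C from the
 * x86 listing (added example; not code from the sample or the post).
 * Parameter names are assumed: dst=arg_0, dst_len=arg_4, src=arg_8,
 * src_len=arg_C.  The loop counter is var_4.
 *
 * Each source byte is copied to the same offset in dst: at odd offsets it is
 * incremented (inc eax), at even offsets decremented (dec eax).  The loop
 * ends at src_len, at dst_len, or at the first 0x00 byte of src, whichever
 * comes first.  The original returns nothing useful; this version returns
 * the number of bytes written so the behaviour can be checked.
 */
int elknot_decrypt(char *dst, int dst_len, const char *src, int src_len)
{
    int i = 0;                              /* [ebp+var_4] */

    while (i < src_len && i < dst_len && src[i] != '\0') {
        if (i & 1)
            dst[i] = (char)(src[i] + 1);    /* odd offset: +1 */
        else
            dst[i] = (char)(src[i] - 1);    /* even offset: -1 */
        i++;
    }
    /* Caveats: dst is not NUL-terminated here, and a 0x00 inside src stops
     * the loop early, so only NUL-free (text-style) input decrypts whole. */
    return i;
}

/* Added helper: decrypt a C string into a NUL-terminated C string. */
int elknot_decrypt_str(char *out, int out_size, const char *enc)
{
    int n;

    if (out_size <= 0)
        return 0;
    n = elknot_decrypt(out, out_size - 1, enc, (int)strlen(enc));
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample: "dlcfg" put through the inverse transform
     * (even offsets +1, odd offsets -1) gives "ekdeh". */
    char plain[32];
    int n = elknot_decrypt_str(plain, (int)sizeof plain, "ekdeh");

    printf("%d bytes -> \"%s\"\n", n, plain);   /* 5 bytes -> "dlcfg" */
    return 0;
}
```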

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Sun Sep 14, 2014 8:01 pm

Someone just uploaded this sample of Elknot w/encrypted dlcfg (list of DNS IP addresses) https://www.virustotal.com/en/file/ea2d ... 399881335/
The sample itself is a bit old (from May 2014?)
PoC for the downloaded filename:

Code: Select all

.text:0804A98B push ebx
.text:0804A98C sub esp, 14h
.text:0804A98F lea eax, [ebp+var_C]
.text:0804A992 sub esp, 4
.text:0804A995 push 2Fh
.text:0804A997 push offset aDlcfg ; "dlcfg"
.text:0804A99C push eax
.text:0804A99D call _ZN8CUtility18GetCurrentFilePathEPKcc ; CUtility::GetCurrentFilePath(char const*,char)
.text:0804A9A2 add esp, 0Ch
.text:0804A9A5 sub esp, 0Ch
.text:0804A9A8 lea eax, [ebp+var_C]
.text:0804A9AB push eax 
Pls feel free to contribute to analyzing it, as per the previously posted examples.

Fulrem
Posts: 6
Joined: Thu Feb 28, 2013 10:00 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by Fulrem » Tue Sep 16, 2014 7:56 am

I think these ARM files are actually the AES.DDoS family.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Wed Sep 17, 2014 3:26 am

Another sample: https://www.virustotal.com/en/file/269d ... 410770173/
Pls see VT comment.
CNC: 183.60.202.91 : 10991
Loc: ASN: 4134 | Prefix: 183.0.0.0/10 | CHINANET | CN | CHINATELECOM.COM.CN | CHINANET GUANGDONG PROVINCE NETWORK
Noted a version w/o dlcfg encrypted

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Wed Sep 17, 2014 3:31 am

Another sample: https://www.virustotal.com/en/file/9488 ... 410923906/
Using encrypted dlcfg fetched from: 180.76.3.151:80
CNC cracked is 61.160.247.4:38
dlcfg:

Code: Select all

00000000  4b 01 00 00 3d 1f 01 01  a8 5f 01 01 d3 62 04 01  |K...=...._...b..|
00000010  3d b1 07 01 3d 93 25 01  d3 a2 3e 01 ca 26 40 01  |=...=.%...>..&@.|
00000020  ca c4 40 01 d3 5f 48 01  d3 8a 5b 01 db eb 7f 01  |..@.._H...[.....|
00000030  d3 4e 82 01 da 02 87 01  a8 5f c0 01 3d 1f e9 01  |.N......._..=...|
00000040  d2 2a f1 01 dd e4 ff 01  3a f2 02 02 ca 65 06 02  |.*......:....e..|
00000050  da c9 11 02 da 68 4e 02  dd 0b 84 02 d3 8a b4 02  |.....hN.........|
00000060  d3 8b 01 03 ca af 03 03  d3 93 06 03 3d bb 62 03  |............=.b.|
00000070  da cb 65 03 ca 66 98 03  ca 66 9a 03 d3 a1 9f 03  |..e..f...f......|
00000080  dc a8 d0 03 3d 3c e0 03  3d 86 01 04 d3 62 02 04  |....=<..=....b..|
00000090  ca 0e 43 04 ca 63 a6 04  ca 75 60 05 de 2e 78 05  |..C..c...u`...x.|
000000a0  d3 89 a0 05 ca 60 d1 05  3d 3c e0 05 3c bf f4 05  |.....`..=<..<...|
000000b0  3d ea fe 05 dd b0 04 06  77 06 06 06 ca 61 07 06  |=.......w....a..|
000000c0  3d bb 62 06 d3 8a a4 06  d2 15 c4 06 dc a8 d0 06  |=.b.............|
000000d0  ca 72 f0 06 d3 62 48 07  ca af 03 08 ca 63 a8 08  |.r...bH......c..|
000000e0  ca 64 c7 08 ca 63 e0 08  ca 3c fc 08 dd b0 04 09  |.d...c...<......|
000000f0  3d e9 09 09 cb 50 60 09  ca 71 10 0a dd 07 22 0a  |=....P`..q....".|
00000100  ca 75 60 0a ca 70 70 0a  db 8d 88 0a db 8d 8c 0a  |.u`..pp.........|
00000110  65 2f bd 0a ca 71 10 0b  dd 03 83 0b d3 a1 9e 0b  |e/...q..........|
00000120  dd b0 04 0c 3d eb a4 0d  ca 0e 43 0e dd b0 04 0f  |....=.....C.....|
00000130  ca 60 68 0f ca 60 9a 0f  8b af fc 10 ca 61 07 11  |.`h..`.......a..|
00000140  d3 8b 02 12 dd b0 04 12  ca 60 56 12 cb 8e 64 12  |.........`V...d.|
00000150  3d eb a4 12 65 2f bd 12  d3 8a f2 12 b4 a8 ff 12  |=...e/..........|
00000160  d3 8a 6a 13 ca 6a 00 14  dd 07 01 14 8b af 0a 14  |..j..j..........|
00000170  cb ba 5e 14 8b af 96 14  dd b0 04 15 cb 8e 64 15  |..^...........d.|
00000180  ca 67 b0 16 71 6f d3 16  ca 60 68 1a ca 60 6b 1b  |.g..qo...`h..`k.|
00000190  d3 62 79 1b ca 76 01 1d  dd e8 81 1e ca 70 90 1e  |.by..v.......p..|
000001a0  ca 55 80 20 3a f0 39 21  ca c1 40 21 3d ec 5d 21  |.U. :.9!..@!=.]!|
000001b0  ca cb 80 21 ca 60 86 21  ca cb 90 21 ca cb a0 21  |...!.`.!...!...!|
000001c0  d2 26 c0 21 ca cb c0 21  ca cb d0 21 ca cb e0 21  |.&.!...!...!...!|
000001d0  ca 66 18 22 d3 8b 49 22  d3 89 f1 22 3d 82 fe 22  |.f."..I"..."=.."|
000001e0  ca 73 20 24 ca 60 67 24  db 8d 94 25 ca 60 45 26  |.s $.`g$...%.`E&|
000001f0  ca 73 20 27 db 8d 94 27  de 2d 01 28 da 1e 13 28  |.s '...'.-.(...(|
00000200  db ef 1a 2a 3a f1 d0 2e  ca 60 90 2f da 1e 13 32  |...*:....`./...2|
00000210  d3 88 70 32 76 1d f9 32  dd 82 21 34 ca 76 01 35  |..p2v..2..!4.v.5|
00000220  76 1d f9 36 70 04 00 37  ca 65 62 37 db 95 c2 37  |v..6p..7.eb7...7|
00000230  ca 2d 54 3a d3 8c c5 3a  dd 82 21 3c d3 a2 3e 3c  |.-T:...:..!<..><|
00000240  3d e9 09 3d d3 5a 48 41  d3 5a 50 41 d3 61 60 41  |=..=.ZHA.ZPA.a`A|
00000250  db 92 01 42 db 93 01 42  dd 06 04 42 3d 8b 36 42  |...B...B...B=.6B|
00000260  dd 04 42 42 3a 16 60 42  d3 88 96 42 d3 8a 9c 42  |..BB:.`B...B...B|
00000270  ca 63 c0 42 db 94 cc 42  ca 2d 54 43 ca 62 c0 43  |.c.B...B.-TC.b.C|
00000280  ca 63 e0 43 ca 62 00 44  ca 67 00 44 ca 62 05 44  |.c.C.b.D.g.D.b.D|
00000290  ca 67 18 44 d3 8b 1d 44  ca 60 40 44 dc aa 40 44  |.g.D...D.`@D..@D|
000002a0  ca 60 4b 44 d3 8d 5a 44  ca 60 60 44 ca 62 60 44  |.`KD..ZD.``D.b`D|
000002b0  ca 63 60 44 ca 64 60 44  ca 63 68 44 dd 07 80 44  |.c`D.d`D.chD...D|
000002c0  ca 60 80 44 ca 66 80 44  3d 80 80 44 ca 66 86 44  |.`.D.f.D=..D.f.D|
000002d0  dd 07 88 44 ca 63 a0 44  3d 84 a3 44 ca 63 c0 44  |...D.c.D=..D.c.D|
000002e0  ca 64 c0 44 ca 66 c0 44  3d 80 c0 44 ca 6a c3 44  |.d.D.f.D=..D.j.D|
000002f0  ca 66 c7 44 de ac c8 44  ca 66 d5 44 ca 61 e0 44  |.f.D...D.f.D.a.D|
00000300  ca 62 e0 44 ca 65 e0 44  ca 66 e0 44 ca 67 e0 44  |.b.D.e.D.f.D.g.D|
00000310  ca 67 e1 44 ca 65 e2 44  ca 66 e3 44 3d 8b 02 45  |.g.D.e.D.f.D=..E|
00000320  dd 83 8f 45 d3 8a c8 45  dd b0 03 46 dd b0 03 49  |...E...E...F...I|
00000330  3d 8b 27 49 dd b0 03 4c  dd b0 03 4f de f6 81 50  |=.'I...L...O...P|
00000340  d3 5d 00 51 de f3 81 51  d3 5c 88 51 dd b0 03 53  |.].Q...Q.\.Q...S|
00000350  dd b0 03 55 de 55 55 55  ca 65 6b 55 dd 07 5c 56  |...U.UUU.ekU..\V|
00000360  ca 60 80 56 dd 05 cb 56  dd 05 58 58 de 58 58 58  |.`.V...V..XX.XXX|
00000370  ca 66 07 5a dd 05 cb 5a  de 2f 1d 5d d3 5f 01 61  |.f.Z...Z./.]._.a|
00000380  d3 5f c1 61 3d eb 46 62  dd 07 5c 62 dd 05 cb 62  |._.a=.Fb..\b...b|
00000390  d3 8e d2 62 db 95 06 63  d3 8d 10 63 da 55 98 63  |...b...c...c.U.c|
000003a0  da 55 9d 63 dd 82 20 64  70 64 64 64 da 4c c0 64  |.U.c.. dpddd.L.d|
000003b0  d3 8e d2 64 d3 8a f0 64  d3 67 0d 65 3d a6 96 65  |...d...d.g.e=..e|
000003c0  ca 66 c8 65 dd 82 20 67  da 68 20 6a dd 82 20 6a  |.f.e.. g.h j.. j|
000003d0  da 68 80 6a d3 88 11 6b  dd 82 20 6d de 2d 00 6e  |.h.j...k.. m.-.n|
000003e0  7c cf a0 6e ca 67 60 70  ca 67 f3 70 da 68 6f 72  ||..n.g`p.g.p.hor|
000003f0  72 72 72 72 da 6a 7f 72  72 72 73 73 ca 6a c4 73  |rrrr.j.rrrss.j.s|
00000400  ca 67 00 75 74 e4 6f 76  da 68 6f 7a da 6a 7f 7a  |.g.ut.ov.hoz.j.z|
00000410  d3 8a 4b 7b 3d a6 96 7b  da 59 00 7c d3 5d 18 81  |..K{=..{.Y.|.]..|
00000420  3d a6 19 81 d3 5d 40 81  d3 61 40 81 d3 5b 58 81  |=....]@..a@..[X.|
00000430  de 4b 98 81 3d 0a 00 82  3d 0a 01 82 d2 15 04 82  |.K..=...=.......|
00000440  da ca 98 82 db 96 20 84  3d 80 72 85 ca 60 86 85  |...... .=.r..`..|
00000450  ca 60 d1 85 3d a6 96 8b  da 06 c8 8b d2 15 03 8c  |.`..=...........|
00000460  ca 66 03 8d ca 66 08 8d  ca 66 09 8d de 2f 3e 8e  |.f...f...f.../>.|
00000470  ca 66 03 90 d3 8b 1d 96  ca 67 2c 96 ca 6a 2e 97  |.f.......g,..j..|
00000480  d3 5c 90 a1 d3 8a 97 a1  de 34 76 a2 3d 80 72 a6  |.\.......4v.=.r.|
00000490  ca 60 80 a6 ca 62 c6 a7  d3 8b 1d aa a8 5f c0 ae  |.`...b......._..|
000004a0  d3 89 20 b2 d3 8a f5 b4  d3 89 a0 b9 d2 c8 d3 c1  |.. .............|
000004b0  d3 8a 91 c2 da cb a0 c2  dd 82 fc c8 3b 33 4e d2  |............;3N.|
000004c0  ca 6a c4 d4 da 6c f8 db  de de de de d3 a2 3d e1  |.j...l........=.|
000004d0  d2 c8 d3 e1 dd 0c 01 e3  dd 0c 21 e3 ca 6a c4 e4  |..........!..j..|
000004e0  77 e9 ff e4 ca 6a c4 e6  db 93 c6 e6 d3 88 1c e7  |w....j..........|
000004f0  ca 6a c4 e8 d3 88 1c ea  7c a1 61 ea d3 a2 3d eb  |.j......|.a...=.|
00000500  d3 88 1c ed ca 6a c4 ed  7c a1 61 ee de dd 05 f0  |.....j..|.a.....|
00000510  7a 48 21 f0 cb ba 5e f1  ca 72 00 f2 7c a1 61 f2  |zH!...^..r..|.a.|
00000520  8b af 37 f4 da 6c f8 f5  db 48 e1 fd d3 a2 3d ff  |..7..l...H....=.|
00000530
config = fake.cfg:

Code: Select all

00000000  30 0d 0a 37 38 2e 34 36  2e 33 37 2e 36 39 3a 37  |0..78.46.37.69:7|
00000010  38 2e 34 36 2e 33 37 2e  36 39 0d 0a 31 30 30 30  |8.46.37.69..1000|
00000020  30 3a 36 30 30 30 30 0d  0a 0d 0a                 |0:60000....|
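
A parser for the dlcfg blob dumped above, added here as an example (not code from the sample or the post). The layout is inferred from the dump: the leading little-endian dword 0x0000014b = 331 is exactly (0x530 - 4) / 4, the number of 4-byte records that follow, and each record reads as an IPv4 address in network byte order (a8 5f 01 01 is 168.95.1.1); the record order in the dump, with the last octet rising, is the ascending little-endian integer value of each record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Parser for the dlcfg blob (added example; not code from the sample or the
 * post).  Layout assumed from the dump:
 *   - a little-endian uint32 record count (0x14b = 331 in the dump, which is
 *     exactly (0x530 - 4) / 4, the number of 4-byte records that follow);
 *   - one IPv4 address per record in network byte order.
 */
#define DLCFG_MAX 4096

struct dlcfg {
    uint32_t count;
    uint32_t addr[DLCFG_MAX];       /* host-order IPv4: a.b.c.d -> 0xaabbccdd */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Returns the number of records, or -1 if the count does not match the size. */
int dlcfg_parse(const uint8_t *buf, size_t len, struct dlcfg *out)
{
    uint32_t n, i;

    if (len < 4)
        return -1;
    n = le32(buf);
    /* The count must account for every remaining byte, as it does in the dump. */
    if (n > DLCFG_MAX || (size_t)n * 4 != len - 4)
        return -1;
    out->count = n;
    for (i = 0; i < n; i++)
        out->addr[i] = be32(buf + 4 + 4 * i);
    return (int)n;
}

/* Dotted-quad formatting for a host-order address. */
void dlcfg_fmt(uint32_t a, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", (unsigned)(a >> 24),
             (unsigned)(a >> 16) & 0xff, (unsigned)(a >> 8) & 0xff,
             (unsigned)a & 0xff);
}

/* Constructed sample: a two-record blob built from the first two records of the dump. */
const uint8_t dlcfg_sample[] = {
    0x02, 0x00, 0x00, 0x00,         /* count = 2 */
    0x3d, 0x1f, 0x01, 0x01,         /* 61.31.1.1 */
    0xa8, 0x5f, 0x01, 0x01,         /* 168.95.1.1 */
};
const size_t dlcfg_sample_len = sizeof dlcfg_sample;

int main(void)
{
    struct dlcfg cfg;
    char ip[16];
    int i, n = dlcfg_parse(dlcfg_sample, dlcfg_sample_len, &cfg);

    for (i = 0; i < n; i++) {
        dlcfg_fmt(cfg.addr[i], ip);
        printf("%s\n", ip);
    }
    return n < 0;
}
```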

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Wed Sep 17, 2014 3:43 am

Thanks for comment.
Fulrem wrote: I think these ARM files are actually the AES.DDoS family.
But I really don't think so, since the AES functions below do NOT exist, i.e.:

Code: Select all

_ZN3AESC2EPh
_ZN3AES9InvCipherEPvi
_ZN3AESD2Ev
_ZN3AESC1EPh
_ZTI3AES
_ZN3AES11InvSubBytesEPA4_h
_ZN3AES5FFmulEhh
_ZN3AES13InvMixColumnsEPA4_h
_ZN3AES8SubBytesEPA4_h
_ZN3AESD1Ev
_ZN3AES10MixColumnsEPA4_h 
^^ The AES versions use these ^^
Pls read: http://www.kernelmode.info/forum/viewto ... =16&t=3483

Moreover only one ARM sample spotted. We can expect more though.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Wed Sep 17, 2014 4:22 am

Speak of the devil, the new ARM DDoS'er was found.
https://www.virustotal.com/en/file/e02a ... 410878187/
This one is so simple: no AES, not a BillGates, not IptabLes|x; it contains HTTP flood only, plus the basics of Elknot. So I put it in Elknot.
Must be made to aim at routers; VT detection ratio is 2 (read: TWO), many downloads... fresh one..
PoC of flood:

Code: Select all

0x0A440   MOV     R3, R0
0x0A444   MOV     R1, R9
0x0A448   LDR     R0, =aGetFloodToSDUU ; "get flood to %s:%d (%u:%u)\r\n"
0x0A44C   STR     R12, [LR,#0x124]
0x0A450   BL      sub_1AA7C
0x0A454   LDR     R8, =0xFFFEFED9
(...)
0x0A470   LDR     R1, =aHttp1_1   ; " HTTP/1.1\r\n"
0x0A474   MOV     R2, #0xB
0x0A478   ADD     R0, R8, R5
0x0A47C   BL      sub_27BE0
0x0A480   ADD     R0, R5, #0xB
0x0A484   LDR     R1, =aAcceptTextHtml ; "Accept: text/html, application/xhtml+xm"...
0x0A488   MOV     R2, #0x2F
0x0A48C   ADD     R0, R8, R0
0x0A490   BL      sub_27BE0
0x0A494   ADD     R0, R5, #0x3A
0x0A498   LDR     R1, =aAcceptLanguage ; "Accept-Language: zh-CN\r\n"
0x0A49C   MOV     R2, #0x18
0x0A4A0   ADD     R0, R8, R0
0x0A4A4   BL      sub_27BE0
0x0A4A8   ADD     R0, R5, #0x52
0x0A4AC   LDR     R1, =aUserAgentMozil ; "User-Agent: Mozilla/5.0 (compatible; MS"...
0x0A4B0   MOV     R2, #0x55
0x0A4B4   ADD     R0, R8, R0
0x0A4B8   BL      sub_27BE0
0x0A4BC   ADD     R0, R5, #0xA7
0x0A4C0   LDR     R1, =aAcceptEncoding ; "Accept-Encoding: gzip, deflate\r\n"
0x0A4C4   MOV     R2, #0x20
0x0A4C8   ADD     R0, R8, R0
0x0A4CC   BL      sub_27BE0
0x0A4D0   ADD     R0, R5, #0xC7
0x0A4D4   LDR     R1, =aHost      ; "Host: "
0x0A4D8   MOV     R2, #6
0x0A4DC   ADD     R0, R8, R0
0x0A4E0   BL      sub_27BE0
0x0A4E4   MOV     R0, R9
0x0A4E8   BL      sub_26D60
0x0A4EC   ADD     R5, R5, #0xCD
0x0A4F0   ADD     R4, R8, R5
0x0A4F4   MOV     R2, R0
0x0A4F8   MOV     R1, R9
0x0A4FC   MOV     R0, R4
0x0A500   BL      sub_27BE0
0x0A504   MOV     R0, R9
0x0A508   BL      sub_26D60
0x0A50C   ADD     R5, R5, R0
0x0A510   LDR     R1, =aConnectionKeep ; "\r\nConnection: Keep-Alive\r\n"
0x0A514   MOV     R2, #0x1A
0x0A518   ADD     R0, R8, R5
0x0A51C   BL      sub_27BE0
0x0A520   ADD     R0, R5, #0x1A
0x0A524   MOV     R2, #0x14
0x0A528   LDR     R1, =aPragmaNoCache ; "Pragma: no-cache\r\n\r\n"
0x0A52C   ADD     R0, R8, R0
0x0A530   BL      sub_27BE0

Fulrem
Posts: 6
Joined: Thu Feb 28, 2013 10:00 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by Fulrem » Wed Sep 17, 2014 5:04 am

The ARM sample is missing its symbol table.

This sample :: https://www.virustotal.com/en/file/1903 ... /analysis/
It has symbols, does NOT have AES, and matches the ARM sample down to even the filename /etc/.msys
One of the obvious stand-out symbols as well is DealwithDDoS along with the typical <type>_Flood symbols.
Always seems to be a 'VERSONEX:%s' string in there as well amongst others.

Looking at this next sample you can clearly see all the AES functions present, and there does appear to be a lot of similarity:
https://www.virustotal.com/en/file/223f ... /analysis/
Code layout of some of the symbol functions such as DealwithDDoS appear to be based on the same flow just extended further with added code tacked on.


To me they look like the same family that was further developed into the AES one, but still remarkably different to Elknot from the samples I've been playing with.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Linux/Elknot (Windows DDoS botnet, alias DnsAmp)

Post by unixfreaxjp » Wed Sep 17, 2014 12:04 pm

Thanks for answering.
Fulrem wrote: and matches the ARM sample down to even the filename /etc/.msys
When I saw that sample https://www.virustotal.com/en/file/1903 ... /analysis/ that I analyzed here: http://pastebin.com/dhvAEH4D , the AES ver didn't exist at that time. I was not even sure what to call that ELF, so I just called it Chinese ELF DDoSer (not Elknot). And yes, I remember it has the msys too.

I understand what you mean; you talked about the general coding they did. I thought about the AES function specifically. < why I didn't get it
So, comparing the ARM ver once more: yes, I have to admit that I agree with you.
I will ask to move the thread for that ARM post into AES.DDoS, at least we have the clear red line of its route now.

Chinese DDoSers are growing very fast; we don't know what boosted them.. Up to today we cleaned up 29 panels.. hard time.
I wonder whether they are sharing codes in their BBS or something..
Flooded w/many samples; soon I'll feel like I'm losing track if not following them well. Let's do the best & pls kindly give a hand in ELF matters.
