Linux.BackDoor.MrBlack Attack And Defense Analysis
2016-02-22 10:46
Catalogue
1. Malware overview
0x1: Supported attack types
0x2: Supported client architectures
0x3: Persistence
0x4: Anti-debugging / anti-analysis
0x5: Trojan client distribution
Relevant Link:
2. Module breakdown
3. Communication protocol
4. Trojan cleanup
Copyright (c) 2016 LittleHann All rights reserved
1. Malware overview
0x1: Supported attack types
1. DNS_Flood
2. SYN_Flood
3. UDP_Flood
4. UDPS_Flood
5. TCP_Flood (floods a specified IP)
6. CC_Flood (requests a specified URL)
7. CC2_Flood
8. CC3_Flood
..
0x2: Supported client architectures
1. EM_386
2. EM_x86_64
3. EM_MIPS
4. EM_ARM
5. PE x86
// Written mostly in C/C++
// Debug info often not stripped
0x3: Persistence
1. Kills competing resource-consuming processes
2. Registers itself as a service / autostart entry
1) /etc/init.d/: startup scripts are copied here
2) /etc/cron.<S>/: <S> from { hourly, daily, weekly, monthly }
3) An entry can be added to /etc/crontab
4) /etc/rc<N>.d/: symbolic links to startup scripts, where <N> is the runlevel (0 halt; 1 single-user; 2-5 multi-user; 6 reboot)
5) Alternatively, the path of the binary can be added to /etc/rc.local
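As an added example (my code, not the author's and not anything from the malware), here is a small Python scan of exactly the locations listed above: it walks /etc/init.d, /etc/cron.<S>, /etc/rc<N>.d, /etc/crontab and /etc/rc.local under a chosen root and flags entries that start something out of a scratch directory such as /tmp or /var/tmp, which is where dropped bots usually live. The scratch-directory set, the relative-path output and the constructed demo tree are assumptions made for this example; run it with root="/" on a live host.

```python
import os
import re
import tempfile

# Persistence locations from the list above, relative to a root so the scan
# can run against a constructed test tree as well as a live host (root="/").
PERSISTENCE_DIRS = (
    ["etc/init.d"]
    + ["etc/cron.%s" % s for s in ("hourly", "daily", "weekly", "monthly")]
    + ["etc/rc%d.d" % n for n in range(7)]
)
PERSISTENCE_FILES = ["etc/crontab", "etc/rc.local"]

# Startup entries that launch something out of a world-writable scratch
# directory are a cheap, high-signal indicator for dropped bots. The set of
# directories is an assumption made for this example; extend it as needed.
SCRATCH_PATH = re.compile(r"(?<![\w./-])(?:/tmp|/var/tmp|/dev/shm)/\S+")


def suspicious_lines(path):
    """Return (line_no, line) pairs of `path` that reference a scratch dir."""
    try:
        with open(path, "r", errors="replace") as fh:
            return [(n, line.rstrip("\n")) for n, line in enumerate(fh, 1)
                    if SCRATCH_PATH.search(line)]
    except OSError:
        return []


def scan_persistence(root="/"):
    """Walk the persistence locations and return (entry, line_no, evidence).

    `entry` is relative to `root`. rc<N>.d entries are symlinks to init.d
    scripts; a finding is reported under the symlink, and a dangling link is
    reported as evidence on its own (line_no 0).
    """
    candidates = []
    for d in PERSISTENCE_DIRS:
        full = os.path.join(root, d)
        if os.path.isdir(full):
            candidates += [os.path.join(full, n) for n in sorted(os.listdir(full))]
    candidates += [os.path.join(root, f) for f in PERSISTENCE_FILES]

    findings = []
    for entry in candidates:
        rel = os.path.relpath(entry, root)
        target = os.path.realpath(entry)
        if os.path.islink(entry) and not os.path.exists(target):
            findings.append((rel, 0, "dangling symlink -> " + os.readlink(entry)))
            continue
        if not os.path.isfile(target):
            continue
        for n, line in suspicious_lines(target):
            findings.append((rel, n, line.strip()))
    return findings


def build_demo_tree():
    """Constructed sample tree (not a real infection) for an offline run."""
    root = tempfile.mkdtemp(prefix="mrblack-demo-")
    for d in ("etc/init.d", "etc/rc3.d", "etc/cron.hourly"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "etc/init.d/mrblack"), "w") as fh:
        fh.write("#!/bin/sh\n/var/tmp/.bot/Linux2.6 &\n")
    os.symlink("../init.d/mrblack", os.path.join(root, "etc/rc3.d/S99mrblack"))
    with open(os.path.join(root, "etc/rc.local"), "w") as fh:
        fh.write("#!/bin/sh -e\n/tmp/.x/.mrblack &\nexit 0\n")
    with open(os.path.join(root, "etc/crontab"), "w") as fh:
        fh.write("17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for entry, n, evidence in scan_persistence(root):
        print("%s:%d: %s" % (entry, n, evidence))
```

The scan deliberately reports the rc3.d symlink and the init.d script it points to as two findings: the symlink is what makes the script start at boot, so removing only one of them leaves the other for the next cleanup pass to see.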
0x4: Anti-debugging / anti-analysis
1. Shipped either in plain form or packed with UPX
2. UPX is sometimes modified so that the stock UPX tool cannot unpack the binary
1) Modified magic value
2) Checksums do not match
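As an added example (my code, not from the page's author), the following triage helper handles the modified-UPX case: it looks for the stock UPX! magic, for the clear-text "$Info: This file is packed with the UPX executable packer" banner that the stub keeps even when the magic is changed, and for the structural trait of a UPX-packed ELF (no section header table and only two or three program headers), then patches a replaced magic back so stock `upx -d` can be tried. The constructed ELF64 header in demo_sample() is a stand-in, not a real sample, and the verdict names are assumptions for this example.

```python
import struct

UPX_MAGIC = b"UPX!"
# Stock UPX stubs carry this banner in clear text even when the magic is altered.
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def elf_looks_packed(data):
    """Structural UPX trait: a packed ELF has no section header table and only
    two or three program headers (loader stub plus compressed image). Normal
    toolchain output keeps its section headers even after `strip`."""
    if len(data) < 0x40 or data[:4] != b"\x7fELF":
        return False
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64: e_phnum at 0x38, e_shnum at 0x3c
        e_phnum = struct.unpack_from(endian + "H", data, 0x38)[0]
        e_shnum = struct.unpack_from(endian + "H", data, 0x3c)[0]
    else:             # ELFCLASS32: e_phnum at 0x2c, e_shnum at 0x30
        e_phnum = struct.unpack_from(endian + "H", data, 0x2c)[0]
        e_shnum = struct.unpack_from(endian + "H", data, 0x30)[0]
    return e_shnum == 0 and 0 < e_phnum <= 3


def upx_triage(data):
    """Classify a blob as upx-stock, upx-modified or not-upx (names assumed here)."""
    offsets = []
    i = data.find(UPX_MAGIC)
    while i != -1:
        offsets.append(i)
        i = data.find(UPX_MAGIC, i + 1)
    banner = UPX_BANNER in data
    structural = elf_looks_packed(data)
    if offsets:
        verdict = "upx-stock"      # stock `upx -d` should work unless checksums were also altered
    elif banner or structural:
        verdict = "upx-modified"   # looks packed, but the UPX! marker is gone
    else:
        verdict = "not-upx"
    return {"verdict": verdict, "magic_offsets": offsets,
            "banner": banner, "structural": structural}


def restore_upx_magic(data, custom_magic):
    """Patch a replaced 4-byte magic back to b'UPX!' so stock `upx -d` can be
    tried. If the packer also changed the header checksums, upx still refuses
    and the process image has to be dumped from memory or unpacked by hand."""
    if len(custom_magic) != 4:
        raise ValueError("UPX magic is exactly 4 bytes")
    return data.replace(custom_magic, UPX_MAGIC)


def demo_sample(magic=b"UPX!"):
    """Constructed stand-in for a packed ELF64 bot: a valid ELF header with
    e_phnum=2 and e_shnum=0, a UPX banner, and two copies of `magic` (one near
    the start, one in the trailer). It is not a real sample and does not run."""
    hdr = bytearray(0x40)
    hdr[0:4] = b"\x7fELF"
    hdr[4] = 2  # 64-bit
    hdr[5] = 1  # little-endian
    hdr[6] = 1  # EV_CURRENT
    struct.pack_into("<H", hdr, 0x10, 2)     # e_type ET_EXEC
    struct.pack_into("<H", hdr, 0x12, 62)    # e_machine EM_X86_64
    struct.pack_into("<H", hdr, 0x34, 0x40)  # e_ehsize
    struct.pack_into("<H", hdr, 0x36, 0x38)  # e_phentsize
    struct.pack_into("<H", hdr, 0x38, 2)     # e_phnum
    # e_shoff / e_shentsize / e_shnum stay zero: no section headers
    body = magic + b"\x00" * 0x20 + UPX_BANNER + b"\x00" * 0x40
    trailer = magic + b"\x00" * 28
    return bytes(hdr) + body + trailer


if __name__ == "__main__":
    sample = demo_sample(b"ABC!")
    print(upx_triage(sample))
    print(upx_triage(restore_upx_magic(sample, b"ABC!")))
```

On a real sample, find the replacement magic by looking at the four bytes immediately before the version/format bytes at the very end of the file and right after the program headers; both copies have to be restored, and if `upx -d` still reports a checksum error the second modification the page mentions is in play.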
0x5: Trojan client distribution
1. Build the ELF malware with a customized builder
1) C2 domain and port are configurable
2) The communication key is configurable
2. Start an HTTP File Server (HFS) that hosts the previously built malicious binaries
1) The HFS server serves the malware for download
Relevant Link:
https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/KalnaiHorejsi-VB2015.pdf
http://www.digitaltrends.com/computing/mrblack-malware-botnet/
http://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
https://www.threatcrowd.org/malware.php?md5=08efb1ffc680abc242f40a0ad72906ba
https://www.virustotal.com/en/file/7b5c0ef6d9d38466dedea7ae07b363d5849580f6d0615cf47804f942d1d2034a/analysis/
2. Module breakdown
3. Communication protocol
The monitor below (a Twisted Protocol posing as a bot) decodes what the C2 sends: a one-byte keepalive, or a DDoS task that starts with opcode 0x06, is longer than 500 bytes and carries the attack type at offset 0x108. extractIPS() and eventReporter belong to the rest of the monitor script and are not reproduced on this page.

import socket
import struct

from twisted.internet import protocol


class MrBlackMonitor(protocol.Protocol):
    """Fake bot: connects to the C2 and records the commands it receives."""

    # attack-type byte at offset 0x108 of a DDoS task
    ATTACK_TYPES = {1: 'TCP SYN', 2: 'UDP', 3: 'ICMP', 4: 'DNS', 5: 'CC'}

    def dataReceived(self, data):
        print("Server said:", data.hex())
        dataLen = len(data)
        if dataLen == 1:
            # one-byte keepalive
            print("HEART")
        elif dataLen > 500 and data[0] == 0x06:
            # DDoS task
            attack_code = data[0x108]
            ipList = self.extractIPS(data, attack_code)
            attackType = self.ATTACK_TYPES.get(attack_code,
                                               'UNKNOWN(0x%02x)' % attack_code)
            # save attack info
            for ip in ipList:
                # extractIPS() yields (ip_as_uint32, port); the integer was
                # unpacked little-endian, so re-packing it little-endian gives
                # back the wire-order bytes that inet_ntoa expects
                target_ip = socket.inet_ntoa(struct.pack('<I', ip[0]))
                target_url = ""  # CC target URL is not decoded here
                target_port = str(ip[1])
                target_attack_type = attackType
                print({'ip': target_ip, 'url': target_url,
                       'port': target_port, 'type': target_attack_type})
                eventReporter.saveAttackEvent(server=self.server, cmd='DDOS',
                                              cmd_desc=target_attack_type,
                                              victim_ip=target_ip,
                                              victim_port=target_port,
                                              victim_url=target_url)
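As an added example (my code, not the author's monitor), here are both sides of the exchange the monitor above distinguishes: an encoder that produces a task the way the C2 would, and a decoder that classifies a received message as the 1-byte keepalive, a 0x06 DDoS task with the attack-type byte at 0x108, or something else. The page does not give the layout of the target list, so the count byte at 0x109, the 6-byte IPv4-plus-port records from 0x10a onward and the 0x200-byte task size are assumptions made for this example; the bytes between 0x01 and 0x107 are left opaque.

```python
import socket
import struct

# Attack-type byte at offset 0x108 of a DDoS task, as decoded by the monitor above.
ATTACK_TYPES = {1: "TCP SYN", 2: "UDP", 3: "ICMP", 4: "DNS", 5: "CC"}

CMD_DDOS = 0x06
TASK_SIZE = 0x200      # > 500 bytes, so it passes the monitor's length check (assumed)
TYPE_OFF = 0x108       # attack type (from the monitor)
COUNT_OFF = 0x109      # number of targets (assumed for this example)
TARGETS_OFF = 0x10a    # records: 4-byte IPv4 in wire order + uint16 LE port (assumed)
RECORD = struct.Struct("<4sH")
MAX_TARGETS = (TASK_SIZE - TARGETS_OFF) // RECORD.size


def build_ddos_task(attack_code, targets):
    """Encode a DDoS task as the C2 would send it (layout partly assumed)."""
    if attack_code not in ATTACK_TYPES:
        raise ValueError("unknown attack type %r" % attack_code)
    if len(targets) > MAX_TARGETS:
        raise ValueError("at most %d targets fit in one task" % MAX_TARGETS)
    buf = bytearray(TASK_SIZE)
    buf[0] = CMD_DDOS
    buf[TYPE_OFF] = attack_code
    buf[COUNT_OFF] = len(targets)
    off = TARGETS_OFF
    for ip, port in targets:
        RECORD.pack_into(buf, off, socket.inet_aton(ip), port)
        off += RECORD.size
    return bytes(buf)


def parse_c2_message(data):
    """Classify one message from the C2: keepalive, DDoS task, or other.

    A malformed count byte is clamped to what actually fits in the message so
    a hostile or truncated task cannot make the decoder read past the buffer.
    """
    if len(data) == 1:
        return {"kind": "HEART"}
    if len(data) > 500 and data[0] == CMD_DDOS:
        code = data[TYPE_OFF]
        count = min(data[COUNT_OFF], (len(data) - TARGETS_OFF) // RECORD.size)
        targets = []
        for i in range(count):
            raw_ip, port = RECORD.unpack_from(data, TARGETS_OFF + i * RECORD.size)
            targets.append((socket.inet_ntoa(raw_ip), port))
        return {"kind": "DDOS",
                "attack_code": code,
                "attack_type": ATTACK_TYPES.get(code, "UNKNOWN(0x%02x)" % code),
                "targets": targets}
    return {"kind": "UNKNOWN", "length": len(data),
            "opcode": data[0] if data else None}


if __name__ == "__main__":
    # constructed exchange: keepalive, then a SYN flood task against two
    # documentation-range addresses (not real victims)
    print(parse_c2_message(b"\x00"))
    task = build_ddos_task(1, [("192.0.2.10", 80), ("198.51.100.7", 443)])
    print(parse_c2_message(task))
```

Running the decoder over a real capture is the quickest way to check the assumed target-list layout: if the parsed addresses do not match what the bot actually attacks, the record format is different and only the opcode, length and 0x108 fields above should be trusted.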
4. Trojan cleanup