
Linux.BackDoor.MrBlack Attack And Defense Analysis

2016-02-22 10:46  871 views
catalogue

1. Malware overview
2. Module breakdown
3. Communication protocol
4. Trojan removal


1. Malware overview

0x1: Supported attack methods

1. DNS_Flood
2. SYN_Flood
3. UDP_Flood
4. UDPS_Flood
5. TCP_Flood (floods a specified IP)
6. CC_Flood (requests a specified URL)
7. CC2_Flood
8. CC3_Flood
..


0x2: Client architectures supported

1. EM_386
2. EM_x86_64
3. EM_MIPS
4. EM_ARM
5. PE x86
//Written mostly in C/C++
//Debug info often not stripped


0x3: Persistence

1. Killing competing resource consuming processes
2. Registers itself as a service / autostart entry
1) /etc/init.d/: startup scripts copied here
2) /etc/cron.<S>: <S> from { hourly, daily, weekly, monthly }
3) A service can be added to /etc/crontab
4) /etc/rc<N>.d/: Symbolic links to startup scripts; <N> is a runlevel indicator (Halt 0; Single-user 1; Multi-user 2-5; Reboot 6)
5) Alternatively, path can be added to /etc/rc.local


0x4: Anti-analysis

1. In plain form or packed with UPX
2. UPX sometimes modified to avoid unpacking by the original UPX tool
1) Modified magic value
2) Checksums do not match
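Before spending time on a sample, the first triage question is whether the stock UPX tool will unpack it, or whether the packer stub was patched so that it will not. The script below is an added example written for this post, not code from the original article or from the referenced analyses. It assumes (from the UPX file layout, which the page does not spell out) that a stock UPX-packed ELF carries the "UPX!" magic twice, in the l_info header near the start and in the trailing PackHeader, plus the stub's "$Info: This file is packed with the UPX executable packer" string; the sample images, the "XXX!" patched magic and the 7.0 entropy threshold are constructed for the demonstration.

```python
import math
import os

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"                      # l_info magic near the start and PackHeader magic at the end
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"   # string left by the stub


def shannon_entropy(blob):
    """Bits per byte; compressed or encrypted data sits close to 8, code and text well below."""
    if not blob:
        return 0.0
    n = len(blob)
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_triage(blob):
    """Heuristic triage of an ELF image by the UPX traces it carries (an indicator, not a verdict)."""
    if blob[:4] != ELF_MAGIC:
        return "not-elf"
    magics = [i for i in range(len(blob) - 3) if blob.startswith(UPX_MAGIC, i)]
    has_info = UPX_INFO in blob
    if has_info and len(magics) >= 2:
        return "upx-stock"          # both magics plus the stub string: 'upx -d' should work
    if has_info or magics:
        return "upx-modified"       # stub string or magic present, but not the stock combination
    if shannon_entropy(blob[64:]) > 7.0:
        return "packed-unknown"     # no UPX traces, but the body looks compressed (threshold is an assumption)
    return "not-packed"


def sample_image(kind):
    """Constructed toy images (test data, not real samples); 'XXX!' stands in for a patched magic."""
    body = os.urandom(4096)         # stands in for the compressed payload
    if kind == "stock":
        return ELF_MAGIC + bytes(64) + UPX_MAGIC + body + UPX_INFO + bytes(8) + UPX_MAGIC + bytes(32)
    if kind == "modified":
        return ELF_MAGIC + bytes(64) + b"XXX!" + body + UPX_INFO + bytes(8) + b"XXX!" + bytes(32)
    if kind == "stripped":
        return ELF_MAGIC + bytes(64) + body
    if kind == "plain":
        return ELF_MAGIC + bytes(64) + b"Hello, world\n" * 300
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("stock", "modified", "stripped", "plain"):
        img = sample_image(kind)
        print("%-9s entropy=%.2f verdict=%s" % (kind, shannon_entropy(img[64:]), upx_triage(img)))
```

A "upx-modified" verdict is the cue to compare the bytes at the magic offsets against "UPX!" by hand before retrying the unpacker; "packed-unknown" means the strings are gone and the body should be looked at in a debugger or memory dump instead.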


0x5: Trojan client distribution

1. build ELF malware using a customized builder
1) C2 domain and port are configurable
2) Communication key is configurable

2. start an HTTP File Server (HFS) to host the previously built malicious binaries
1) The HFS server is set up to serve the malware for download


Relevant Link:

https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/KalnaiHorejsi-VB2015.pdf
http://www.digitaltrends.com/computing/mrblack-malware-botnet/
http://blog.malwaremustdie.org/2015/09/mmd-0042-2015-hunting-mr-black-ids-via.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483
https://www.threatcrowd.org/malware.php?md5=08efb1ffc680abc242f40a0ad72906ba
https://www.virustotal.com/en/file/7b5c0ef6d9d38466dedea7ae07b363d5849580f6d0615cf47804f942d1d2034a/analysis/


2. Module breakdown
3. Communication protocol

# Fragment of a Twisted protocol that emulates a bot and logs what the C2 sends it
# (Python 2: print statements, str.encode('hex')). self.extractIPS, self.server and
# eventReporter belong to the surrounding emulator code, which is not shown here.
import socket
import struct

def dataReceived(self, data):
    print "Server said:", data.encode('hex')
    dataLen = len(data)
    if dataLen == 1:                                 # HEART: one-byte keepalive
        print "HEART"
    elif dataLen > 500 and data[0] == '\x06':        # DDOS: task message, attack selector at offset 0x108
        ipList = self.extractIPS(data, data[0x108])
        if data[0x108] == '\x01':
            attackType = 'TCP SYN'
        elif data[0x108] == '\x02':
            attackType = 'UDP'
        elif data[0x108] == '\x03':
            attackType = 'ICMP'
        elif data[0x108] == '\x04':
            attackType = 'DNS'
        elif data[0x108] == '\x05':
            attackType = 'CC'
        else:
            attackType = 'UNKNOWN'                    # an unrecognised selector must not raise NameError below
        # save attack info: one event per target in the task
        for ip in ipList:
            target_ip = socket.inet_ntoa(struct.pack('I', socket.htonl(ip[0]))[::-1])
            target_url = ""
            target_port = str(ip[1])
            target_attack_type = attackType
            print {target_ip, target_url, target_port, target_attack_type}
            eventReporter.saveAttackEvent(server=self.server, cmd='DDOS', cmd_desc=target_attack_type,
                                          victim_ip=target_ip, victim_port=target_port, victim_url=target_url)
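To make the dispatch rules of that fragment testable on their own, here is a Python 3 rewrite of just the message classification, written as an added example for this post (it is not the emulator's code). It uses only the layout visible in the fragment: a one-byte heartbeat, a task message longer than 500 bytes starting with 0x06, and the attack selector at offset 0x108. The target-list layout that extractIPS parses is not described on the page, so it is not reproduced; the sample task message is constructed and zero-filled everywhere except those two bytes. render_target_ip is the portable equivalent of the page's inet_ntoa(pack('I', htonl(ip))[::-1]) expression.

```python
import socket
import struct

# Layout visible in the emulator fragment above
DDOS_HEADER = 0x06          # first byte of a task message
ATTACK_TYPE_OFFSET = 0x108  # one-byte attack selector
ATTACK_TYPES = {0x01: "TCP SYN", 0x02: "UDP", 0x03: "ICMP", 0x04: "DNS", 0x05: "CC"}


def classify_c2_message(data):
    """Classify one C2 message (bytes) the way dataReceived() above dispatches on it."""
    if len(data) == 1:
        return {"kind": "HEART"}
    if len(data) > 500 and data[0] == DDOS_HEADER:
        selector = data[ATTACK_TYPE_OFFSET]
        return {"kind": "DDOS",
                "attack_type": ATTACK_TYPES.get(selector, "unknown(0x%02x)" % selector)}
    return {"kind": "UNKNOWN", "length": len(data)}


def render_target_ip(ip_word):
    """Equivalent of inet_ntoa(pack('I', htonl(ip))[::-1]) on both little- and big-endian
    hosts: the 32-bit value is rendered as a little-endian dotted quad."""
    return socket.inet_ntoa(struct.pack("<I", ip_word))


def build_task_message(selector, length=600):
    """Constructed sample task message (test data, not captured traffic); everything between
    the header and the selector is zero-filled because the page does not describe those bytes."""
    msg = bytearray(length)
    msg[0] = DDOS_HEADER
    msg[ATTACK_TYPE_OFFSET] = selector
    return bytes(msg)


if __name__ == "__main__":
    for sample in (b"\x00", build_task_message(0x02), build_task_message(0x09), b"\x06" * 10):
        print(len(sample), classify_c2_message(sample))
    print(render_target_ip(0x0100007f))   # 127.0.0.1
```

Keeping the selector table in one place also makes it obvious when a captured task carries a value outside 1-5, which in the original fragment would have raised a NameError instead of being logged.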


4. Trojan removal
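Cleanup starts with an inventory of the autostart locations listed in section 0x3 (/etc/init.d, /etc/cron.{hourly,daily,weekly,monthly}, /etc/crontab, /etc/rc<N>.d and /etc/rc.local). The audit script below is an added example for this post, not code from the original article. It walks those locations under a root directory you choose, so it can be pointed at a mounted disk image as well as a live system, and flags entries that execute from a temp or hidden directory or rc<N>.d links that do not point into /etc/init.d; that heuristic and the throwaway demo tree (with two planted entries) are my own construction, not indicators taken from the page.

```python
import os
import re
import sys
import tempfile

# Autostart locations named in section 0x3, relative to the root being audited
STARTUP_DIRS = ["etc/init.d"] + ["etc/cron.%s" % s for s in ("hourly", "daily", "weekly", "monthly")]
RCN_DIRS = ["etc/rc%d.d" % n for n in range(7)]          # runlevels 0-6
STARTUP_FILES = ["etc/crontab", "etc/rc.local"]

# Heuristic (my assumption, not from the page): legitimate startup entries rarely execute
# anything from a temp directory or from a hidden (dot) directory.
SUSPICIOUS = re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+/")


def _command_lines(path):
    """Yield the non-empty, non-comment lines of a script or crontab (shebangs count as comments)."""
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    yield line
    except OSError:
        return


def collect_entries(root):
    """Enumerate every autostart entry under root as (kind, location, entry) tuples."""
    entries = []
    for d in STARTUP_DIRS:
        full = os.path.join(root, d)
        for name in sorted(os.listdir(full)) if os.path.isdir(full) else []:
            for line in _command_lines(os.path.join(full, name)):
                entries.append(("script", "/%s/%s" % (d, name), line))
    for d in RCN_DIRS:
        full = os.path.join(root, d)
        for name in sorted(os.listdir(full)) if os.path.isdir(full) else []:
            p = os.path.join(full, name)
            target = os.readlink(p) if os.path.islink(p) else "(regular file, not a symlink)"
            entries.append(("rclink", "/%s/%s" % (d, name), target))
    for f in STARTUP_FILES:
        for line in _command_lines(os.path.join(root, f)):
            entries.append(("script", "/" + f, line))
    return entries


def find_suspicious(root):
    """Return (location, entry, reason) for entries worth a manual look."""
    findings = []
    for kind, location, entry in collect_entries(root):
        if SUSPICIOUS.search(entry):
            findings.append((location, entry, "executes from a temp or hidden directory"))
        elif kind == "rclink" and "init.d/" not in entry:
            findings.append((location, entry, "rcN.d entry does not link into /etc/init.d"))
        elif os.path.basename(location).startswith("."):
            findings.append((location, entry, "hidden file in a startup directory"))
    return findings


def build_demo_tree():
    """Constructed sample tree (not a real infection): three planted entries among benign ones."""
    root = tempfile.mkdtemp(prefix="autostart_audit_")
    for d in STARTUP_DIRS + RCN_DIRS:
        os.makedirs(os.path.join(root, d))

    def put(rel, text):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

    put("etc/init.d/sshd", "#!/bin/sh\n/usr/sbin/sshd\n")
    put("etc/init.d/udev", "#!/bin/sh\n/sbin/udevd --daemon\n")
    put("etc/cron.hourly/logrotate", "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n")
    put("etc/cron.daily/.svc", "#!/bin/sh\n/tmp/.x/svc\n")                                   # planted
    put("etc/crontab", "# m h dom mon dow user command\n*/5 * * * * root /dev/shm/.k/run\n")  # planted
    put("etc/rc.local", "#!/bin/sh -e\nexit 0\n")
    os.symlink("../init.d/sshd", os.path.join(root, "etc/rc3.d/S20sshd"))
    os.symlink("/tmp/.x/svc", os.path.join(root, "etc/rc3.d/S99svc"))                        # planted
    return root


if __name__ == "__main__":
    audit_root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for location, entry, reason in find_suspicious(audit_root):
        print("%-26s %-42s %s" % (location, entry, reason))
```

Run it as `python3 audit.py /` on the host, or `python3 audit.py /mnt/image` against a mounted copy of the disk; with no argument it audits the constructed demo tree. Every flagged entry should be traced to the binary it launches and that binary checked (with the triage from section 0x4) before the entry is removed, since the bot re-creates entries that are deleted while it is still running.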
Copyright (c) 2016 LittleHann All rights reserved