
The attacker's information

We did not release the source information of the attacker before since we wanted to be sure about the source IP.

Now we are sure and have some evidence about this, hence a disclosure: The attacker was coming from China network IP: And then we know that the malware is trying to connect back to that China IP: Later on, we suggest this attack is highly suspected to have originated from China, by Chinese actor(s) for whatever malicious purpose they are after, and I think you should know about this case too.

The URL used to download the malware is as masked below: For me it's likely not a coincidence, as in hack cases, to see a root directory of a web service under the unusual port number 81 and serving a malicious set of tools.

Thanks to the good setting of the "trap", we got all installation attempts recorded, as I remade in the following video, and additionally, samples! The attacker tried to download xx32 and failed at the beginning of the session, continued by downloading xx64, a 64-bit architecture binary, which he did not successfully run (smile), and he tried to download the xx32 binary afterwards, which also failed to start (no comment about this).

So we have the two new binaries, downloaded with the generosity of the attacker, and they were uploaded to VirusTotal as per the links below: E5f DrWeb Linux. H Ikarus DoS. Elknot Kaspersky Backdoor. E61 Microsoft DoS: E

For further details, I share my analysis in the sections to come.

What this binary "doesn't have" is actually very important for further analysis, like the below data: No dynamic section in this file. No section groups in this file. No relocations in this file. No unwind sections in this file. No version information found in this file.

I noticed that at the offset 0xd4 with length 0x it contains the below data. Seeking further, I found the compilation environment used: But to be sure, it's nice to trail it down in reversing mode, by any tools. Right about doing it, I got the advice that it would also be nice to make a reversing video for others to learn, so I chose IDA for this purpose because it is "animated" and comprehensive: In the file listed above there is the main.

You can see the video below, but note: Please feel free to do it yourself to get your preferred result and focus: By the way, the hard coded IP address is the same IP where this malware was downloaded, the Then we see this malware is daemonized, listening to the socket, and looping to continue the connect operation is detected. And also reading and writing an INI file, which the malcoder called "fake config" for some reason. We can see some aggressive calls to perform the "attack" by allocating a form of data from the buffer in there.

Also to be seen is the function to encode the data, which suggests the CNC communication is in encrypted mode; as shown in the video, the xor key used can be "utilised" to decrypt it, though I had no chance to try it yet. Last one, the usage of some functions in libnss suggests the pairing in encryption, and so on. Additionally you'll see many interesting detailed functions were used too.

These functions were made in such detail to run the binary standalone. It is indeed interesting! So I attempted further debugging and made another video. Never did this before.

Behavior and Network Analysis

As you see in the above sections, we know how the binary is formed and have a summary of the malicious operations observed in reversing, so now how does it actually work?

Shortly, I dared myself to make a video of the behavior analysis I tested too: Maybe you cannot see it well in the flash where I debug and run this, so let me explain as follows: The host information was grabbed by the system call "uname" together with the networking information (hosts, resolve). In debug code it is as per below:

Moral of the story

Linux reversing is actually fun; open source provides many good tools to disassemble and debug any executables or libraries, so do not hesitate to do it by yourself!

See the advice: I wrote some tuning tips for sshd in the video above. The last point is, block You won't need to access these IPs anyway: And that IP address is hard coded in the binary!

Semper legerent Salve Regina ante venatione malware.


The captured binary is a backdoor program with the capability of launching denial of service attacks. It is designed to run on Linux systems. The attacker needs root access to install the backdoor on a compromised machine. Once the binary is installed, the attacker uses a special backdoor client program to establish a connection to the system and execute commands. An interesting feature of the backdoor program is its use as a distributed denial of service (DDoS) tool.

When the backdoor receives a command from the attacker containing the victim's IP address (or hostname), it starts a DoS attack against it. The DoS packet engine is very flexible and allows for many different kinds of attacks: With enough machines under the attacker's control, she can successfully impact major Internet sites, as evidenced by the events in February

When the binary is started, it detaches itself from the controlling tty and becomes a background process.

It overwrites its argv[0] with the string "[mingetty]", which is the default name of the login process on RedHat systems.

Then it opens a raw socket and waits for command packets from the backdoor client. The communication channel between the backdoor and the client is rather ingenious. It is perhaps the most interesting part of this tool. The backdoor uses a unique approach to conceal the identity of the attacker who controls it. The client communicates with the backdoor via IP packets with the protocol field set to 0x0B 0x11 , which is an unassigned protocol number. These IP packets are very similar to UDP datagrams, in that they don't offer reliability and retransmission but can be easily spoofed.

All the packets sent from the client to the backdoor are spoofed, making it almost impossible to trace them back to their real source.

The only way to track down the attacker is to trace the replies from the backdoor to the client. How does the backdoor know where to send the replies to? When the attacker wishes to communicate with the backdoor she sends an init command containing 10 IP addresses, encoded with a proprietary XOR-strength encryption algorithm.

The source of the packet with the init command can be spoofed because the backdoor only uses the IP addresses inside the packet payload. Upon receiving the init command, the backdoor stores the client IP addresses. All replies are sent to all 10 client IP addresses. Only one of them needs to be the real IP address of the attacker. Looking at traffic generated by the backdoor, it's impossible to tell which address is the real one. If a system administrator or the authorities decide to go through the logs and track down the attacker, they will get 10 possible addresses, 9 of which are completely unrelated to the incident.

Many of the backdoor DDoS commands don't even send back replies and can be triggered with only one spoofed packet. There are 11 different commands that the backdoor can execute.

Each of them has a number of parameters. Here is a list of all commands and their descriptions:

The init command initializes the backdoor address list. If type is 0, only one IP address has to be specified in the ip parameter. All replies from the backdoor are sent to this IP address. If type is 1, the replies will be sent to this address and 9 other random addresses. If type is 2, the attacker specifies 10 IP addresses and the replies are sent to all of them.

The status command causes the backdoor to send a reply packet with the type of the currently running DoS or shell process. Only one such process can be started at a time and it should be killed with the kill command when it is no longer needed. If no process is running, status returns 0 (idle).

The kill command kills the currently running shell or DoS process.

The shell command in the cmd is executed by the backdoor. Its stdout and stderr are discarded. No reply is sent. Its stdin and stderr are captured and the output is sent to the client as reply packets.

The attacker can use telnet or netcat to connect to this port. The first line sent to must match the backdoor password, otherwise the connection is terminated. The password in the binary captured by the honeynet project is "SeNiF". To kill the shell process, use the kill command.

Launches a UDP flood attack. The backdoor forks a new process which sends the packets. To stop the attack, use the kill command to kill this process (the same applies to all DoS attacks available in the backdoor). The victim can be specified with the dst or hostname parameters. If a hostname is used it is resolved again after every packets have been sent, in case the DNS record of the victim has changed. The source of the packets can be spoofed with the src parameter.

A variation of this attack is the ICMP smurf attack. If the attacker sends spoofed ICMP echo requests to the broadcast address of a vulnerable network, all hosts on the network will send their responses to the victim. The entire network will act as a traffic amplifier for the attack. This kind of attack was first reported by Edward Henigin in It is possible to use the backdoor as a tool for an ICMP smurf attack, but we'll have to use the IP address of the victim, because the author of the backdoor did not include support for resolving the source IP address of the packet.

Launches a SYN flood attack. A good description of the SYN flood attack is the Phrack 48 article by route. The victim is specified with the dst or the hostname parameters.

The source ip address can be specified with src or left empty, in which case a random address is generated for each packet. It should be an open TCP port on the victim's system. If the parameter is not specified, the process sleeps after each packet.

Launches a DNS query flood attack. Sends DNS queries for top-level domains. Useful for bringing DNS servers down. The victim is specified with the dst or hostname parameters. The source IP address of the queries can be given in src or a random address will be generated for each packet.

Launches a DNS smurf attack using publicly accessible nameservers as traffic amplifiers.

The backdoor binary contains a hardcoded list of more than DNS servers. The backdoor forks a process which continuously sends DNS requests for top-level domains.

The address is resolved again after packets are sent, in case the DNS record of the victim has been changed. All DNS servers will send their replies to the victim's IP address, causing a denial of service. If it is not specified, the process sleeps after each packet.

All the packets between the client and the backdoor are sent as IP packets with protocol number 0x0B. They have the following format: Packets that contain commands from the client to the backdoor have a packet type of 2.

After decoding the packet data, the backdoor looks at the byte at offset 23 in the IP packet. It contains a number, identifying the backdoor command. Each command has a variable number of parameters which are stored at offset Packets sent from the backdoor to the client have a packet type of 3. The reply type is stored at offset The replies to the status command have a reply type of 1.

If the byte at offset 25 is 0 then the backdoor does not have a shell or DoS process running. Otherwise the byte at offset 26 contains the command id of the command that forked the child process. It is sent as a null terminated string, starting at offset A decoder for the backdoor communication protocol is available: It uses libpcap and can sniff traffic in realtime or read tcpdump files.

Running it on snort.

There are two approaches an attacker can take to hide her traffic. She can try to mimic existing traffic as closely as possible, or she can try to make her packets stand out so much that nobody notices. Both approaches have advantages and disadvantages. The author of this backdoor used an unused IP protocol number, relying on the fact that most firewalls and IDSes have an "accept by default" policy. Snort rule to detect traffic with an unknown IP protocol: Of course this doesn't help much, since there are lots of other ways to sneak traffic past a firewall or an IDS.
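The two traits described above, traffic on an unexpected IP protocol number and every reply being copied to 10 addresses, can be checked together in one pass over captured packets. The following is an added example, not code from the original analysis or its decoder; the protocol allowlist, the function names and the sample packets (documentation address ranges, opaque payloads) are assumptions made for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

BACKDOOR_PROTO = 0x0B        # protocol number the page gives for the backdoor channel
ALLOWED_PROTOS = {1, 6, 17}  # assumption: local policy expects only ICMP, TCP and UDP
REPLY_FANOUT = 10            # the page: every reply goes to all 10 stored client addresses

def build_ipv4(src, dst, proto, payload):
    """Build a constructed IPv4 packet for the sample (header checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload

def parse_ipv4(raw):
    """Return (src, dst, proto, payload), or None for anything that is not sane IPv4."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        return None
    return (str(IPv4Address(raw[12:16])), str(IPv4Address(raw[16:20])), raw[9], raw[ihl:])

def analyze(packets):
    """Flag packets outside the protocol allowlist and hosts showing the reply fan-out."""
    unexpected, fanout = [], defaultdict(set)
    for raw in packets:
        parsed = parse_ipv4(raw)
        if parsed is None:
            continue
        src, dst, proto, payload = parsed
        if proto not in ALLOWED_PROTOS:
            unexpected.append((src, dst, proto))
        if proto == BACKDOOR_PROTO:
            fanout[(src, payload)].add(dst)   # identical payload, many destinations
    suspects = sorted({src for (src, _), dsts in fanout.items()
                       if len(dsts) >= REPLY_FANOUT})
    return unexpected, suspects

def sample_packets():
    """Constructed traffic using documentation address ranges, not a real capture."""
    pkts = [build_ipv4("192.0.2.10", f"198.51.100.{i}", BACKDOOR_PROTO, b"constructed-reply")
            for i in range(1, 11)]                      # one reply fanned out to 10 hosts
    pkts.append(build_ipv4("203.0.113.5", "192.0.2.20", BACKDOOR_PROTO, b"constructed-cmd"))
    pkts.append(build_ipv4("192.0.2.30", "198.51.100.1", 6, b"tcp segment"))
    pkts.append(b"\x60" + b"\x00" * 39)                 # not IPv4, skipped by the parser
    return pkts

if __name__ == "__main__":
    unexpected, suspects = analyze(sample_packets())
    print(len(unexpected), "packets outside allowlist; suspected hosts:", suspects)
```

The fan-out check points at the compromised host rather than the attacker: as the text explains, the 10 destinations cannot be told apart from the traffic alone.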

The author of the binary has tried to make it harder to analyze it by compiling it statically. This makes it impossible to tell which library functions are used with simple tools like objdump -t, but it doesn't stop more advanced tools like IDA and Fenris.

For more information on using IDA see the analysis section.