A light-weight SYN DoS tool, made in China was found, it called itself "Bangsyn".
Without command line arguement it will display the "help", this is why I call it Linux/Bangsyn
(thx to @benkow for the panel hint) As you can see the size is small.
It is fed by args for domain or IP which is translated by itself and call the DoS SYN function upon conditions are okay:
The virus total detection is, well, is a new malware anyway, is..zero
https://www.virustotal.com/en/file/70be ... 412840932/
Easy detection and ID is using below strings:
Without command line arguement it will display the "help", this is why I call it Linux/Bangsyn
Code: Select all
The source code also implied the same name:
mov rax, [rbp+var_70]
mov rdx, [rax]
mov eax, offset format ;<=== "syntax: ./bangsyn ip port time \n"
mov rsi, rdx
mov rdi, rax ; format
mov eax, 0
call _printf
mov edi, 0 ; status
call _exit
Code: Select all
This GLIBC_2.2.5 built (On Redhat GCC compiler) x64 binary was found in a
custom panel together with the Linux/BillGates samples:0x0027B1 bangsyn.c
(thx to @benkow for the panel hint) As you can see the size is small.
It is fed by args for domain or IP which is translated by itself and call the DoS SYN function upon conditions are okay:
Code: Select all
The function to SYN flood is "dosynpacket()" is self-explanatory.//// Prep the host to nuke..
0x0400FBD push rbp
0x0400FBE mov rbp, rsp
0x0400FC1 sub rsp, 20h
0x0400FC5 mov [rbp+name], rdi // host
0x0400FC9 mov rax, [rbp+name]
0x0400FCD mov rdi, rax // cp
0x0400FD0 call _inet_addr // struct in_addr inet_makeaddr(int net, int host);
0x0400FD5 mov cs:i_4841, eax
0x0400FDB mov eax, cs:i_4841
0x0400FE1 cmp eax, 0FFFFF
(...)
0x0400FE6 mov rax, [rbp+name]
0x0400FEA mov rdi, rax // name
0x0400FED call _gethostbynam // the domain lookup using OS layer
//// Confirming the target, time & packet sent
0x0400B57 mov edi, offset s // ref: "\nsantong syn: " (in chinese)
0x0400B5C call _puts
0x0400B61 mov rax, [rbp+var_70]
0x0400B65 add rax, 8
0x0400B69 mov rdx, [rax]
0x0400B6C mov eax, offset aIpS //<==="IP: %s\n"
0x0400B71 mov rsi, rdx
0x0400B74 mov rdi, rax // format buffer
0x0400B77 mov eax, 0
0x0400B7C call _printf
0x0400B81 movzx edx, [rbp+var_28]
0x0400B85 mov eax, offset aPortU // <=== "Port: %u\n"
0x0400B8A mov esi, edx
0x0400B8C mov rdi, rax // format buffer
0x0400B8F mov eax, 0
0x0400B94 call _printf
0x0400B99 mov eax, offset aSecondsD // <=="Seconds: %d\n\n"
0x0400B9E mov edx, [rbp+var_24]
0x0400BA1 mov esi, edx
0x0400BA3 mov rdi, rax // format buffer
0x0400BA6 mov eax, 0
0x0400BAB call _printf
(...)
0x0400CBC call dosynpacket // <===The SYN DOS is called here..
(...)
0x0400D0F mov eax, offset aPacketsSentD // "\nPackets Sent: %d \n"
The virus total detection is, well, is a new malware anyway, is..zero
https://www.virustotal.com/en/file/70be ... 412840932/
Easy detection and ID is using below strings:
Code: Select all
0x001178 syntax: ./bangsyn ip port time
0x00119A santong syn:
0x0011A8 IP: %s
0x0011B0 Port: %u
0x0011BA Seconds: %d
0x0011C8 %d.%d.%d.%d
0x0011D5 Packets Sent: %d
0x0011E8 socket
0x0011EF cant find %s!
0x0027B1 bangsyn.c
Attachments
7z/infected
(3.58 KiB) Downloaded 73 times
(3.58 KiB) Downloaded 73 times