Linux/dtool

#26845 by unixfreaxjp
Tue Sep 29, 2015 8:17 pm

Just another IRC bot, used by skids. Found in some infected routers. in MIPS

Source:

CNC: 192.121.166.179:6969 (a lame IRCd, in AS20860 Lomart, United Kingdom), seems the actors are the GayFagotties malware skiddies *ewwl*
VT detection is zero now, but not anymore after this

https://www.virustotal.com/en/file/b320 ... /analysis/
sample found by @TechHelpList (thx!)

I guess no one has the sigs yet (VT=0), therefore I post here to help. Below the extracted strings.
For specific one that can be used as sig see above VT comment.

Code: Select all

.rodata:0x0408C90 C HTTPFLOOD
.rodata:0x0408C9C C TCPFLOOD 
.rodata:0x0408CA8 C UDPFLOOD 
.rodata:0x0408CB4 C AUTH 
.rodata:0x0408CBC C RAW
.rodata:0x0408CC0 C EXEC 
.rodata:0x0408CC8 C CHSERVER 
.rodata:0x0408CD4 C STOP 
.rodata:0x0408CDC C RESTART
.rodata:0x0408CE4 C QUIT 
.rodata:0x0408CEC C LOGOUT 
.rodata:0x0408CF4 C Invalid number of arguments: %d\n
.rodata:0x0408D18 C 192.121.166.179
.rodata:0x0408D28 C #boat
.rodata:0x0408D34 C Hostname: %s\n 
.rodata:0x0408D44 C dtool
.rodata:0x0408D4C C 127.0.0.1
.rodata:0x0408D58 C socket() 
.rodata:0x0408D64 C Connecting to %s:%u.\n 
.rodata:0x0408D7C C connect()
.rodata:0x0408D88 C PASS %s
.rodata:0x0408D90 C NICK %s\nUSER %s 8 * :%s 
.rodata:0x0408DA8 C read() 
.rodata:0x0408DB8 C Restart failed: %s\n 
.rodata:0x0408DCC C JOIN %s %s 
.rodata:0x0408DD8 C NICK %s
.rodata:0x0408DE0 C PRIVMSG
.rodata:0x0408DE8 C NOTICE 
.rodata:0x0408DF0 C PING 
.rodata:0x0408DF8 C PONG :%s 
.rodata:0x0408E04 C PART 
.rodata:0x0408E0C C KICK 
.rodata:0x0408E14 C %s%s 
.rodata:0x0408E20 C PRIVMSG %s :[%s] %s
.rodata:0x0408E34 C Usage: HTTPFLOOD 
.rodata:0x0408E46 C host 
.rodata:0x0408E4D C port 
.rodata:0x0408E54 C file 
.rodata:0x0408E5B C size (in MB) 
.rodata:0x0408E6A C connections
.rodata:0x0408E78 C timeout (seconds)
.rodata:0x0408E8C C delay (milliseconds) 
.rodata:0x0408EA4 C ERROR; return code from pthread_create() is %d\n 
.rodata:0x0408ED4 C PRIVMSG %s :[%s] Erroneus return code from pthread_create() => %d
.rodata:0x0408F18 C PRIVMSG %s :[%s] {HTTPFLOOD} Started consuming data from host %s on port %d getting file %s (%s) 
.rodata:0x0408F7C C Usage: TCPFLOOD
.rodata:0x0408F8D C host 
.rodata:0x0408F94 C port 
.rodata:0x0408F9B C packetsize 
.rodata:0x0408FA8 C size (in MB) 
.rodata:0x0408FB7 C connections
.rodata:0x0408FC5 C timeout (seconds)
.rodata:0x0408FD9 C delay (milliseconds) 
.rodata:0x0408FF0 C PRIVMSG %s :[%s] {TCPFLOOD} Started sending tcp data to host %s on port %d (%s)
.rodata:0x0409040 C Usage: UDPFLOOD
.rodata:0x0409051 C host 
.rodata:0x0409058 C port 
.rodata:0x040905F C packetsize 
.rodata:0x040906C C size (in MB) 
.rodata:0x040907B C connections
.rodata:0x0409089 C delay (miliseconds)
.rodata:0x04090A0 C PRIVMSG %s :[%s] {UDPFLOOD} Started sending udp data to host %s on port %d (%s)
.rodata:0x04090F0 C Usage: RAW 
.rodata:0x04090FC C command
.rodata:0x0409108 C PRIVMSG %s :[%s] {RAW} Executing command: %s (%s)
.rodata:0x0409140 C PRIVMSG %s :[%s] {QUIT} %s (%s)
.rodata:0x0409160 C QUIT :%s 
.rodata:0x040916C C attack stoped
.rodata:0x040917C C no running attack
.rodata:0x0409190 C PRIVMSG %s :[%s] {STOP} Stop command -> %s (%s)
.rodata:0x04091C0 C PRIVMSG %s :[%s] {RESTART} (%s)
.rodata:0x04091E0 C Usage: EXEC
.rodata:0x04091ED C command
.rodata:0x04091F8 C PRIVMSG %s :[%s] {EXEC} Executing command: %s (%s) 
.rodata:0x040922C C %s 2>&1
.rodata:0x0409238 C PRIVMSG %s :[%s] Unable to execute command 
.rodata:0x0409264 C PRIVMSG %s :%s 
.rodata:0x0409274 C PRIVMSG %s :[%s] Error occured while closing the pipe
.rodata:0x04092AC C Usage: AUTH
.rodata:0x04092B9 C password 
.rodata:0x04092C8 C on 
.rodata:0x04092CC C PRIVMSG %s :[%s] {AUTH} User %s!%s@%s logged in
.rodata:0x04092FC C Usage: CHSERVER
.rodata:0x040930D C host 
.rodata:0x0409314 C port 
.rodata:0x040931B C channel
.rodata:0x0409325 C [channel key]
.rodata:0x0409335 C [server pass]
.rodata:0x0409344 C PRIVMSG %s :[%s] {CHSERVER} Changing server: %s:%s (%s)
.rodata:0x040937C C PRIVMSG %s :[%s] {AUTH} User %s!%s@%s logged out 
.rodata:0x04093B0 C GET %s HTTP/1.0\nHost: %s\n\n
.rodata:0x04093CC C PRIVMSG %s :[%s] Process finished => Total bytes read: %lld (%.2f MB), Total bytes sent: %lld (%.2f MB)
.rodata:0x0409434 C PRIVMSG %s :[%s] Total connections completed: %lu (%.2f%%), Total connections failed: %lu (%.2f%%) 
.rodata:0x04094B0 C write()
.rodata:0x04094B8 C Error connecting: %s\n 
.rodata:0x04094D0 C fcntl()
.rodata:0x04094D8 C Error in getsockopt() %d - %s\n
.rodata:0x04094F8 C Socket %d timed out after %d seconds\n 
.rodata:0x0409520 C Connection timeout for socket: %d %s\n 
.rodata:0x0409548 C Sent 
.rodata:0x0409550 C Read 
.rodata:0x0409558 C select() 
.rodata:0x0409564 C hostname -f
.rodata:0x0409570 C Unable to get hostname\n 
.rodata:0x0409588 C abcdefghijklmnopjrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 
.rodata:0x04095C8 C gethostbyname()
.rodata:0x04095D8 C PRIVMSG %s :[%s] %s: %ld MB, Average speed: %ld KB/s\n 
.rodata:0x0409610 C gettimeofday()

Nothing us is unusual. Protocol is plain and simple:

Code: Select all

HTTPFLOOD
TCPFLOOD
UDPFLOOD
AUTH
RAW
EXEC
CHSERVER
STOP
RESTART
QUIT
LOGOUT

It has the manual :mrgreen:

Code: Select all

(35): .rodata:0x0408E34 Usage: HTTPFLOOD
(46): .rodata:0x0408F7C Usage: TCPFLOOD
(55): .rodata:0x0409040 Usage: UDPFLOOD
(63): .rodata:0x04090F0 Usage: RAW
(72): .rodata:0x04091E0 Usage: EXEC
(79): .rodata:0x04092AC Usage: AUTH
(83): .rodata:0x04092FC Usage: CHSERVER

Really.. nothing special.. just follow the code, all in there to enjoy.
ps: this is shortcut to main to reverse..to save time in mipsel ep