5/20/2018 TA DDos Binary Bot IptabLes v6 US

1/15

1

Risk Factor - High

!"#$%&'()!"#$%&'* ,,-. /-#(

0&1 2345563.! !,7 "#$$

89549!5:

%&'()* +, ,#"-. /0121(34 5'6789(: ;8:&'()*()88'()* 1)? @8481':A B812 C5DE48'

5/20/2018 TA DDos Binary Bot IptabLes v6 US

2/15

2

=?@AB' C7 4'D E$# "A%F?GFH B'"-B#'D #I' G-J"B-J?(' #- ?#( GA(#-J'B(

=?@AB' K7 < L?G#?J -M !"#$%&'( ?NM'G#?-N "-(#'D B'"-B#( -M #I' I$GO( -N $ "A%F?G M-BAJ

5/20/2018 TA DDos Binary Bot IptabLes v6 US

3/15

3

=?@AB' P7 < #B$N(F$#'D B'"-B# -M !1#$%&'* ) !"#$%&'(

BA8 ()H8:

5/20/2018 TA DDos Binary Bot IptabLes v6 US

4/15

4

/J1:A8 @6778' NPKD S)b8:

5/20/2018 TA DDos Binary Bot IptabLes v6 US

5/15

5

=?@AB' R7 ;-D' (N?""'# -M $ D-SNF-$D'B D-SNF-$D?N@ $ B'J-#' !"#$%&%M?F'

BA8 /04!$*$H(78. 4A6Q) () V(*&'8 [. :6)

5/20/2018 TA DDos Binary Bot IptabLes v6 US

6/15

6

1

5/20/2018 TA DDos Binary Bot IptabLes v6 US

7/15

7

9,9,'fi',0Ah9,9,'fi',0Ah9,9,'fi',0Ah'exit',0Ah,0

=?@AB' Y7 ;F'$NA" A" (GB?"# '*'GA#'D %H #I' %?N$BH #- "B'L'N# JAF#?"F' ?NM'G#?-N

V(*&'8 d 4A6Q4 1 4:8)1'(6 QA8'8 2&7=! _876Q (4 1 )8

5/20/2018 TA DDos Binary Bot IptabLes v6 US

8/15

8

1

5/20/2018 TA DDos Binary Bot IptabLes v6 US

9/15

9

U!"#$%&'( G-JJ$ND "B-#-G-F

S)(

5/20/2018 TA DDos Binary Bot IptabLes v6 US

10/15

10

if ( a1 ){new_data = 0;new_len = 2048;if ( HbLDeCompress(a1 + 6, a2, &new_data, &new_len) || new_len != 112 ){

v2 = new_data;}else{

v2 = new_data;if ( *(_BYTE *)(new_data + 8) & 1 ){

v3 = *(_DWORD *)(new_data + 0x50);v4 = *(_DWORD *)(new_data + 0x54);v5 = *(_DWORD *)(new_data + 0x58);v6 = *(_DWORD *)(new_data + 0x5C);v7 =AddTask(new_data);

MySend(&v3, 20);v2 = new_data;

}}free(v2);

}}

=?@AB' CR7 < "('AD- G-D' D'J-N(#B$#?-N -M #I' D'G-J"B'((?-N $ND "$B(?N@ -M #I' ,,-. G-JJ$ND(

;628 6H

5/20/2018 TA DDos Binary Bot IptabLes v6 US

11/15

11

=?@AB' CV7 ,6. $ND .Q6 MF--D #IB'$D MANG#?-N( G$FF'D %H #I'

SYN Flood10:41:03.933780 IP x.x.x.x.10535 > x.x.x.x.80: Flags [S], seq 536:1560, win 6000,

length 1024

DNS Flood15:37:30.794536 IP x.x.x.x.2679 > x.x.x.x.53: 17664+ A? xx.xx.xx. (33)

=?@AB' CZ7

5/20/2018 TA DDos Binary Bot IptabLes v6 US

12/15

12

.$N a-(' &-ND-N E-N@ `-N@:$(I?N@#-N

,;=B$NOMAB#

5810 G(

5/20/2018 TA DDos Binary Bot IptabLes v6 US

13/15

13

5/20/2018 TA DDos Binary Bot IptabLes v6 US

14/15

14

$code4 = "Service.c"

$code5 = "srvnet.c"

$code6 = "ckbuf"

$code7 = "udptest.c"

condition:

($elf at 0 and all of ($st*) and 5 of ($code*) )

}

=?@AB' K_7 Q

5/20/2018 TA DDos Binary Bot IptabLes v6 US

15/15

15

;8604!/b084.7 1&>('B#

!; .5;b4!0Q 563!6554!63