Analysis of the-binary backdoor and DoS tools
So we have the two new binaries, downloaded thanks to the generosity of the attacker, and they were uploaded to VirusTotal as per the links below: E5f DrWeb Linux. H Ikarus DoS. Elknot Kaspersky Backdoor. E61 Microsoft DoS: E. For further details, I share my analysis in the sections to come. What this binary "doesn't have" is actually very important for further analysis, for instance the following output:
No dynamic section in this file.
No section groups in this file.
No relocations in this file.
No unwind sections in this file.
No version information found in this file.
Interestingly, I noticed that at offset 0xd4, with length 0x, it contains the data below.. Seeking further, I found the compilation environment used: But to be sure, it is nice to trail it down in reversing mode with any tool. Right when I was about to do it, I got the advice that it would also be nice to make a reversing video for others to learn from, so I chose IDA for this purpose because it is "animated" and comprehensive: In the file listed above there is the main.
For example: how did this machine become infected, and what exactly does this malware do? There are different kinds of people and organizations that do malware analysis.
All of them fall under these categories: As per information security training experts, to analyze malware you have to follow these steps: Set up a controlled machine which is not connected to your network; you should also be able to restore the machine at any time.
For the environment setup you need to download the malware file first, and then change its extension. As per the suggestions of ethical hacking training experts, after changing the file you can copy it to a write-protected disc, as this can help you isolate the malware in some cases.
Retrieve surface information from targets without execution. The motive of surface analysis is to get. In this step you can execute the malware and monitor its behavior. You can use various automated or manual analysis methods. You can use monitoring tools on a sandbox system for analysis. In static analysis you read the code in the binary file and understand its functionality. You will need OS knowledge, assembly basics, efficient reading techniques and knowledge of anti-analysis techniques.
If the binary code is packed you will have to unpack it. You can also check for arguments and branches on conditions. While you use a disassembler, you can read, rename and comment instructions to understand the code.
You can learn more about disassemblers in the ethical hacking training course. Encoding Obfuscation in Malware. The backdoor uses a proprietary protocol which is not generally used. Because this backdoor uses a raw socket for its communication channel, the source address of the IP packet can be forged, so the apparent source of a command cannot be trusted.
So you can't trace the one who sent the command packet. If the sender of the forged packet wants to get the response back, he can set the "master" address with some command packet. Identify and explain the different features of the binary.
What are its capabilities? The binary uses a network data encoding process, and uses a raw socket for its communication. It has a decoy mode, which makes traceback more difficult. Through operation mode 2, it sets the true master server IP address, and with a random number generator it generates 8 extra IP addresses at random. These addresses are used as decoy IPs, so the backdoor response packet is always sent to 9 hosts, including the one true master IP.
It has several operation modes, determined by the third byte of the decrypted data. This is a test operation mode, which responds with a re-encrypted packet, then sends it through an IP protocol 0xb packet. The password is "SeNiF".
You must type the password to use the shell. Send DNS packets to the host assigned by the command packet. It's a kind of DoS attack that eats up the bandwidth.
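The two network traits described above (responses carried in raw IP packets with protocol number 0xb, and every response fanned out to 9 hosts, one true master plus 8 random decoys) are exactly the kind of pattern a network defender can look for. The following detector is an added example, not code from the original post or from the analyzed binary: it parses raw IPv4 headers, keeps only packets with the assumed protocol number 0x0b, and flags any source that sends them to at least 9 distinct destinations. The packets, addresses, protocol constant and the fan-out threshold are all constructed for this example.

```python
import struct
from collections import defaultdict

# Assumptions taken from the text: the backdoor's responses travel as raw IP
# packets with protocol number 0xb, and each response goes to 9 hosts
# (1 true master + 8 decoys). Both values are assumed, not observed here.
DECOY_PROTOCOL = 0x0B
DECOY_FANOUT = 9


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal 20-byte IPv4 header plus payload (constructed test data,
    header checksum left as 0 because the parser below does not verify it)."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 (20 bytes, no options)
        0,           # TOS
        total_len,   # total length
        0, 0,        # identification, flags/fragment offset
        64,          # TTL
        proto,       # protocol number
        0,           # header checksum (not computed)
        ip_to_bytes(src),
        ip_to_bytes(dst),
    )
    return header + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) for a well-formed IPv4 packet, else None.
    Handles the edge cases: truncated headers, non-IPv4, bad IHL."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = bytes_to_ip(packet[12:16])
    dst = bytes_to_ip(packet[16:20])
    return src, dst, proto, packet[ihl:]


def find_decoy_fanout(packets, proto=DECOY_PROTOCOL, fanout=DECOY_FANOUT):
    """Group packets of the suspicious protocol by source address and flag any
    source that reaches at least `fanout` distinct destinations. Returns
    {source: [sorted destinations]} for flagged sources only."""
    dests = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue          # skip malformed / non-IPv4 input
        src, dst, p, _payload = parsed
        if p == proto:
            dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= fanout}


# Constructed capture: one infected host (10.0.0.5) answering a command by
# sending protocol-0xb packets to 9 hosts, plus ordinary TCP traffic and a
# single protocol-0xb packet from another host that should not be flagged.
SAMPLE_PACKETS = (
    [build_ipv4("10.0.0.5", f"192.0.2.{i}", DECOY_PROTOCOL) for i in range(1, 10)]
    + [build_ipv4("10.0.0.7", "198.51.100.3", 6) for _ in range(20)]   # TCP, ignored
    + [build_ipv4("10.0.0.9", "203.0.113.8", DECOY_PROTOCOL)]          # below threshold
    + [b"\x00" * 10]                                                   # truncated junk
)


def detect_sample():
    """Run the detector over the constructed capture."""
    return find_decoy_fanout(SAMPLE_PACKETS)


if __name__ == "__main__":
    for src, targets in detect_sample().items():
        print(f"{src} sent protocol 0x{DECOY_PROTOCOL:x} packets to {len(targets)} hosts: {targets}")
```

Only the 10.0.0.5 source is reported; the host that sent a single protocol-0xb packet stays below the fan-out threshold, and the TCP traffic is never counted. On a real sensor the same logic would be fed from a raw socket or pcap reader, and because the text notes that the source address of these raw packets can be forged, the interesting alert is the fan-out from one internal source rather than any single destination.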