Linux.DDoS.3

A Trojan for Linux designed to carry out DDoS attacks. It is written in С++/STL and compressed with UPX.

During installation, it reads the link

/proc/self/exe

and defines the path to its running file. The file contains the information regarding the program’s current directory. The Trojan creates its own copy and starts with the following parameters:

cp /home/user/hihjok /home/user/freeBSD
/home/user/freeBSD /home/user/freeBSD 1
cp /home/user/hihjok /home/user/hihjoka
/home/user/hihjoka

Once launched, the malware deletes its current file and extracts another file from its body replacing the original one. Depending on the launch parameters, it changes the IP address and the port of the command and control server specified in the file.

The Trojan starts as a daemon and initializes the fake.cfg configuration file:

0
0.0.0.0:0.0.0.0
10000:60000

Then it gets information regarding the infected system and sends it as a request to the command and control server:

#pragma pack(push,1)
struct OS_INFO{
    DWORD MHz; // /proc/cpuinfo cpu MHz
    BYTE is_count; 
    DWORD ip1;
    DWORD ip2;
    WORD port1;
    WORD port2; 
    BYTE os_name[0x80];
    BYTE host[0xFF];
};
#pragma pack(pop)

In return, it gets a DWORD op value.

If op equals 1, the Trojan receives the LookTask task. Once the DWORD size is determined, the bot uploads the data and puts the task in the queue:

#pragma pack(push,1)
struct CLoopTask{
  BYTE byte0;
  BYTE byte1;
  BYTE byte2;
  BYTE byte3;
  DWORD max2;
  DWORD SomeTime;
  DWORD max1;
  CSubTask SubTask[];
};
#pragma pack(pop)

If op equals 2, the task is aborted. The task status is sent to the command and control server as follows:

#pragma pack(push,1)
struct TASK_STATUS{
    DWORD max;
    DWORD index1;
    DWORD index2;
    BYTE op;
    DWORD size;
    WORD fw1;
    DWORD CPUUse;
    DWORD NetUse;
};
#pragma pack(pop)

If op equals 3, the command and control server sends the configuration data containing the task information. The data is saved to the fake.cfg file.

#pragma pack(push, 1)
struct CSubTask{
  BYTE op; //DDoS attack type
  BYTE byte1;
  BYTE byte2;
  BYTE byte3;
  DWORD max;
  WORD port;
  WORD w2;
  DWORD dwordC;
  DWORD time2;
  DWORD time1;
  DWORD dword18;
  DWORD dword1C;
  WORD port1;
  WORD port2;
  DWORD ip1;
  DWORD ip2;
  DWORD count;
  char Host[];
};
#pragma pack(pop)

If op equals 4, the TASK_STATUS message is sent.

Apart from the main cycle of communication with the server, the Trojan has 19 threads that monitor the queue of SubTask.op tasks which, in turn, determine the attack type:

• 0x80—tcp flood 1
• 0x81—udp flood
• 0x82—tcp flood 2
• 0x83—amp 1 (dns)
• 0x84—amp 2 (dns)