A Trojan that runs on 32-bit versions of Ubuntu and CentOS and is used to carry out DDoS attacks.
It is launched with the input parameter “-add”. The Trojan is installed on the system under the name of “pktmake”. To be installed, the malware executes the following commands:
    killall pktmake
    cp /home/user/guchun /bin/pktmake -f 2>&1
    chmod 777 /bin/pktmake 2>&1
By reading the “/proc/exe” link, Linux.DDoS.24 gets the information regarding the path to the executable file. To be launched automatically, the Trojan modifies the startup scripts.
    chmod 777 /etc/init.d/pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc2.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc3.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc4.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc5.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc6.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc.d/rc2.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc.d/rc3.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc.d/rc4.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc.d/rc5.d/S99pktmake
    ln -s -f /etc/init.d/pktmake /etc/rc.d/rc6.d/S99pktmake
Encrypted configuration data is stored in the Trojan’s body. This data can include the following information:
    #include <stdint.h>
    typedef uint8_t BYTE; typedef uint16_t WORD; typedef uint32_t DWORD; // 8/16/32-bit unsigned
    #pragma pack(push,1) // no padding: fields are laid out exactly as stored in the body
    struct CONFIG_DATA{
        DWORD SIGNATURE;
        DWORD port; //C&C server port
        char ip[15]; //C&C server IP
        BYTE Dummy[17];
        char szAppName[16];
        BYTE Smth[24]; //purpose unknown
    };
    #pragma pack(pop)
Once launched, the Trojan starts gathering system-related information, encrypts it, and sends it to the command and control server. The encrypted data has the following structure:
    // BYTE/WORD/DWORD: 8/16/32-bit unsigned integers
    #pragma pack(push,1) // no padding: structures match the on-wire layout
    struct CPU_INFO{
        DWORD NumberOfCores; // /proc/cpuinfo cpu cores
        char szCPUModelName[63]; // /proc/cpuinfo model name
    };
    struct MEM_INFO{ // values read from /proc/meminfo
        DWORD MemTotal;
        DWORD MemFree;
        DWORD Buffers;
        DWORD Cached;
        DWORD SwapCached;
        DWORD SwapTotal;
        DWORD SwapFree;
    };
    struct OS_INFO{
        WORD SIGNATURE1; // 0x67
        WORD wSize; //structure size
        BYTE Dummy[24]; // 0x00
        char szSmth[36]; //purpose unknown
        char szLinux[6]; // "Linux"
        BYTE Dummy1[58]; // 0x00
        struct CPU_INFO CpuInfo;
        BYTE Dummy2[4]; // 0x00
        DWORD MemTotal; // MEM_INFO->MemTotal >> 10
        BYTE Dummy3[16]; // 0x00
        char szVersion[4]; // "1.4"
    };
    #pragma pack(pop)
To establish a connection to the command and control server, the Trojan sends it a specially generated packet (LOGIN_PACKET). The server responds with an 8-byte packet encrypted with the RC4 algorithm; the last 4 bytes of that packet indicate the size of the next packet. The second incoming packet is also RC4-encrypted. If the second packet contains “f” at offset 0 and “1” at offset 8, Linux.DDoS.24 sends the gathered information to the server in the form of the OS_INFO structure.
    // BYTE/WORD/DWORD: 8/16/32-bit unsigned integers
    #pragma pack(push,1) // no padding: structure matches the on-wire layout
    struct LOGIN_PACKET
    {
        WORD SIGNATURE1; //0x0065
        WORD wSize; //packet size
        DWORD Dummy; //0x00
        char szAppName[72]; //specified in the configuration file
        char szVersion[4]; //"1.4"
        BYTE SIGNATURE2; //0x02
    };
    #pragma pack(pop)
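As an added example (not from the original description, and not the Trojan's own code), the following Python parses the LOGIN_PACKET layout and the two server replies described above, the kind of check a network analyst would run over captured traffic. It assumes little-endian byte order (32-bit x86), assumes wSize counts the whole 85-byte packet, and takes the server replies as already RC4-decrypted bytes, since the RC4 key is not given here; the sample packet is constructed for the test.

```python
import struct

# LOGIN_PACKET wire layout (packed, little-endian assumed):
#   WORD SIGNATURE1 (0x0065), WORD wSize, DWORD Dummy (0),
#   char szAppName[72], char szVersion[4] ("1.4"), BYTE SIGNATURE2 (0x02)
LOGIN_FMT = "<HHI72s4sB"
LOGIN_LEN = struct.calcsize(LOGIN_FMT)  # 85 bytes


def build_login_packet(app_name: bytes) -> bytes:
    """Build a constructed LOGIN_PACKET (test input, not a captured sample)."""
    return struct.pack(LOGIN_FMT, 0x0065, LOGIN_LEN, 0,
                       app_name.ljust(72, b"\x00"), b"1.4\x00", 0x02)


def parse_login_packet(data: bytes):
    """Return (app_name, version) if data matches the LOGIN_PACKET layout, else None."""
    if len(data) < LOGIN_LEN:
        return None
    sig1, size, dummy, name, ver, sig2 = struct.unpack(LOGIN_FMT, data[:LOGIN_LEN])
    if sig1 != 0x0065 or sig2 != 0x02 or dummy != 0:
        return None
    if size != LOGIN_LEN:  # assumption: wSize is the full packet length
        return None
    return (name.split(b"\x00", 1)[0].decode("latin-1"),
            ver.split(b"\x00", 1)[0].decode("latin-1"))


def next_packet_size(decrypted_reply: bytes) -> int:
    """First server reply (8 bytes after RC4): last 4 bytes give the next packet size."""
    if len(decrypted_reply) != 8:
        raise ValueError("expected an 8-byte reply")
    return struct.unpack("<I", decrypted_reply[4:])[0]


def requests_os_info(decrypted_second: bytes) -> bool:
    """Second reply (after RC4): 'f' at offset 0 and '1' at offset 8 trigger OS_INFO upload."""
    return len(decrypted_second) > 8 and decrypted_second[0:1] == b"f" and decrypted_second[8:9] == b"1"
```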
After the system-related data has been sent to the server, the Trojan is ready to receive commands from the command and control server.