SHA1: c357fbcf428b07970f7a2ab26823336c5ff51f5c
A Trojan for Linux designed to mount DDoS attacks. Because it is built for Linux distributions running on ARM and MIPS processors, this program is very likely intended for routers.
The Trojan can execute the following commands:
| Cmd | Command |
|---|---|
| HULK | HTTP Flood |
| RAND | HTTP Flood |
| SSYN | Spoofed SYN Flood |
| HTTP | HTTP Flood (GET requests) |
| DNSQ | Attack on a DNS server using requests for domain addresses |
| TCPM | SYN Flood |
| DNSL | Attack on a DNS server using requests for domain addresses |
| STOP | Terminate a DDoS attack |
The HULK command triggers an HTTP Flood with GET requests; in doing so, the Trojan disguises itself as the Baidu spider through the User-Agent header. The request is built from the following template:
```c
"GET %s HTTP/1.1\r\n"
"Accept: */*\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http:/"
"/www.baidu.com/search/spider.html)\r\n"
"Host: %s:%d\r\n"
"Cache-Control: no-cache\r\n"
"Pragma: no-cache\r\n"
"Connection: Keep-Alive\r\n"
"Keep-Alive: %d\r\n"
"\r\n"
```
The RAND command triggers an HTTP Flood with GET requests; each request packet is generated from the following template:
```c
"GET %s?%d=%d HTTP/1.1\r\n"
"Accept: */*\r\n"
"Accept-Language: zh-cn\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"User-Agent: Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\n"
"Host: %s\r\n"
"X-Forwarded-For: %d.%d.%d.%d\r\n"
"Connection: Keep-Alive\r\n"
"\r\n"
```
A randomly generated IP address is used as the value of X-Forwarded-For.
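Both templates above leave a fixed fingerprint on the wire: an exact header set and order, a "Baiduspider" User-Agent in which the genuine crawler's spaces are replaced by "+", a Host header with an explicit port (HULK), and a `?%d=%d` query string with a zh-cn Accept-Language (RAND). The following is an added example, not code from the original analysis, that parses raw HTTP request heads and reports which template a request matches; the sample requests are constructed here and the function and constant names are the example's own.

```python
# Added example (not part of the original analysis): fingerprint inbound HTTP
# requests against the HULK and RAND flood templates quoted above.
import re
from collections import Counter

# Genuine Baidu crawler User-Agent uses spaces; the Trojan's template uses '+'.
GENUINE_BAIDU_UA = ("Mozilla/5.0 (compatible; Baiduspider/2.0; "
                    "+http://www.baidu.com/search/spider.html)")
TROJAN_BAIDU_UA = ("Mozilla/5.0+(compatible;+Baiduspider/2.0;+"
                   "+http://www.baidu.com/search/spider.html)")

# Exact header sets emitted by each template (names lower-cased).
HULK_HEADERS = {"accept", "accept-encoding", "user-agent", "host",
                "cache-control", "pragma", "connection", "keep-alive"}
RAND_HEADERS = {"accept", "accept-language", "accept-encoding", "user-agent",
                "host", "x-forwarded-for", "connection"}
RAND_TARGET = re.compile(r"[^?]*\?\d+=\d+")   # matches the "%s?%d=%d" target


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into its request line and headers."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers}


def classify(raw: bytes):
    """Return 'HULK', 'RAND', 'UA-ONLY' or None for a single raw request."""
    req = parse_request(raw)
    h = req["headers"]
    if h.get("user-agent") != TROJAN_BAIDU_UA:
        return None                       # not the Trojan's '+'-joined UA
    names = set(h)
    if (names == HULK_HEADERS and h["cache-control"] == "no-cache"
            and h["pragma"] == "no-cache" and ":" in h["host"]):
        return "HULK"                     # Host carries the explicit port
    if (names == RAND_HEADERS and h["accept-language"] == "zh-cn"
            and RAND_TARGET.fullmatch(req["target"])):
        return "RAND"                     # random "?%d=%d" query string
    return "UA-ONLY"                      # the UA alone is already suspicious


def summarize(requests) -> Counter:
    """Count template matches across a batch of raw requests."""
    return Counter(classify(r) for r in requests)


# Constructed sample traffic (not captured data): one request per template,
# one genuine-looking crawler request, and the Trojan UA with other headers.
SAMPLE_HULK = (b"GET /index.html HTTP/1.1\r\nAccept: */*\r\n"
               b"Accept-Encoding: gzip, deflate\r\n"
               b"User-Agent: " + TROJAN_BAIDU_UA.encode() + b"\r\n"
               b"Host: www.example.com:80\r\nCache-Control: no-cache\r\n"
               b"Pragma: no-cache\r\nConnection: Keep-Alive\r\n"
               b"Keep-Alive: 300\r\n\r\n")
SAMPLE_RAND = (b"GET /?4821=19377 HTTP/1.1\r\nAccept: */*\r\n"
               b"Accept-Language: zh-cn\r\nAccept-Encoding: gzip, deflate\r\n"
               b"User-Agent: " + TROJAN_BAIDU_UA.encode() + b"\r\n"
               b"Host: www.example.com\r\nX-Forwarded-For: 203.0.113.77\r\n"
               b"Connection: Keep-Alive\r\n\r\n")
SAMPLE_GENUINE = (b"GET /robots.txt HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: " + GENUINE_BAIDU_UA.encode() + b"\r\n\r\n")
SAMPLE_UA_ONLY = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: " + TROJAN_BAIDU_UA.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    print(summarize([SAMPLE_HULK, SAMPLE_RAND, SAMPLE_GENUINE, SAMPLE_UA_ONLY]))
```

The exact-header-set comparison is deliberately strict so that ordinary browsers and the real crawler never match; a looser rule would key on the "+"-joined User-Agent alone, which the `UA-ONLY` result already surfaces for triage.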
The difference between DNSQ and DNSL lies in how the requests are generated: for the DNSQ command the Trojan builds the DNS packets itself, whereas for the DNSL command it issues the requests through library functions.