Linux.DDoS.24

A Trojan designed to carry out DDoS attacks on 32-bit versions of Ubuntu and CentOS.

It is launched with the input parameter “-add”. The Trojan is installed on the system under the name of “pktmake”. To be installed, the malware executes the following commands:

killall  pktmake
cp /home/user/guchun /bin/pktmake -f 2>&1
chmod 777 /bin/pktmake 2>&1

By reading the “/proc/exe” link, Linux.DDoS.24 gets the information regarding the path to the executable file. To be launched automatically, the Trojan modifies the startup scripts.

chmod 777 /etc/init.d/pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc2.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc3.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc4.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc5.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc6.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc.d/rc2.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc.d/rc3.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc.d/rc4.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc.d/rc5.d/S99pktmake
ln  -s  -f  /etc/init.d/pktmake  /etc/rc.d/rc6.d/S99pktmake

Encrypted configuration data is stored in the Trojan’s body. This data can include the following information:

#pragma pack(push,1)
struct CONFIG_DATA{
    DWORD SIGNATURE;
    DWORD port;  //C&C server port
    char ip[15];  //C&C server IP
    BYTE Dummy[17];
    char szAppName[16];
    BYTE Smth[24];
};

Once launched, the Trojan starts gathering system-related information, encrypts it, and sends it to the command and control server. The encrypted data has the following structure:

#pragma pack(push,1)
struct CPU_INFO{
    DWORD NumberOfCores; // /proc/cpuinfo cpu cores
    char szCPUModelName[63]; // /proc/cpuinfo model name
};
struct MEM_INFO{
    DWORD MemTotal;
    DWORD MemFree;
    DWORD Buffers;
    DWORD Cached;
    DWORD SwapCached;
    DWORD SwapTotal;
    DWORD SwapFree;  
};
struct OS_INFO{
    WORD SIGNATURE1; // 0x67
    WORD wSize; //structure size
    BYTE Dummy[24]; // 0x00
    char szSmth[36]; // 
    char szLinux[6]; // "Linux"
    BYTE Dummy1[58]; // 0x00
    struct CPU_INFO CpuInfo;
    BYTE Dummy2[4]; // 0x00
    DWORD MemTotal; // MEM_INFO->MemTotal >> 10
    BYTE Dummy3[16]; // 0x00
    char szVersion[4]; // "1.4"
};

To establish a connection to the command and control server, the Trojan sends it a specially generated packet (LOGIN_PACKET). The server responds with a 8-byte packet encrypted with the RC4 algorithm. The last 4 bytes from the packet indicate the size of the next packet. The second incoming packet is also encrypted with the RC4 algorithm. If the second packet contains “f” at zero offset and “1” at offset of 8 bytes, Linux.DDoS.24 sends the gathered information in the form of the OS_INFO structure to the server.

struct LOGIN_PACKET
{
    WORD SIGNATURE1;    //0x0065
    WORD wSize;         //packet size
    DWORD Dummy;        //0x00
    char szAppName[72]; //specified in the configuration file
    char szVersion[4];  //"1.4"
    BYTE SIGNATURE2;    //0x02
};

After the system-related data has been sent to the server, the Trojan is ready to receive commands from the command and control server.