

By comparing this unstripped sample to the codebase of Mirai we can see what was reused:

  void attack_udp_plain(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
  uint16_t checksum_generic(uint16_t *addr, uint32_t count)
  uint16_t checksum_tcpudp(struct iphdr *iph, void *buff, uint16_t data_len, int len)
  void resolv_entries_free(struct resolv_entries *entries)
  struct resolv_entries *resolv_lookup(char *domain)

These functions were scraped verbatim from the original Mirai source code; the matches were found by comparing the function symbols from the source code with those of the binary sample. Others (rand_port, retrieve_c2_server or attack_tcp_raw) are based on original Mirai functions but modified to fit the needs of the author.

The downside of reusing Mirai's codebase is that some of the favorable aspects of its code are often ignored. That is the case of the encrypted data table. This table is the one in charge of converting encrypted or obfuscated strings and data back to their normal state, be they integers or strings. Dark Nexus, on the other hand, exposes passwords, usernames, command-and-control endpoints, etc.

Dark Nexus presents new techniques as well. For example, the function retrieve_c2_server (Mirai's retrieve_cnc_addr) was adapted to resolve more than one C&C address. These addresses are in plain text in the main function of the bot (Figure 1). Here we are going to mention two that we consider interesting to show and describe: Reverse Proxy and Killer functions.
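The symbol comparison described above can be automated. The following script is an added example written for this page, not code from the report or from the Mirai or Dark Nexus projects: it extracts function definitions from a C source text, reads the text-section symbols from `nm` output of an unstripped binary, and reports which names appear in both. Both the source snippet and the `nm` listing are constructed samples (the source lines only mimic Mirai's signatures, and the addresses are invented); the file names and function names are assumptions for illustration. Note that this name-based matching only finds verbatim reuse; renamed or rewritten functions such as retrieve_c2_server show up as "only in binary" and still need manual comparison.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a few C definitions shaped like Mirai's, NOT the real source.
SOURCE_SAMPLE = """
struct resolv_entries *resolv_lookup(char *domain)
{
    return NULL;
}
void resolv_entries_free(struct resolv_entries *entries)
{
}
uint16_t checksum_generic(uint16_t *addr, uint32_t count)
{
    if (count)
        return 0;
    return 0;
}
static void resolve_cnc_addr(void)
{
}
void attack_udp_plain(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
}
"""

# Constructed sample of `nm` output for an unstripped ELF (addresses invented).
NM_SAMPLE = """\
00010a40 T resolv_lookup
00010b80 T resolv_entries_free
00011200 T checksum_generic
00011380 T checksum_tcpudp
00012000 T attack_udp_plain
00012400 T retrieve_c2_server
00012800 T killer_init
00000000 U memcpy
"""

# A C function definition on one line: return type/qualifiers, name, parameter list,
# and nothing else (no trailing ';' so calls and prototypes are not matched).
FUNC_DEF_RE = re.compile(r"^[\w \t\*]+?\b(\w+)[ \t]*\([^)]*\)[ \t]*$", re.MULTILINE)

# Control keywords that would otherwise look like `name(...)` on a line of their own.
C_KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}


def source_functions(c_source: str) -> Set[str]:
    """Names of functions defined in the given C source text."""
    return {m.group(1) for m in FUNC_DEF_RE.finditer(c_source)} - C_KEYWORDS


def binary_functions(nm_output: str) -> Set[str]:
    """Names of code symbols (T/t = text section) listed by `nm`."""
    names: Set[str] = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("T", "t"):
            names.add(parts[2])
    return names


def compare_symbols(c_source: str, nm_output: str) -> Dict[str, List[str]]:
    """Partition function names into reused, binary-only and source-only sets."""
    src = source_functions(c_source)
    binary = binary_functions(nm_output)
    return {
        "reused": sorted(src & binary),          # candidates for verbatim reuse
        "only_in_binary": sorted(binary - src),  # new or renamed/modified functions
        "only_in_source": sorted(src - binary),  # dropped or renamed in the sample
    }


if __name__ == "__main__":
    for label, names in compare_symbols(SOURCE_SAMPLE, NM_SAMPLE).items():
        print(f"{label}: {', '.join(names)}")
```

In practice the source side would be fed the concatenated `.c` files of the Mirai tree and the binary side the output of `nm` (or the symbol table read by any ELF parser); a name match is only a starting point, and the bodies of matched functions should still be diffed to confirm they were copied unchanged.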
