Thursday, November 24, 2016

IoT Malware Analysis - CnC Server - Part 3

Through the information gathered inside of the binaries I began searching for unique strings on Google.  One of the unique strings that I searched for was "HTTPFLOOD GHP".  This pulled back less than 10 results and the first one was from the site hxxp://  This contained the source code for what they called "Palkia Server.c".

This particular piece of source code was found to have been leaked on 2016-11-12 09:58:05 according to the timestamp on the paste.  I have not validated that the binary in which I found the string matches up with this particular CnC Server source code.

After looking at the source code and understanding the logic, verifying there were no backdoors and other intents to infect my systems I compiled the source code on a temporary server.  Upon execution you need to specify which port it listens on for the bot connections and the number of threads it will utilize.

After you specify the port and the number of threads it begins to listen for clients.  If a client connects the first command that it sends is a command to the client to enable the scanning of other devices through telnet.

Then the server will keep in contact with the bot by sending the string "PING" every 60 seconds.  I have noticed that some bots will receive the communication at an interval as small as 15 seconds.

Through the source code you learn that the bot can send commands back to the server that are interpreted. 

From the source code you can see 3 commands that the bot can send back: PING, REPORT, and PONG.  If the bot sends PING then the CnC server will respond with PONG.  If the bot sends "REPORT " + up to 2048 characters it will store the sent information in a file called telnet.txt.  If PONG is sent it will do nothing but continue in the loop.  Then if anything sent to the CnC does not match these 3 commands it will output it to stdout on the CnC Server with "buf:" appended to the beginning of it.

The other side of this source code is running an administration console so the bots can be controlled.  You can see in the source code that the server by default runs on port 777.

Appears that if you connect to this port you are prompted for a username.  The username and eventually password is parsed out of a file called savage.txt.  They are formatted with username, a space, and then the password.

I created this file with a test user and then a test2 user with a respective password following.  After feeling I understood the logic of the application I compiled it and ran it on a temporary server.  This allowed me to connect with a username and password.  Then from the source code you learn you can send the command "!* HELP" and it will display a quick help screen as shown below.

From the above screenshot you can see that the Attack Commands instruct the bots to conduct UDP, TCP or HTTP floods.  The KILLATTK instructs the bots to stop the attacks that they are instructed to conduct.  As someone is in the CnC Server their commands are broadcast to the bots with exception to a few.

As commands are executed in the administration side of the server they are saved to a file called server.log.  

I have placed the source code for the palkia server on my github page for further research along with the telnet emulator and a botEmulator.

Have a Happy Thanksgiving! Enjoy the Turkey!!

No comments:

Post a Comment

Prepare, Bait, Hook, Execute and Control - Buffer Overflows

This post is the third of four that I am planning to write about social engineering specifically about phishing.  The form of phishing that...